yajl (Yet Another JSON Library) is a popular open-source C library for parsing and generating JSON. A memory-handling flaw was found in the yajl_tree_parse function of version 2.1.0: when the input is not valid JSON, memory allocated during parsing is never released, so a long-running process that is fed malformed input repeatedly grows until it is killed for running out of memory. The issue has been assigned CVE-2023-33460. In this post we look at the nature of the vulnerability, a code snippet demonstrating it, the original references, and the exploit details.

Vulnerability and Code Snippet

yajl_tree_parse is the entry point of yajl's tree API: it parses a JSON document into a tree of yajl_val values that the caller later releases with yajl_tree_free. When it is given invalid JSON it reports the error and returns NULL, and it is expected to clean up whatever it allocated while parsing up to that point. In version 2.1.0 the values built before the parse error are never freed, so every failed call leaks the partially constructed tree.

Here is a simple snippet that demonstrates the vulnerability by calling yajl_tree_parse with the same invalid input in an endless loop; on an affected build the process's memory use grows without bound:

#include <stdio.h>
#include <yajl/yajl_tree.h>

/* Build against yajl 2.1.0 with:  cc leak.c -lyajl */
int main(void) {
    /* Malformed on purpose: the second quote ends the key early, so
       value becomes an invalid bare token and the parse fails. */
    const char *invalid_json = "{ \"key: \"value\" }";
    char errbuf[1024];

    while (1) {
        /* On an affected build this returns NULL but never frees the
           object and key it allocated before hitting the bad token. */
        yajl_val node = yajl_tree_parse(invalid_json, errbuf, sizeof errbuf);

        if (node) {
            yajl_tree_free(node);  /* never reached for this input */
        }
    }

    return 0;
}

For this input yajl_tree_parse returns NULL, so the yajl_tree_free call is never reached; that is correct caller behaviour, since there is no tree to free. The leak is inside the library: the object and key it had already allocated before hitting the bad token are not released on the error path. Each iteration therefore leaks a few allocations, and a long-running service that keeps parsing malformed input will grow until allocation fails or the kernel's OOM killer terminates it. To confirm whether the libyajl you ship is affected, run a bounded version of this loop (a few thousand iterations rather than while (1)) under valgrind --leak-check=full or an AddressSanitizer build, which reports the leaked blocks through LeakSanitizer at exit.

Original References and Exploit Details

The vulnerability was initially reported on the yajl GitHub repository in issue #190 and further discussed in issue #191. The specific problem is that yajl_tree_parse does not release the partially built tree when it rejects invalid JSON. The impact is denial of service: a remote attacker who can submit JSON to a service that parses untrusted input with yajl_tree_parse, such as an HTTP API or a message consumer, only needs to keep sending malformed documents to exhaust the process's memory. Short-lived processes that parse a handful of documents and exit are barely affected; long-running daemons are the concern.

A patch for this vulnerability was provided by a community member. It modifies the yajl_buf.c file, which manages memory allocation and deallocation within the library.
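To make the failure mode and the shape of a fix concrete without needing a vulnerable libyajl on hand, here is an added example that is not yajl's code and not the community patch: a tiny object-and-string-only parser whose tree builder follows the same pattern as yajl_tree.c (values are pushed on a context stack as they are parsed, and the finished root is popped at the end). The drain_on_error flag switches between the leaky error path described above and a corrected one that frees the partially built tree before returning NULL. The node type, the toy parser and the leaked_nodes helper are assumptions made for illustration; only the input string is taken from the snippet above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model, not yajl's code: a stack-based tree builder for a subset of
   JSON (objects whose members are strings or objects). */
typedef struct node {
    struct node *next;      /* next entry on the context stack or member list */
    struct node *children;  /* objects: members collected when '}' is seen */
    char *text;             /* strings: decoded contents */
    int is_object;
    int closed;             /* object has seen its '}' */
} node_t;

static long live_nodes;     /* instrumentation: nodes currently allocated */

static node_t *node_new(int is_object, const char *s, size_t n) {
    node_t *v = calloc(1, sizeof *v);
    if (!v) abort();
    v->is_object = is_object;
    if (!is_object) {
        v->text = malloc(n + 1);
        if (!v->text) abort();
        memcpy(v->text, s, n);
        v->text[n] = '\0';
    }
    live_nodes++;
    return v;
}

/* Frees a node list and everything hanging off it. Safe on NULL. */
static void node_free(node_t *v) {
    while (v) {
        node_t *next = v->next;
        node_free(v->children);
        free(v->text);
        free(v);
        live_nodes--;
        v = next;
    }
}

/* Returns the root on success, NULL on a parse error. */
static node_t *tree_parse(const char *in, int drain_on_error) {
    node_t *stack = NULL;
    const char *p = in;

    while (*p) {
        if (isspace((unsigned char)*p) || *p == ':' || *p == ',') {
            p++;
        } else if (*p == '{') {
            node_t *obj = node_new(1, NULL, 0);
            obj->next = stack;
            stack = obj;
            p++;
        } else if (*p == '"') {
            const char *end = strchr(p + 1, '"');
            if (!end) goto error;                       /* unterminated string */
            node_t *s = node_new(0, p + 1, (size_t)(end - p - 1));
            s->next = stack;
            stack = s;
            p = end + 1;
        } else if (*p == '}') {
            node_t *obj = stack;                        /* find innermost open object */
            while (obj && !(obj->is_object && !obj->closed)) obj = obj->next;
            if (!obj) goto error;                       /* stray '}' */
            while (stack != obj) {                      /* move its members into it */
                node_t *m = stack;
                stack = m->next;
                m->next = obj->children;
                obj->children = m;
            }
            obj->closed = 1;
            p++;
        } else {
            goto error;                                 /* invalid token, e.g. a bare word */
        }
    }
    if (stack && !stack->next && stack->is_object && stack->closed)
        return stack;                                   /* exactly one finished root */

error:
    /* Leaky behaviour: return NULL and abandon whatever is still on the stack.
       The fix is to free the partially built tree before returning. */
    if (drain_on_error)
        node_free(stack);
    return NULL;
}

/* Parses in, frees any root returned, and reports how many nodes are still
   allocated: a non-zero result means the error path leaked. */
long leaked_nodes(const char *in, int drain_on_error) {
    live_nodes = 0;
    node_free(tree_parse(in, drain_on_error));
    return live_nodes;
}

int main(void) {
    const char *invalid_json = "{ \"key: \"value\" }";  /* same input as the PoC above */
    printf("leaky error path:   %ld nodes leaked\n", leaked_nodes(invalid_json, 0));
    printf("drained error path: %ld nodes leaked\n", leaked_nodes(invalid_json, 1));
    return 0;
}
```

The input from the PoC leaves an object and one string on the stack when the bare word is rejected, so the leaky path reports two leaked nodes and the drained path reports none; a valid document leaks nothing on either path because the caller frees the root. The same instrumentation idea, counting live allocations before and after a failed parse, is what LeakSanitizer or valgrind gives you for the real library.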

Conclusion

CVE-2023-33460 is a memory leak in yajl 2.1.0's yajl_tree_parse that lets an attacker crash a server by feeding it malformed JSON. Developers and system administrators who rely on this library should apply the patch, move to a distribution package that carries the fix, or switch to an alternative JSON parser; upstream yajl has had no release since 2.1.0, so do not wait for a new tagged version. Addressing the issue removes an easy denial-of-service vector and keeps long-running services stable.

Timeline

Published on: 06/06/2023 12:15:00 UTC
Last modified on: 08/05/2023 19:15:00 UTC