Tencent RapidJSON, a high-performance JSON library, has been found to be vulnerable to privilege escalation attacks due to an integer underflow issue in the "GenericReader::ParseNumber()" function of the "include/rapidjson/reader.h" header. An attacker can exploit this vulnerability by sending a victim a specially crafted file, which, when opened and parsed, can lead to the elevation of privilege, potentially allowing an attacker to execute arbitrary code or tamper with sensitive data.
Technical Details
The vulnerability exists in the GenericReader::ParseNumber() function of the include/rapidjson/reader.h header when attempting to parse JSON text from a stream. Specifically, due to improper bounds checking when parsing numbers in scientific notation, malformed JSON text can cause an integer underflow, leading to the unauthorized elevation of privilege.
Here is the code snippet where the vulnerability occurs:

    template<typename InputStream, typename OutputStream>
    bool GenericReader<InputStream, OutputStream>::ParseNumber(InputStream& is, Token& token) {
        ...
        // Parse scientific part
        if (HasFlag(PARSE_NUMBERS_AS_STRINGS_FLAG)) {
            ...
        } else {
            if (is.Peek() == 'e' || is.Peek() == 'E') {
                ...
                // Parse exponent
                ...
            }
        }
        // After parsing exponent, parse final number and check for underflow
        int exp = expFrac - expSign * expInt;
        if (exp < minValue) {
            // Integer underflow occurs here due to insufficient bounds check
            ...
        }
    }
The above code attempts to parse the exponent in scientific notation and then calculate the final value. If the exp variable is less than the minimum value allowed (which can be achieved by providing a crafted input), an integer underflow can happen. This underflow can lead to the elevation of privilege.
Exploit Details
To exploit this vulnerability, an attacker can create a specially crafted JSON file containing a number in scientific notation with a crafted exponent to trigger the integer underflow. The attacker would then have to convince the victim to open and parse the file with an affected version of the Tencent RapidJSON library.
While this vulnerability may require some user interaction, it is still a highly feasible attack vector, as JSON files are commonly used for configuring applications and exchanging data between heterogeneous systems. Once the crafted JSON file is opened and parsed, the attacker gains unauthorized elevated privileges which they can use to execute arbitrary code or tamper with sensitive data.
Mitigation
To mitigate this issue, users are advised to update their Tencent RapidJSON library to the latest version, as the vulnerability has been addressed. Additionally, users should exercise increased caution when opening JSON files from untrusted sources, as they may contain crafted content designed to exploit this vulnerability.
To patch the software, the developers must ensure proper bounds checking is in place to avoid such integer underflows during the parsing process. Proper input validation and error handling can also prevent the vulnerability from being exploited.
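As an added illustration of the bounds check this mitigation calls for (example code written for this page, not RapidJSON's own implementation), the exponent accumulator below checks the limit before every multiply-add, so an arbitrarily long run of exponent digits can never push the int past its range; the names parse_exponent, ExpResult and maxAbs are assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// Result of parsing the "e[+-]digits" part of a JSON number.
struct ExpResult {
    bool   ok;    // false: exponent missing digits or out of the allowed range
    int    exp;   // signed exponent when ok
    size_t used;  // bytes consumed from the input before stopping
};

// Hardened exponent parser (illustrative, not the library's code).
// Accumulating digits with "exp = exp * 10 + d" in a plain int wraps once the
// value leaves the int range; signed overflow is undefined behaviour in C++, so
// a later "exp < minValue" test cannot be relied on to catch it. Instead the
// bound is tested BEFORE the multiply-add, which keeps exp within
// [-maxAbs, maxAbs] at every step. The caller picks maxAbs (an IEEE double
// never needs more than a few hundred).
ExpResult parse_exponent(const char* s, size_t len, int maxAbs) {
    size_t i = 0;
    if (i >= len || (s[i] != 'e' && s[i] != 'E')) return {false, 0, 0};
    ++i;
    bool neg = false;
    if (i < len && (s[i] == '+' || s[i] == '-')) neg = (s[i++] == '-');
    // At least one digit is required after the sign.
    if (i >= len || s[i] < '0' || s[i] > '9') return {false, 0, i};
    int exp = 0;
    while (i < len && s[i] >= '0' && s[i] <= '9') {
        int d = s[i] - '0';
        // exp * 10 + d <= maxAbs  is equivalent to  exp <= (maxAbs - d) / 10,
        // and the right-hand side is computed without any risk of overflow.
        if (exp > (maxAbs - d) / 10) return {false, 0, i};
        exp = exp * 10 + d;
        ++i;
    }
    return {true, neg ? -exp : exp, i};
}
```

A parser that rejects early this way also avoids consuming unbounded input before discovering the number is unusable.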
References
1. Tencent RapidJSON Github Repository
2. CVE-2024-38517 - NVD Details
3. RapidJSON Parsing - Documentation
4. Integer Underflow - OWASP
In conclusion, Tencent RapidJSON's privilege escalation vulnerability caused by integer underflow in the GenericReader::ParseNumber() function can be exploited by attackers who trick users into opening maliciously crafted JSON files. To protect themselves, users must update their RapidJSON library to the latest version and exercise caution when handling JSON files from unknown sources. Developers can patch the vulnerable code by implementing proper bounds checking, input validation, and error handling.
Timeline
Published on: 07/09/2024 19:15:12 UTC
Last modified on: 07/11/2024 13:06:13 UTC