0x00 Vulnerability background
On 2019-09-05, 360CERT observed that fastjson commit 995845170527221ca0293cf290e33a7d6cb52bf7, submitted on 2019-09-03, fixes an issue in which a string containing the \x escape sequence can lead to an out-of-memory (OOM) error. 360CERT rates the severity of this vulnerability as high and its impact as wide. An attacker can send a crafted request that hangs the current thread, and a sufficiently large volume of such malicious requests can bring the business down entirely. 360CERT recommends that all users check whether their services and products are affected, so that their business is not exposed to attack.
0x01 Vulnerability details
The key point of the vulnerability is com.alibaba.fastjson.parser.JSONLexerBase#scanString. When a JSON string is passed in, fastjson scans it character by character. When it recognises a sequence beginning with \x, it takes the next two characters by default, concatenates them with \x, and processes the result as a complete hex escape. When the JSON string ends with \x, fastjson does not check for this and keeps trying to read the following two characters, so it reads \u001A, the EOF sentinel, directly. When fastjson then returns to parsing, it obtains this EOF repeatedly and writes it into memory until an OOM error is triggered. The final effect is shown in the screenshot of the original advisory.
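The following is an added model of the scanString \x handling described above, written for this page and not taken from fastjson's source: the unhardened branch reads two characters after \x regardless of where the input ends, while the hardened branch rejects a truncated or non-hex escape before reading on. The EOF bookkeeping (a sentinel returned past the end, EOF recognised only when the cursor is exactly at the end) is an assumption chosen to reproduce the behaviour the advisory describes.

```python
EOI = "\x1a"  # sentinel fastjson's next() yields once the input is exhausted
HEX = set("0123456789abcdefABCDEF")

def scan_string(text, hardened, max_buf=1000):
    """Scan one JSON string body; `text` starts just after the opening quote.

    Returns ("ok", value), ("error", reason), or ("runaway", n) once the
    unhardened path has buffered n sentinels without terminating (the point
    where real fastjson keeps allocating until OutOfMemoryError).
    """
    pos = -1
    buf = []

    def next_char():
        nonlocal pos
        pos += 1
        return text[pos] if pos < len(text) else EOI

    def hex_value(c):
        # Unhardened lookup: a non-hex character (including EOI) maps to 0.
        return int(c, 16) if c in HEX else 0

    while True:
        ch = next_char()
        if ch == '"':
            return ("ok", "".join(buf))
        if ch == EOI:
            if pos == len(text):  # assumption: EOF recognised only at exact end
                return ("error", "unclosed string")
            # The two extra reads after \x pushed the cursor past the end, so
            # the exact-position EOF test never fires: buffer and keep going.
            buf.append(EOI)
            if len(buf) > max_buf:
                return ("runaway", len(buf))
            continue
        if ch == "\\":
            esc = next_char()
            if esc == "x":
                x1, x2 = next_char(), next_char()
                if hardened and (x1 not in HEX or x2 not in HEX):
                    # Patched behaviour: reject a truncated or non-hex \x
                    # escape instead of reading on past the end of input.
                    return ("error", "invalid escape \\x%r%r" % (x1, x2))
                buf.append(chr(hex_value(x1) * 16 + hex_value(x2)))
            elif esc == EOI:
                return ("error", "unclosed string")
            else:
                buf.append({"n": "\n", "t": "\t"}.get(esc, esc))
            continue
        buf.append(ch)
```

Running scan_string on a body that ends in \x returns "runaway" for the unhardened path and "error" for the hardened one, which is the check a reviewer should look for in any custom escape handling.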
0x02 Affected versions
fastjson
0x03 Repair recommendations
1.1.15 ~ 1.1.31: update to 1.1.31.sec07
1.1.32 ~ 1.1.33: update to 1.1.33.sec06
1.1.34: update to 1.1.34.sec06
1.1.35 ~ 1.1.46: update to 1.1.46.sec06
1.2.3 ~ 1.2.7: update to 1.2.7.sec06 or 1.2.8.sec04
1.2.8: update to 1.2.8.sec06
1.2.9 ~ 1.2.29: update to 1.2.29.sec06
0x04 Timeline
2019-09-03 fastjson submitted the patch commit
2019-09-05 360CERT issued this warning
0x05 Reference links
https://github.com/alibaba/fastjson/commit/995845170527221ca0293cf290e33a7d6cb52bf7
https://github.com/alibaba/fastjson/pull/2692/commits/b44900e5cc2a0212992fd7f8f0b1285ba77bb35d#diff-525484a4286a26dcedd7d6464925426f