Executive Summary

The vulnerability exists in lwjson version 1.8.1 within its streaming JSON parser component (lwjson_stream.c). It is caused by improper input validation related to how the parser detects the end of a JSON string.

Specifically, the parser incorrectly identifies escaped quote characters by only checking the immediately preceding character instead of counting consecutive backslashes. This flaw causes valid JSON strings that end with an escaped backslash (for example, "\\") to never properly terminate parsing.

As a result, a remote attacker can send well-formed JSON data that exploits this logic error to cause applications using the lwjson_stream_parse() function to hang indefinitely.

This leads to a denial of service condition.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing applications that use the vulnerable lwjson streaming JSON parser to become unresponsive or hang indefinitely.

A remote attacker can exploit this by sending specially crafted JSON data, resulting in a denial of service (DoS) condition.

This can disrupt normal operations, potentially causing downtime or degraded service availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for applications using lwjson version 1.8.1 or earlier that process streaming JSON data. Specifically, detection involves identifying if the application hangs or becomes unresponsive when receiving JSON strings ending with an escaped backslash (e.g., {"a":"\\"}).

To detect exploitation attempts on your network, you can look for incoming JSON payloads containing strings that end with an escaped backslash, which may cause the parser to hang.

Suggested commands for detection include using network traffic inspection tools like tcpdump or Wireshark to filter JSON traffic and search for suspicious payloads:

• tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -E '\\"\\\\\\\\\\"'
• Use application logs to identify hangs or crashes related to JSON parsing.

Additionally, testing the application with crafted JSON inputs that end with escaped backslashes can help confirm if the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Avoid processing untrusted JSON input that contains strings ending with escaped backslashes.
• Implement input validation or filtering to reject JSON payloads with potentially malicious strings that could trigger the parser hang.
• If possible, update or patch the lwjson library to a version where this vulnerability is fixed.
• Monitor application behavior for hangs or denial of service symptoms and restart affected services if necessary.

Useful 0 Not Useful 0