CVE-2021-32292 is a security vulnerability discovered in json-c, a popular C library for parsing and manipulating JSON data. This issue, affecting versions through .15-20200726, opens the door for attackers to execute arbitrary code by exploiting a stack buffer overflow in the parseit function found in json_parse.c. In this post, I'll break down what happened, share example code, provide links to references, and walk you through the potential impact.
What is json-c?
json-c is a C library that lets applications parse, create, print, and manipulate JSON data in C or C++ projects. It’s widely used in Linux system components and open-source projects.
json-c official repo
Impact: Code execution (may allow an attacker to run arbitrary code on target systems)
- CWE: CWE-121: Stack-based Buffer Overflow
MITRE’s CVE entry
Where is the Vulnerability?
The issue is in the parseit function (inside json_parse.c), which does not properly check the size when parsing certain JSON input data. This unsafe handling can cause a classic stack buffer overflow, overwriting function return addresses on the call stack, leading to arbitrary code execution.
Here’s a simplified version from the vulnerable code (for learning purposes)
int parseit(char *input) {
char stack_buffer[128];
// The issue: copying input into stack_buffer without length checking
strcpy(stack_buffer, input);
// Do something with stack_buffer
return ;
}
In the real-world json_parse.c, the function is more complex, but the heart of the issue remains: unsafe string copying.
How does the exploit work?
Stack buffer overflows happen when more data than expected is copied into a local variable on the stack. If an attacker supplies a long enough JSON string, it overflows the buffer, overwriting adjacent memory — potentially including the function's return address. By carefully crafting the payload, the attacker can hijack the execution flow, possibly leading to code execution.
Proof-of-Concept Example
Below is a simple PoC showing how a malicious JSON input might exploit this bug. Note: Do not run this code on any machine you care about; it’s for educational purposes only.
Vulnerable Application
#include <stdio.h>
#include <string.h>
void parseit(char *input) {
char buffer[128];
strcpy(buffer, input); // Vulnerable: No length check!
printf("You entered: %s\n", buffer);
}
int main(int argc, char **argv) {
if (argc < 2) {
printf("Usage: %s <json_string>\n", argv[]);
return 1;
}
parseit(argv[1]);
return ;
}
Exploit Usage
./vuln_program $(python3 -c 'print("A"*200)')
This will overflow the buffer and can potentially overwrite the return address. In real exploits, the payload would be designed to point to malicious shellcode.
References
- Original CVE Details
- Debian Security Advisory (DSA-4931-1)
- json-c GitHub Repository
- json-c Security Issue #656
- CWE-121: Stack-based Buffer Overflow
If you use json-c in your projects
1. Update Immediately: Upgrade to the latest json-c version (.16 or newer) where the issue is fixed.
Practice Safe Coding: Never use unsafe functions like strcpy with untrusted input.
> If you're maintaining systems that rely on any C-based JSON library, regularly check for security updates.
Conclusion:
CVE-2021-32292 is a prime example of why old-school bugs like buffer overflows are still dangerous today. Always keep dependencies up to date, and watch out for unsafe code patterns!
Timeline
Published on: 08/22/2023 19:16:00 UTC
Last modified on: 08/31/2023 04:15:00 UTC