SEGV in the bundled, vulnerable iguana (iguana::from_json) reachable from config_manager::from_file
Summary
ormpp bundles a vulnerable version of iguana and reaches its parser (iguana::from_json) from config_manager::from_file. The one place where ormpp automatically feeds user-controlled data into iguana's textual parsers is the optional configuration helper in ormpp/ormpp_cfg.hpp: config_manager::from_file loads the entire file into a std::string and calls iguana::from_json on it for whatever type you pass in, so a malformed configuration file reaches the parser unchanged and any parser crash becomes a crash of the application that loads the config.
The bundled iguana has the following reported issues in the version ormpp ships:
- https://github.com/qicosmos/iguana/issues/368
- https://github.com/qicosmos/iguana/issues/369
- https://github.com/qicosmos/iguana/issues/370
- https://github.com/qicosmos/iguana/issues/371
Versions
Versions tested and affected:
- 0.2.0
- latest git master
$ git rev-parse HEAD
9cca9bcb9097d16ebef76a18bbe1c9a93bb51a0b
Build and test platform
Ubuntu 24.04.3
Test case
$ clang++ -std=c++20 -g -O1 -fsanitize=address -I. -Ithirdparty \
config_manager_poc.cpp -o config_manager_poc
$ ASAN_OPTIONS=detect_leaks=0:abort_on_error=0 ./config_manager_poc
// config_manager_poc.cpp
// Minimal caller of ormpp's configuration helper. The only user-controlled
// input is the JSON file handed to config_manager::from_file, which passes
// its contents straight to iguana::from_json.
#include <map>
#include <optional>
#include <string>
#include <vector>

#include "ormpp/ormpp_cfg.hpp"

struct Credential {
  std::string user;
  std::optional<std::string> secret;
};
YLT_REFL(Credential, user, secret);

struct JsonConfig {
  std::vector<std::string> es;
  // Map with an integer key: the crash below is reached while iguana
  // parses this key as an int.
  std::map<int, Credential> fallback_credentials;
};
YLT_REFL(JsonConfig, es, fallback_credentials);

int main() {
  JsonConfig cfg{};
  // Parses evil_cfg.json (the PoC input) into cfg; the crash happens inside
  // this call, before it can return.
  if (!ormpp::config_manager::from_file(cfg, "evil_cfg.json")) {
    return 1;
  }
  return 0;
}
PoC input: evil_cfg.json
Latest git master
Expect the same crash:
=================================================================
ERROR: AddressSanitizer: SEGV on unknown address …
    #0 iguana::can_follow_number(char) ./iguana/json_util.hpp:237
    #1 iguana::detail::from_json_impl<int,...>
    #2 iguana::detail::from_json_impl<std::map<int, Credential,...>>
    #3 iguana::from_json<JsonConfig>(...)
    #4 ormpp::config_manager::from_file(JsonConfig&, …)
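The trace ends in iguana::can_follow_number(char) while the int key of the std::map is being parsed. A SEGV reported in a function that only receives a char means the faulting dereference happened at the call site, i.e. the byte handed to the terminator check was read from outside the input buffer. That this is the exact root cause is an assumption drawn from the trace, not confirmed against iguana's source. The following example is added here to illustrate that bug class in isolation; it is not iguana's or ormpp's code. It contrasts a number parser whose one-byte lookahead ignores the end of the buffer with a bounds-checked version, and uses a canary byte planted after the input (a constructed harness) so the out-of-bounds read can be observed rather than crashing:

```cpp
// Added illustration of the bug class suggested by the trace above.
// Not iguana's or ormpp's code; the root cause of the reported crash is an
// assumption drawn from the stack trace, not confirmed against iguana's source.
#include <cstddef>
#include <iostream>
#include <string>

namespace demo {

// Bytes that may legally follow a JSON number.
inline bool can_follow_number(char c) {
  return c == ',' || c == '}' || c == ']' || c == ':' || c == ' ' ||
         c == '\t' || c == '\n' || c == '\r';
}

struct IntResult {
  bool ok;     // false on malformed or truncated input
  long value;  // parsed value when ok
};

// Vulnerable pattern: the digit loop honours `end`, but the one-byte
// lookahead that validates the terminator does not. When the number is the
// last thing in the buffer, `*it` reads the byte after the input.
inline IntResult parse_int_unchecked(const char *it, const char *end) {
  const char *begin = it;
  long v = 0;
  while (it != end && *it >= '0' && *it <= '9') {
    v = v * 10 + (*it - '0');
    ++it;
  }
  if (it == begin) return {false, 0};              // no digits at all
  if (!can_follow_number(*it)) return {false, 0};  // BUG: no `it != end` guard
  return {true, v};
}

// Hardened pattern: reaching `end` right after the digits is an
// "unexpected end of input" error, never a dereference.
inline IntResult parse_int_checked(const char *it, const char *end) {
  const char *begin = it;
  long v = 0;
  while (it != end && *it >= '0' && *it <= '9') {
    v = v * 10 + (*it - '0');
    ++it;
  }
  if (it == begin) return {false, 0};
  if (it == end) return {false, 0};  // truncated document
  if (!can_follow_number(*it)) return {false, 0};
  return {true, v};
}

// Constructed harness: copies `input` into a larger buffer and plants `canary`
// directly after it, so an out-of-bounds lookahead lands on a byte we control
// instead of on whatever follows the allocation (where ASan reports it as a
// SEGV or heap-buffer-overflow). The parser is only told about input.size() bytes.
typedef IntResult (*Parser)(const char *, const char *);
inline IntResult run_with_canary(Parser parse, const std::string &input, char canary) {
  std::string buf = input;
  buf.push_back(canary);
  const char *begin = buf.data();
  return parse(begin, begin + input.size());
}

// True when the parser's verdict on a truncated number depends on the byte
// beyond the input, i.e. it performs an out-of-bounds read.
inline bool verdict_depends_on_oob_byte(Parser parse) {
  bool accepted = run_with_canary(parse, "12", ',').ok;   // OOB byte is a valid terminator
  bool rejected = !run_with_canary(parse, "12", 'X').ok;  // OOB byte is garbage
  return accepted && rejected;
}

}  // namespace demo

int main() {
  std::cout << "unchecked parser reads past end: "
            << (demo::verdict_depends_on_oob_byte(demo::parse_int_unchecked) ? "yes" : "no")
            << '\n';
  std::cout << "checked parser reads past end:   "
            << (demo::verdict_depends_on_oob_byte(demo::parse_int_checked) ? "yes" : "no")
            << '\n';
  std::string good = "42,";
  demo::IntResult r = demo::parse_int_checked(good.data(), good.data() + good.size());
  std::cout << "checked parser on \"42,\": ok=" << r.ok << " value=" << r.value << '\n';
  return 0;
}
```

In a real parser the byte after the input is not a canary but whatever follows the std::string's heap allocation, which is why the same read shows up under ASan as a heap-buffer-overflow or, when it crosses into an unmapped page, as the SEGV on an unknown address seen above. The only reliable fix is in the parser (treat end-of-input as an error before every lookahead), which for ormpp means updating the bundled iguana; callers of config_manager::from_file cannot defend against it from the outside.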