This vulnerability was discovered by Dave McDaniel, Senior Research Engineer.

Summary

iPerf is a network testing application that is typically deployed in a client/server configuration and is used to measure the available network bandwidth between the systems by creating TCP and/or UDP connections. For each connection, iPerf reports maximum bandwidth, loss, and other performance related metrics. It is commonly used to evaluate and quantify the impact of network optimizations and for obtaining baseline metrics related to network performance.

iPerf3, developed by ESnet and Lawrence Berkeley National Laboratory, is a complete redesign of the original iPerf application and uses a forked cJSON library. Cisco Talos recently discovered that the forked version of the cJSON library contains a vulnerability that can lead to Remote Code Execution (RCE) on systems running the iPerf3 server daemon. This vulnerability is related to the way in which the forked cJSON library parses UTF-8/16 strings. There are currently several public iPerf3 servers that are accessible from the internet that may be susceptible to remote exploitation using this vulnerability. While the authors of the underlying cJSON library have since released a patch that resolves this vulnerability, the version of cJSON shipped with iPerf3 3.1-1 is vulnerable. The updated version of the iPerf3 application can be obtained here.

Details

When dealing with Unicode strings, the JSON specification calls for the the use of the ‘\u’ token, followed by four hexadecimal digits. The vulnerability in iPerf3 lies within the included cJSON library and is due to the way in which the parse_string() function handles memory allocation when dealing with UTF-8/16 strings. When a UTF-8/16 string is received, this function attempts to evaluate the string to determine proper heap allocation based upon the size of the input received.

When a UTF-8/16 string containing the ‘ “ ‘ character is encountered, the sscanf() function attempts to read the string. Due to the format requested, sscanf() will stop reading the string once it encounters the first ‘ “ ‘ however the buffer pointer is automatically incremented by four bytes regardless of the actual length of the string provided. This creates a logic error and causes the continued writing to the reserved block until the end of the loop is reached. By providing a long enough string, an attacker can create a heap overflow condition and cause an overwrite of the heap block headers. This could also potentially lead to remote code execution.

The object is later compared against a list of keys, which it does not match and is deleted, freeing the string. When attempting to delete the object, the corrupted chunk of memory is read then subsequently freed.

The application then attempts to consolidate backwards, encountering the previously corrupted heap block headers, which causes the application to crash.

Tested Versions

The following versions were tested by Talos:

iperf 3.1.1 2015-10-16

iperf3 3.1-1 2015-11-02

Conclusion

The official cJSON library was previously updated to resolve this vulnerability. Users of the cJSON library can obtain the latest version available from the official cJSON Github repository as it contains several fixes related to security vulnerabilities that have been discovered in cJSON. Users of the iPerf3 application should update to the latest version of iPerf3 as quickly as possible to resolve this vulnerability.

TALOS-2016-0164 is detected by SID 39165.

For full details regarding this vulnerability, please see the advisory here.