2006-08-23.04:37:00.this_looks_bad_for_JSON

So I've been doing a lot of fuzzing of various serializers so that I have some good examples for my talk at YAPC::EU. One of the things I was looking for was a good way of reliably causing various JSON parsers to crap out, so I could get the MVC framework (Catalyst) to give up a -Debug dump. I got a little bit more than I expected:

#!/usr/bin/perl -w
use strict;
use JSON::Syck;

# Build one numeric literal of roughly a million digits, "1.777...71E-10"
# (a million sevens), and wrap it in a one-element array of hashes.
my $h = 1000000;
my $x = '1.' . (7 x $h) . '1E-10';
my $yml = '[{"a" : ' . $x . '}]';

# Parse the document with JSON::Syck, then serialize the result back out.
my $da = JSON::Syck::Load($yml);
my $js = JSON::Syck::Dump($da);
print "$js\n";

When run, it gives the following:

-bash-2.05b$ perl ./yamlbroke8.pl
Segmentation fault: 11 (core dumped)

No idea if this is exploitable or not, but I guess I'm going to be trying to find out. It's worth noting that libsyck, upon which JSON::Syck is based, is part of the Ruby core for their YAML processing, and is probably used heavily for web service bits with Ruby on Rails (not to mention Perl, PHP, etc). I still need to do a bunch more work to make sure this isn't OS-specific, Perl-specific or version-specific, but it certainly looks initially promising.

Also fun - it looks like libsyck doesn't like null byte insertion very much, so it may be possible to work this into an attack scenario. As well, feeding it the string "{{}}" as a hash key will cause JSON::Syck to cough out a HASH(memoryloc) when it is deserialized (it doesn't fail like it should). Likewise, it will erroneously accept 'null', 'false', or 'true' as a hash key. With enough nested repetitions of '{{}}' or '[[]]', the parser can be made to barf with a parser stack overflow error.

YAML.pm itself can be made to hang, apparently indefinitely, with various bad constructs (try a single * on a line), and it dies on lots of otherwise valid-looking data. JSON.pm seems to have trouble with the 'null', 'false', and 'true' values, and handles null bytes completely differently.

None of this would be that big of a deal if there were a good way of validating all of this stuff... Probably I'll start hitting some of the XML stuff I noticed acting erratically and see if I can get some of those parsers to barf in similar ways. Also, I need to cast about for a suitable real world victim for some of this stuff.
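As an added example that is not part of the original post, here is one cheap way to do that validation in Perl: a token-level screen that rejects the shapes described above (oversized numeric literals, deep nesting, null bytes, non-string hash keys) before a document ever reaches JSON::Syck. The function name screen_json and the limits in %LIMIT are assumptions, not anything from JSON::Syck or libsyck.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical limits; set them to what your application actually accepts.
my %LIMIT = (max_bytes => 65_536, max_depth => 32, max_number_len => 64);

# Returns undef when the document passes the screen, otherwise a reason string.
# This is a pre-filter, not a full validator: a document it accepts may still be
# invalid JSON, so the real parser must still run (and be trusted to fail) afterwards.
sub screen_json {
    my ($doc) = @_;
    return "document larger than $LIMIT{max_bytes} bytes" if length($doc) > $LIMIT{max_bytes};
    return "contains a null byte" if index($doc, "\0") >= 0;

    my @stack;           # one '[' or '{' per currently open container
    my $expect_key = 0;  # true when the next token must be a hash key
    pos($doc) = 0;
    while (pos($doc) < length $doc) {
        next if $doc =~ /\G\s+/gc;
        if ($doc =~ /\G,/gc)    { $expect_key = (@stack && $stack[-1] eq '{'); next }
        if ($doc =~ /\G:/gc)    { $expect_key = 0; next }
        if ($doc =~ /\G[\]}]/gc) { pop @stack; $expect_key = 0; next }
        next if $doc =~ /\G"(?:[^"\\\x00-\x1f]|\\.)*"/gc;   # string: fine as key or value
        # Any other token in key position is the '{{}}' / 'null' case from the post.
        return "non-string hash key" if $expect_key;
        if ($doc =~ /\G([\[{])/gc) {
            push @stack, $1;
            return "nesting deeper than $LIMIT{max_depth}" if @stack > $LIMIT{max_depth};
            $expect_key = ($1 eq '{');
            next;
        }
        if ($doc =~ /\G(-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?)/gc) {
            return "numeric literal longer than $LIMIT{max_number_len} chars"
                if length($1) > $LIMIT{max_number_len};
            next;
        }
        next if $doc =~ /\G(?:true|false|null)\b/gc;
        return "unexpected byte at offset " . pos($doc);
    }
    return @stack ? "unclosed container" : undef;
}

# Constructed sample documents: the post's long-number shape (shortened), a
# hash-as-key, excessive nesting, and a benign document that should pass.
for my $case (
    ['long numeric literal', '[{"a" : 1.' . ('7' x 1000) . '1E-10}]'],
    ['hash as key',          '{{}:1}'],
    ['deep nesting',         ('[' x 40) . (']' x 40)],
    ['benign',               '[{"a": 1.71e-10, "b": [true, null]}]'],
) {
    printf "%-22s %s\n", $case->[0], screen_json($case->[1]) // "ok";
}
```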