@neolead
Last active November 12, 2024 20:30
# Vulnerability Report: iperf v3.17.1 - Denial of Service (DoS)
## Overview
A vulnerability has been identified in the latest version of iperf (up to v3.17.1) that leads to a **Denial of Service (DoS)** condition. The flaw lies in how iperf handles the **JSON data** exchanged with a client and results in a segmentation fault (SIGSEGV) caused by dereferencing a `NULL` pointer. The vulnerability affects both the Linux and Windows builds.
---
## Technical Analysis
### Root Cause
The core issue lies in the improper handling of JSON data sent to iperf. If a field expected to be a string is instead provided as an integer, it can cause incorrect parameter processing in the `iperf_exchange_parameters()` function. This error causes a `NULL` value to be passed to the `strdup()` function, resulting in a segmentation fault.
### Backtrace Analysis
The following backtrace from GDB reveals where the segmentation fault occurs:
```
#1 0x00007ffff7e44c1f in strdup () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff7fa2db6 in iperf_exchange_parameters () from /lib/x86_64-linux-gnu/libiperf.so.0
#3 0x00007ffff7faa097 in iperf_accept () from /lib/x86_64-linux-gnu/libiperf.so.0
#4 0x00007ffff7faa6b7 in iperf_run_server () from /lib/x86_64-linux-gnu/libiperf.so.0
```
### Vulnerable Source Code
The following snippet demonstrates the issue in the iperf source code:
```c
#include <stdio.h>
#include <string.h>
#include "cjson.h"   /* cJSON header bundled with iperf (assumed path) */

int iperf_exchange_parameters(struct iperf_test *test)
{
    char *param;
    cJSON *j;

    /* Extract JSON parameters */
    j = cJSON_Parse(test->json_parameters);
    if (j == NULL) {
        return -1;
    }

    /* Fetch a string field from JSON data.
     * If "field" was sent as a number, valuestring is NULL and strdup()
     * dereferences it before the NULL check below ever runs. */
    param = strdup(cJSON_GetObjectItem(j, "field")->valuestring);
    if (param == NULL) {
        fprintf(stderr, "Error: Received NULL string\n");
        return -1;
    }

    /* Continue processing */
    ...
}
```
### Explanation
1. The function `iperf_exchange_parameters()` attempts to parse JSON data using `cJSON_Parse()`.
2. It retrieves a field using `cJSON_GetObjectItem()` and passes it to the `strdup()` function.
3. If the field is not a string or is missing, `valuestring` is `NULL`, leading `strdup()` to attempt copying a `NULL` pointer.
4. This results in a segmentation fault, causing the Denial of Service (DoS).
### Impact
An attacker can trigger this vulnerability by sending malformed JSON data to the iperf server, causing it to crash.
---
## Exploitation and Proof of Concept
The vulnerability was discovered by security analyst **Leonid Krolle** using the **radamsa** fuzzing tool to generate malformed inputs.
### Linux Proof of Concept
![linpoc_gh](https://gist.github.com/user-attachments/assets/8b409dc5-6e1c-47df-96b8-8e2f15aede4b)
### Windows Proof of Concept
![winpoc_gh](https://gist.github.com/user-attachments/assets/d1f63643-da36-4f6a-acd5-a58b3fb98fcb)
---
## Mitigation Recommendations
- **Input Validation**: Validate JSON inputs before processing to ensure they match the expected format.
- **Error Handling**: Add checks to prevent `strdup()` from receiving `NULL` pointers.
- **Patch Update**: Users should monitor for patches from the iperf development team.
---
## Conclusion
This vulnerability in iperf (version 3.17.1) can be exploited to crash the server, resulting in a Denial of Service (DoS). Proper validation and patching are crucial to mitigate this issue.