FastJSON 0day vulnerability report

1. Problem background

fastjson is an open-source JSON parsing library from Alibaba. It can parse JSON-formatted strings, serialize Java Beans to JSON strings, and deserialize JSON strings back into Java Beans. Because of its high performance it is very widely used.

On June 22, 2019, the Alibaba Cloud Shield Emergency Response Center detected a FastJSON 0day vulnerability. An attacker can exploit it to bypass the blacklist policy and achieve remote code execution.

This 0day vulnerability concerns the fastjson javaweb framework. Because fastjson does not strictly restrict the input data when instantiating objects, an attacker who carefully constructs JSON data can cause remote code execution. As of publication, the method of exploiting the vulnerability has not been made public; affected users are asked to apply protection in a timely manner.


1.1 Vulnerability name

FastJSON 0day remote code execution vulnerability

1.2 Vulnerability description

An attacker can exploit this 0day vulnerability by constructing a malicious request that bypasses FastJSON's blacklist policy. For example, through a crafted request the attacker can make the remote server execute a specified command (in the example below, the calculator program was launched successfully).

1.3 Affected versions

  • FastJSON 1.2.30 and below
  • FastJSON 1.2.41 to 1.2.45

1.4 Official solution

Upgrade FastJSON to the latest version; upgrading to version 1.2.58 is recommended.

Note: we strongly recommend that low FastJSON versions outside the affected range above also be upgraded.

Upgrade

You can upgrade FastJSON to the latest version (1.2.58) by updating the dependency in your Maven configuration:

    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>fastjson</artifactId>
        <version>1.2.58</version>
    </dependency>

1.5 Protection recommendations

(1) Web Application Firewall

The Web Application Firewall's web attack protection rule set includes a default rule for the FastJSON 0day vulnerability; enable the Web Application Firewall's web application attack protection feature.

Note: if your service uses the custom rule group feature to customize the protection rules that are applied, be sure to add the following rules to the custom rule group:

Reference: https://helpcdn.aliyun.com/document_detail/123431.html

(2) WAF custom protection rules

FastJson is an open-source JSON parsing library from Alibaba that converts data between JSON and Java objects; deserialization vulnerabilities in it have been disclosed before. To guard against a 0day vulnerability in the FastJson library, two custom rules are provided below; add one of them as appropriate. Both can also be added at the same time, and one removed if it produces false positives. These custom rules are mainly intended for customers running Java systems that use this library.

Custom rule -- precise protection

Detection object > request_body

Match operation > regex contains

Detection value > ['"]\s*@type\s*['"].*?(com\.(sun|mchange)|org\.(apache|codehaus|hibernate|jboss|mozilla|python)|java\.(lang\.Thread|net\.Socket|rmi)|javax\.xml|bsh)

Custom rule -- aggressive protection

Detection object > request_body

Match operation > regex contains

Detection value > ['"]\s*@type\s*['"]
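As an added example (not from the original post and not Alibaba's WAF code), the two custom rules above applied to constructed request bodies with Python's re module. It shows why the aggressive rule needs a review step: JSON-LD documents legitimately carry a top-level "@type" key. The regexes are the page's own; the sample bodies and the placeholder class names are constructed.

```python
import re

# The two WAF rules from the page, compiled with Python's re module
# (the WAF engine is PCRE-like; these patterns only use the common subset).
PRECISE_RULE = re.compile(
    r"""['"]\s*@type\s*['"].*?(com\.(sun|mchange)|org\.(apache|codehaus|hibernate|jboss|mozilla|python)"""
    r"""|java\.(lang\.Thread|net\.Socket|rmi)|javax\.xml|bsh)""",
    re.DOTALL,  # request bodies may span lines; let '.' cross newlines
)
AGGRESSIVE_RULE = re.compile(r"""['"]\s*@type\s*['"]""")


def classify_body(body: str) -> str:
    """Return 'precise', 'aggressive' or 'clean' for one request body.

    'precise'    - @type is followed by one of the listed package prefixes
                   (high-confidence alert).
    'aggressive' - only the blanket rule fires: @type is present but no
                   listed package follows; route to review for false positives.
    'clean'      - neither rule fires.
    """
    if PRECISE_RULE.search(body):
        return "precise"
    if AGGRESSIVE_RULE.search(body):
        return "aggressive"
    return "clean"


# Constructed sample bodies (not from the page). The class names in the first
# two samples are placeholders that merely match a listed package prefix.
SAMPLE_BODIES = {
    "suspicious": '{"@type": "com.sun.example.PlaceholderClass", "x": 1}',
    "multiline": '{\n  "@type" :\n  "org.apache.example.Placeholder"\n}',
    "jsonld": '{"@context": "https://schema.org", "@type": "Person", "name": "A"}',
    "benign": '{"user": "alice", "type": "login"}',
}


def triage(bodies: dict) -> dict:
    """Classify every body; 'precise' hits go to alerts, 'aggressive' hits
    to a review queue, 'clean' bodies pass."""
    return {name: classify_body(b) for name, b in bodies.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_BODIES).items():
        print(f"{name:10s} -> {verdict}")
```

Without re.DOTALL the "multiline" body would only trigger the aggressive rule, which is the kind of gap to check when porting a WAF regex into a log-analysis script.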

Protection verification screenshot

TAM: retrospective and real-time detection of the fastjson javaweb framework 0day vulnerability

Run from the backend over ssh (backend execution is relatively fast; this method is recommended)

  1. Locate the Spark component: click the gear icon in the upper-right corner of the BSA home page, choose Cluster Management, go to Components, and click to view the Spark component, as shown in the figure below:

    Note down the host name, for example bsa12
  2. Log in to the BSA backend over ssh and run the following command (replace the highlighted SparkSqlServer host address, then copy the command and press Enter):
    First switch to the bsauser account: su - bsauser
    Then run

    ./spark-1.3.0-bin-hadoop2.4/bin/beeline -u jdbc:hive2://bsa12:10000 --verbose=true --showHeader=true --outputformat=tsv2 --color=true -e "select sip, dip, from_unixtime(timestamp) as timestamp, ret_code, host, uri, post_data from internal_app_bsatam2.tam_httplog where ns_date>=20190610 and (post_data rlike '@type' or uri rlike '@type');" > fastjson_export.csv

    After the above task completes, if a fastjson_export.csv file exists in the current directory and it has content, fastjson vulnerability attacks appeared in the historical traffic from 2019-06-10 to the present.

Run a custom query in the TAM interface (when ssh access to the backend is not available, you can work from the TAM UI; this is somewhat slower than backend execution and not recommended)

  1. Go to Mining & Search - Custom Query - New Query
  2. Paste the following SQL into the location shown in the figure below:

    select sip, dip, from_unixtime(timestamp) as timestamp, ret_code, host, uri, post_data from internal_app_bsatam2.tam_httplog where ns_date>=20190610 and (post_data rlike '@type' or uri rlike '@type')

  3. Click Validate. Wait for validation to succeed, then click New. Once it is created, click the location shown in the figure below to start execution:

Real-time monitoring

TAM custom scenario monitoring can be used for real-time detection. When this rule is not configured on UTS, use TAM's custom scenario detection feature:

  1. Go to Scenario Management - Scenario Configuration - Custom Scenario. Select Rule; the "fastjson remote code execution exploit detection" rule is configured as follows
  2. Paste the following SQL into the rule input

    select sip, dip, timestamp as start_time, timestamp as end_time, ret_code as info3, concat(host, uri) as infos, post_data as info2 from internal_app_bsatam2.tam_httplog where (post_data rlike '@type' or uri rlike '@type')

Supplementary notes:

This defect was introduced by the fix for an earlier defect, for the following reasons:

In fastjson versions up to and including 1.2.24, when JSON.parseObject is used to deserialize into a generic type (Object.class), maliciously constructed serialized content can cause commands to be executed on the server. That is, in a remote-server scenario, if fastjson is used to deserialize remote message content with a generic type, this possibility exists.

This defect was fixed after version 1.2.24. The fix disables autoType (automatic generic deserialization) by default, and if autoType is enabled a blacklist is also applied, blacklisting classes that are easily abused for attacks. The risk of this vulnerability is that, with autoType enabled, the blacklist can be bypassed through the 0day vulnerability. The bypass method is currently unknown.


Source: www.cnblogs.com/chaos-li/p/11139992.html