How to implement deserialization vulnerability Analysis of Fastjson < 1.2.68 version

2025-01-16 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

This article walks through the analysis of the deserialization vulnerability in Fastjson versions earlier than 1.2.68. The content is concise and easy to follow, and through this detailed introduction I hope you take something away from it.

Preface

A belated Fastjson deserialization vulnerability analysis. As usual, no PoC is published this time. The root cause is the same as before, but it can be exploited in several ways: in addition to the previously published file read and write, it can also be used for SSRF.

I. Vulnerability overview

Other articles describe the exploitation path of writing chosen content to a chosen file after truncating it (via a third-party library). The condition for attacking Fastjson is met when the gadget is a subclass of the class given first, the expected class: a gadget that satisfies this can use the expected class to bypass checkAutoType.

The following analysis shows how deserialization can be pointed at Fastjson's built-in classes for exploitation, which can achieve file reading, SSRF attacks and so on.

II. Debugging and analysis

1. Vulnerability debugging

From the patch you can see that three new entries were added to the expectClass check:

java.lang.Runnable, java.lang.Readable, java.lang.AutoCloseable

First, the parseObject method handles the incoming data. The type name is obtained through lexical parsing, and if it is not a number, the checkAutoType check starts.

When the incoming data is not a number, the expected class defaults to null, and checkAutoType is entered to check the incoming class.

The expected class is evaluated, and at this stage it is null. In the code that follows, AutoCloseable is neither in the whitelist nor in the blacklist, autoTypeSupport is not enabled, and expectClassFlag is false.

Where:

a. Calculate the hash value for the internal whitelist check.

b. Calculate the hash value for the blacklist check.

c. If the class is not in the internal whitelist and either autoTypeSupport is enabled or an expected class is set, check the whitelist acceptHashCodes and the blacklist denyHashCodes by hash. If the class is in acceptHashCodes, load it (with defaultClassLoader); if it is in the blacklist, throw "autoType is not support".

The result of condition c is later assigned to clazz, and the parsing code makes various checks on clazz.

AutoCloseable is taken from the cache and assigned to clazz.

When clazz is not null and expectClassFlag is not set, the condition is not met and clazz is returned. At this point the first checkAutoType check is complete.

The checked AutoCloseable is then deserialized; this uses the JavaBeanDeserializer deserializer, which inherits from MapDeserializer.

JSON.DEFAULT_TYPE_KEY is @type. The incoming key @type is matched and the second class, this time the gadget, is passed in.

The expected class has changed here: the value of expectClass is now java.lang.AutoCloseable, and typeName is the gadget.

Going into the JSONType annotation handling, the typeName of the gadget is converted into a path, with "." replaced by "/" to get the resource path. In fact the gadget is already being read at this point, where AutoCloseable was supposed to be loaded.

You can see that there is a function to read files here.

The isAssignableFrom() method determines whether the class is an inherited (assignable) one. When java.lang.AutoCloseable is used to attack Fastjson, the subsequent deserialization chain must use a subclass of that class.

TypeUtils.addMapping(typeName, clazz) adds the gadget to the cache and returns the clazz assigned to the gadget.

Once checkAutoType has formally passed, deserialization proceeds with deserializer = parser.getConfig().getDeserializer(userType); userType is the gadget.

Enter coreConnect().

The connection is made here. Find a suitable, available gadget in common jar packages. Once deserialized, the gadget can perform the malicious functionality of its class (not only RCE but also arbitrary file read/create, SSRF, etc.), which makes the most of this vulnerability.

At this point, exploitation of the vulnerability is complete.
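The structure described above (an outer @type naming one of the three expectClass entries, with a second @type supplying the class that is actually resolved) is something a request filter can look for before a body ever reaches Fastjson. The following is an added example, not code from the original article or from the Fastjson project: a Python check a WAF, API gateway or application filter could run. It records every @type key, blocks the wrapper pattern, and, because Fastjson acts on the second @type while Python's json.loads() keeps only the last duplicate key, it parses with object_pairs_hook so duplicate keys are preserved. All sample bodies are constructed, and class names other than the three expectClass entries (com.example.Address, com.example.PlaceholderGadget) are placeholders.

```python
"""Flag Fastjson autoType usage in JSON request bodies before they reach the parser.

Added example (not the article's or Fastjson's own code). Sample bodies and the
com.example.* class names are constructed placeholders.
"""
import json

TYPE_KEY = "@type"
EXPECT_CLASS_WRAPPERS = {  # the three expectClass entries named in the article
    "java.lang.Runnable",
    "java.lang.Readable",
    "java.lang.AutoCloseable",
}


class JsonObject:
    """A JSON object kept as an ordered list of (key, value) pairs, duplicates included."""

    def __init__(self, pairs):
        self.pairs = list(pairs)


def analyze(body: str) -> dict:
    """Return {"verdict": allow|review|block, "findings": [...]} for one request body."""
    try:
        root = json.loads(body, object_pairs_hook=JsonObject)
    except ValueError:
        # Not JSON at all: nothing for Fastjson's autoType handling to act on.
        return {"verdict": "allow", "findings": []}

    findings = []
    stack = [(root, "$", None)]  # (node, json path, @type of the enclosing object)
    while stack:
        node, path, enclosing = stack.pop()
        if isinstance(node, JsonObject):
            types = [v for k, v in node.pairs if k == TYPE_KEY and isinstance(v, str)]
            for cls in types:
                findings.append({"path": path, "class": cls, "reason": "autoType key present"})
            # Duplicate @type in one object: the first becomes expectClass, the second is resolved.
            if len(types) >= 2 and types[0] in EXPECT_CLASS_WRAPPERS:
                findings.append({"path": path, "class": types[1],
                                 "reason": f"second @type after expectClass wrapper {types[0]}"})
            # @type on a child object of a wrapper-typed object.
            if enclosing in EXPECT_CLASS_WRAPPERS and types:
                findings.append({"path": path, "class": types[0],
                                 "reason": f"@type nested under expectClass wrapper {enclosing}"})
            own = types[0] if types else None
            for key, value in node.pairs:
                stack.append((value, f"{path}.{key}", own))
        elif isinstance(node, list):
            for i, value in enumerate(node):
                stack.append((value, f"{path}[{i}]", enclosing))

    if not findings:
        verdict = "allow"
    elif any("wrapper" in f["reason"] for f in findings):
        verdict = "block"
    else:
        verdict = "review"  # autoType in use; acceptable only against an explicit allow-list
    return {"verdict": verdict, "findings": findings}


def naive_type_count(body: str) -> int:
    """How many @type values a plain json.loads() lets a filter see (duplicate keys collapse)."""
    count = 0
    stack = [json.loads(body)]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            count += 1 if isinstance(node.get(TYPE_KEY), str) else 0
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return count


# Constructed sample bodies (not captured traffic).
BENIGN = '{"user": "alice", "tags": ["a", "b"]}'
SINGLE_TYPE = '{"@type": "com.example.Address", "city": "Berlin"}'
DUPLICATE_TYPE = ('{"@type": "java.lang.AutoCloseable", '
                  '"@type": "com.example.PlaceholderGadget", "path": "/tmp/x"}')
NESTED_TYPE = ('{"@type": "java.lang.AutoCloseable", '
               '"inner": {"@type": "com.example.PlaceholderGadget"}}')

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("single", SINGLE_TYPE),
                       ("duplicate", DUPLICATE_TYPE), ("nested", NESTED_TYPE)]:
        result = analyze(body)
        print(f"{name:9} verdict={result['verdict']:6} "
              f"findings={len(result['findings'])} naive_count={naive_type_count(body)}")
```

The "review" verdict for a lone @type reflects that autoType is legitimately used by some applications; the filter should only pass such bodies when the class is on an explicit allow-list. The naive_type_count() helper is there to show the pitfall: for the duplicate-key body it reports a single @type, so a filter built on a standard dictionary parser would never see the wrapper class that Fastjson itself processes.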

The above is the analysis of the deserialization vulnerability in Fastjson versions earlier than 1.2.68. Have you picked up the knowledge or skills? If you want to learn more or broaden your knowledge, you are welcome to follow the industry information channel.
