
What is the vulnerability of Fastjson remote code execution?

2025-01-16 Update. From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

Today I will talk to you about Fastjson remote code execution vulnerabilities, which many people may not understand well. To help you understand them better, the editor has summarized the following content. I hope you gain something from this article.

0x00 vulnerability background

On May 28, 2020, 360CERT monitoring found that security vendors in the industry had issued a risk notice for a Fastjson remote code execution vulnerability, rated as high risk.

Fastjson is Alibaba's open-source JSON parsing library. It parses strings in JSON format, serializes JavaBeans into JSON strings, and deserializes JSON strings back into JavaBeans.

Fastjson has a remote code execution vulnerability: the restriction imposed by the autotype switch can be bypassed, so an attacker who carefully constructs a deserialization gadget chain can ultimately achieve remote command execution. The vulnerability by itself does not bypass Fastjson's blacklist; a complete exploit requires a deserialization gadget chain whose classes are not on the blacklist.

As of the release of the vulnerability notice, the official version 1.2.69 had not yet been released. 360CERT recommends that users watch for the official update notice, take stock of their affected assets, and apply security hardening according to the temporary repair recommendations to avoid being attacked.
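As an added example (not from the 360CERT notice or the Fastjson project), this is how a defender can verify that the temporary hardening is actually in effect on an application that cannot upgrade yet. It assumes Fastjson 1.2.68 or later on the classpath, where ParserConfig.setSafeMode(true) makes the parser reject any document carrying an "@type" key before any class lookup happens, so neither the blacklist nor a gadget chain outside it comes into play. The class name in the sample document is a made-up placeholder, not a gadget.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonSafeModeCheck {

    // Constructed sample documents. The first carries the "@type" key that
    // autotype deserialization relies on; the class name is a placeholder.
    static final String TYPED_DOC = "{\"@type\":\"com.example.Placeholder\",\"name\":\"x\"}";
    static final String PLAIN_DOC = "{\"name\":\"x\"}";

    // Returns true when the parser refuses "@type" documents, i.e. safeMode is active.
    static boolean safeModeEffective() {
        try {
            JSON.parseObject(TYPED_DOC);
            return false; // "@type" was accepted: hardening is NOT in effect
        } catch (JSONException e) {
            return true;  // rejected before any class is resolved
        }
    }

    public static void main(String[] args) {
        // Same effect as starting the JVM with -Dfastjson.parser.safeMode=true.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Ordinary JSON without "@type" is unaffected by safeMode.
        JSONObject plain = JSON.parseObject(PLAIN_DOC);
        System.out.println("plain document parsed, name=" + plain.getString("name"));

        if (safeModeEffective()) {
            System.out.println("OK: documents with @type are rejected");
        } else {
            System.out.println("WARNING: @type accepted, safeMode is not in effect");
        }
    }
}
```

Run this check in a startup self-test or integration test so a later library upgrade or configuration change that silently re-enables autotype is caught.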

0x01 risk rating

360CERT's assessment of the vulnerability is as follows:

Assessment method    Level
Threat level         [high risk]
Impact surface       [extensive]

0x02 impact version

Fastjson:
