Shulou(Shulou.com)05/31 Report--

What this article shares with you is about how to analyze Fastjson JtaTransactionConfig remote code execution vulnerabilities. The editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article.

Introduction of fastjson components

Fastjson is a high-performance and functional JSON library written in Java language. It uses a "assumed ordered fast matching" algorithm to improve the performance of JSON Parse to the extreme, and it is the fastest JSON library in Java language at present. Fastjson interface is easy to use and has been widely used in many application scenarios, such as cache serialization, protocol interaction, Web output, Android client and so on.

Vulnerability description

The fastjson remote code execution vulnerability is caused by using the com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class to bypass the blacklist of fastjson. When the server loads the ibatis-sqlmap dependency affected by the vulnerability and turns on the autotype of fastjson, the remote attacker can trigger the remote code execution vulnerability through the constructed attack code, and finally gain control of the server.

Loophole analysis

Fastjson1.2.62 + ibatis-sqlmap-2.3.4.726 is used as vulnerability environment analysis. Input the constructed payload through the parsing entry of the parse method in the JSON class, as shown below:

Format parsing and special character detection in the JSONObject class. Continue to follow up the process. When the class name passed in @ type is obtained, the checkAutoType method will be used to check whether the class passed in @ type is in the blacklist. If such a name exists in the blacklist, an exception will be thrown to exit the program. As shown below:

To follow up, the json format data in payload will match the field names in the JSONScanner class. If the field names match successfully, pass the corresponding parameter values and assign values to the corresponding attributes, as shown in the following code:

Enter the com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class specified by @ type and assign a value to the utxName variable through the setProperties class. At this point, the value of utxName is the UserTransaction parameter value passed in from the json data.

When we pass a malicious address in the UserTransaction parameter and access it through the lookup method, the server can load malicious files remotely.

At this point, the vulnerability exploitation process is basically completed.

Loophole recurrence

Build a fastjson1.2.66 + ibatis-sqlmap-2.3.4.726 vulnerability environment, pass in carefully constructed json data, and let the target server load malicious files on the remote host, thus executing arbitrary code on the target host. The effect is as shown in the figure:

Scope of influence

Currently affected fastjson versions:

Fastjson

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.