FasterXML Jackson-databind Remote Code Execution CVE-2020-9547

Description

Introduction
FasterXML Jackson is a data processing tool built for Java from an American company FasterXML. Jackson-databind is one of its components with data binding. The component can convert Java objects to json objects, as well as converting json to Java objects.

Summary
NVD released information about FasterXML Jackson-databind remote code execution vulnerability on March 2, 2020 with CVE number: CVE-2020-9547. The vulnerability is caused by JNDI injection, which leads to remote code execution. Jackson-databind version 2.0.0 - 2.9.10.3 lack the com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig blacklist. Attackers can exploit this vulnerability to bypass restrictions, perform JNDI injection, then execute arbitrary code on the infected host eventually.

Analysis
Taking Jackson-databind 2.10.1+ ibatis-sqlmap-2.3.4.726 as the vulnerability environment for analysis, Jackson-databind will perform internal initialization. Afterwards, the incoming json data will be processed. The vulnerability mainly exists in the com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class in the ibatis-sqlmap library . Let us track the process of exploiting the vulnerability. After Jackson-databind receives a piece of json data, it will parse the data in the ReaderBasedJsonParser class and the characters bit by bit. The details are as shown below:

 
We use double quotes to determine the start and end of the field name. The class obtained by parsing the json data will be instantiated in the call method.

 
We obtain the field names in the incoming json data, and assign values to internal attributes through deserialization.

 
Then we call methods in the class through reflection.

 
When the lookup method in the com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig
class is executed, the victim host will access the malicious link passed by the attacker and load a malicious file, thereby triggering a remote code execution attack. As shown

 
Reproduction
We set up Jackson-databind 2.10.1+ ibatis-sqlmap-2.3.4.726 environment, pass in specially crafted json data, and let the target server load malicious files on the remote host, thereby executing arbitrary code on the target host. as shown in figure:

 
Impacts
Affected versions:
Jackson-databind 2.0.0 - 2.9.10.3

Timeline
March 2, 2020 Sangfor security team detected FasterXML Jackson-databind remote code execution vulnerability CVE-2020-9547.

March 4, 2020 Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.

Solution

Remediation Solution
The official has fixed this vulnerability. Please visit the following link to download the latest version:

https://github.com/FasterXML/jackson-databind/releases

Sangfor Solution
For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cloud WAF has updated database immediately in the cloud. Users can be protected from high risk easily and rapidly without performing any operation.

Sangfor Cyber Command is capable of detecting attacks exploiting this vulnerability and alerting users. Users can correlate Cyber Command to Sangfor NGAF to block attacker IP address.

Sangfor SOC makes sure that Sangfor security specialists are available 24/7 to you for any security issue. Sangfor security experts scan the customer's network environment in the first place to ensure that the customer's host is free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.