<div><div style="text-align:justify;"><strong>Introduction</strong></div><div style="text-align:justify;"> </div><div style="text-align:justify;">Fastjson is a high-performance, fully featured JSON library written in Java. It uses an "assumed ordered fast matching" algorithm to push JSON parsing performance to the extreme, making it the fastest JSON library currently available for Java. The Fastjson interface is easy to use, and the library is widely adopted in scenarios such as cache serialization, protocol interaction, web output and Android clients.</div><div style="text-align:justify;"> </div><div style="text-align:justify;"><strong>Summary</strong></div><div style="text-align:justify;"> </div><div style="text-align:justify;">This Fastjson remote code execution vulnerability is triggered through the com.caucho.config.types.ResourceRef class, which bypasses the autoType blacklist of Fastjson 1.2.66 and earlier versions. When the server has the affected resin dependency on its classpath and Fastjson autoType is enabled, a remote attacker can trigger remote code execution with a crafted payload and ultimately gain control of the server.</div><div style="text-align:justify;"> </div><div style="text-align:justify;"><strong>Analysis</strong></div><div style="text-align:justify;"> </div><div style="text-align:justify;">Taking Fastjson 1.2.66 with resin-4.0.63.jar as the vulnerable environment, we pass the constructed payload to the parsing entry point in the JSON class.</div><div style="text-align:justify;"> </div><div style="text-align:justify;">Parsing then continues in the DefaultJSONParser class, which tokenizes the input on special characters to extract the data.</div><div style="text-align:justify;"> </div><div style="text-align:justify;">After obtaining the class name passed in @type, the checkAutoType method checks whether that class is on the blacklist.</div><div style="text-align:justify;"> </div><div style="text-align:justify;">The class name is hashed to produce a hash value.</div><div style="text-align:justify;"> </div><div style="text-align:justify;">This value is compared against the hashes in Fastjson's blacklist. If it matches, an exception is thrown immediately and parsing aborts.</div><div style="text-align:justify;"> </div><div style="text-align:justify;">Once the checkAutoType check passes, the getClassLoader() method obtains the local class loader, from which the library containing the target class is loaded.</div><div style="text-align:justify;"> </div><div style="text-align:justify;">Following the code further, clazz is assigned by calling TypeUtils.loadClass(), and clazz is finally returned.</div><div style="text-align:justify;"> </div><div style="text-align:justify;">Execution then enters the map.put() method, where the properties and methods of the incoming class are resolved during deserialization and values are assigned directly to the properties through their JavaBean setters.</div><div style="text-align:justify;"> </div>
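<div style="text-align:justify;">The hash-based blacklist check described above is what the ResourceRef class slipped past: a denylist can only reject names it already knows. The following is an added, self-contained model of that mechanism, written for this page; it is not Fastjson's code. Fastjson's checkAutoType does hash the class name with 64-bit FNV-1a and look prefix hashes up in a sorted array, but the deny entries below ("com.sun.rowset.", "javax.naming.", "com.caucho.") are constructed for the demonstration and are not the library's actual list.</div>

```java
import java.util.Arrays;

// Illustrative model (not Fastjson's code) of an autoType denylist that compares
// FNV-1a 64-bit hashes of an @type class name. The hash is advanced one character
// at a time and every intermediate value is looked up, so a package prefix on the
// list rejects every class beneath it. Deny entries are constructed for the demo.
public class AutoTypeDenylistDemo {
    private static final long FNV_BASIS = 0xcbf29ce484222325L;
    private static final long FNV_PRIME = 0x100000001b3L;

    // FNV-1a over the UTF-16 code units of the string.
    static long fnv1a64(String s) {
        long h = FNV_BASIS;
        for (int i = 0; i < s.length(); i++) {
            h ^= s.charAt(i);
            h *= FNV_PRIME;
        }
        return h;
    }

    private final long[] denyHashes;

    AutoTypeDenylistDemo(String... denyPrefixes) {
        denyHashes = new long[denyPrefixes.length];
        for (int i = 0; i < denyPrefixes.length; i++) {
            denyHashes[i] = fnv1a64(denyPrefixes[i]);
        }
        Arrays.sort(denyHashes); // Arrays.binarySearch requires sorted input
    }

    // True when the class name, or any prefix of it, hashes to a deny entry.
    boolean isDenied(String className) {
        long h = FNV_BASIS;
        for (int i = 0; i < className.length(); i++) {
            h ^= className.charAt(i);
            h *= FNV_PRIME;
            if (Arrays.binarySearch(denyHashes, h) >= 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Class named in the advisory.
        String gadget = "com.caucho.config.types.ResourceRef";

        // Constructed denylist without the resin package: the new class is not
        // covered, which is the bypass the advisory describes.
        AutoTypeDenylistDemo before = new AutoTypeDenylistDemo("com.sun.rowset.", "javax.naming.");
        System.out.println("denylist without com.caucho. rejects ResourceRef: " + before.isDenied(gadget));

        // Adding the package prefix blocks the whole package, not just one class.
        AutoTypeDenylistDemo after = new AutoTypeDenylistDemo("com.sun.rowset.", "javax.naming.", "com.caucho.");
        System.out.println("denylist with com.caucho. rejects ResourceRef:    " + after.isDenied(gadget));
    }
}
```

<div style="text-align:justify;">Run as a plain Java program, the first check lets the class through and the second rejects it once "com.caucho." is on the list. Publishing only hashes hides the entries from casual readers, but it does not change the defensive weakness shown here: any gadget class that is not yet listed passes, so patching a denylist is always reactive, whereas leaving autoType disabled or allowlisting your own types (see Solution below) rejects unknown classes by default.</div>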
<div style="text-align:justify;">Finally, the getValue() method calls Jndi.lookup(). The lookup() method instantiates an InitialContext and performs a lookup on the supplied address, which loads the malicious file from the incoming link and executes the commands in that file on the server.</div><div style="text-align:justify;"> </div><div style="text-align:justify;">This completes the exploit chain.</div><div style="text-align:justify;"> </div><div style="text-align:justify;"><strong>Reproduction</strong></div><div style="text-align:justify;"> </div><div style="text-align:justify;">We built a vulnerable environment with Fastjson 1.2.66 and resin-4.0.63.jar and passed specially crafted JSON data, causing the target server to load a malicious file from a remote host and execute the malicious code on the target host, as shown in the figure:</div><div style="text-align:justify;"> </div><div style="text-align:justify;"><strong>Impacts</strong></div><div style="text-align:justify;"> </div><div style="text-align:justify;">Affected Fastjson versions:</div><div style="text-align:justify;"> </div><div style="text-align:justify;"><strong>Fastjson earlier than 1.2.67</strong></div><div style="text-align:justify;"> </div><div style="text-align:justify;"><strong>Timeline</strong></div><div style="text-align:justify;"> </div><div style="text-align:justify;">March 18, 2020: FasterXML jackson-databind released a patch adding this class to its blacklist.</div><div style="text-align:justify;"> </div><div style="text-align:justify;">March 21, 2020: Sangfor FarSight Labs successfully reproduced this vulnerability, then released alerts and solutions.</div><div style="text-align:justify;"> </div><div style="text-align:justify;"><strong>Reference</strong></div><div style="text-align:justify;"> </div><div style="text-align:justify;">https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf01…</div><div style="text-align:justify;"> </div><div style="text-align:justify;">https://github.com/alibaba/fastjson</div><div style="text-align:justify;"> </div><div style="text-align:justify;"><span style="color: #337fe5;"><strong>Solution</strong></span></div><div style="text-align:justify;"> </div><div style="text-align:justify;"><strong>Remediation Solution</strong></div><div style="text-align:justify;"> </div><div style="text-align:justify;">1. Fastjson 1.2.67, the latest version released by Alibaba, fixes this vulnerability. Download it from: https://github.com/alibaba/fastjson</div><div style="text-align:justify;"> </div><div style="text-align:justify;">2. Disable autoType in Fastjson. If this feature is not needed, remove the following code:</div><div style="text-align:justify;"> </div><div style="text-align:justify;">ParserConfig.getGlobalInstance().setAutoTypeSupport(true);</div><div style="text-align:justify;"> </div><div style="text-align:justify;"><strong><span style="color: #337fe5;">Sangfor Solution</span></strong></div><div style="text-align:justify;"> </div><div style="text-align:justify;">For Sangfor NGAF customers, keep the NGAF security protection rules up to date.</div><div style="text-align:justify;"> </div><div style="text-align:justify;">Sangfor Cloud WAF has already updated its rule database in the cloud, so users are protected from this high-risk vulnerability quickly and without any action on their part.</div><div style="text-align:justify;"> </div><div style="text-align:justify;">Sangfor Cyber Command can detect attacks exploiting this vulnerability and alert users. Users can link Cyber Command with Sangfor NGAF to block the attacker's IP address.</div><div style="text-align:justify;"> </div><div style="text-align:justify;">Sangfor SOC ensures that Sangfor security specialists are available to you 24/7 for any security issue. Sangfor security experts first scan the customer's network environment to confirm that the customer's hosts are free of this vulnerability. For vulnerable users, we have reviewed and updated device policies to ensure protection against it.</div><div style="text-align:justify;"> </div></div>
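<div style="text-align:justify;">The Remediation Solution above boils down to one configuration decision: never enable autoType for input you do not control. The following added example shows that configuration in working code against the Fastjson 1.2.x API; it is not code from the advisory or from the Fastjson project. The Order class, the "com.example.dto." package prefix and the two JSON documents are constructed for the demonstration. The only page-specific value reused is the class name from the advisory, given here with no properties, simply to show that the parser refuses it.</div>

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

// Added example (not the advisory's or Fastjson's code) of parsing untrusted JSON
// with autoType left disabled, binding to an explicit target class, and using a
// narrow allowlist instead of the global setAutoTypeSupport(true) switch.
public class SafeParseDemo {

    // Constructed DTO for the demo. Fastjson binds fields through these setters.
    public static class Order {
        private String id;
        private int quantity;
        public String getId() { return id; }
        public void setId(String id) { this.id = id; }
        public int getQuantity() { return quantity; }
        public void setQuantity(int quantity) { this.quantity = quantity; }
    }

    // Rejects any @type the parser is not allowed to instantiate; returns the
    // exception message so callers can log it instead of swallowing it.
    static String parseUntrustedGeneric(String json) {
        try {
            Object parsed = JSON.parseObject(json);
            return "parsed as " + parsed.getClass().getName();
        } catch (JSONException e) {
            return "rejected: " + e.getMessage();
        }
    }

    // Preferred pattern: bind untrusted input to a fixed class. Only Order's
    // setters are reachable, whatever the document claims about its type.
    static Order parseOrder(String json) {
        return JSON.parseObject(json, Order.class);
    }

    public static void main(String[] args) {
        ParserConfig config = ParserConfig.getGlobalInstance();
        // The vulnerable setting from the advisory is the line NOT present here:
        //   config.setAutoTypeSupport(true);
        // Leaving it out keeps the default, autoType disabled.

        // Constructed document naming the class from the advisory, with no
        // properties. With autoType disabled the parser refuses to load it.
        String hostile = "{\"@type\":\"com.caucho.config.types.ResourceRef\"}";
        System.out.println(parseUntrustedGeneric(hostile));

        // Constructed legitimate document bound to an explicit class.
        String legit = "{\"id\":\"A-17\",\"quantity\":3}";
        Order order = parseOrder(legit);
        System.out.println("order " + order.getId() + " x" + order.getQuantity());

        // If polymorphic deserialization is genuinely required, allowlist your own
        // DTO package prefix instead of turning autoType on for every class on the
        // classpath. "com.example.dto." is a constructed placeholder.
        config.addAccept("com.example.dto.");
    }
}
```

<div style="text-align:justify;">The hostile document is rejected by checkAutoType before any class is loaded, because with autoType disabled only allowlisted names are honoured; the legitimate document is bound to Order through its setters. Treat a call to setAutoTypeSupport(true) in a code review the same way you would treat an unrestricted deserialization entry point, and prefer a per-package addAccept entry if a business case for @type really exists.</div>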