Introduction

fastjson is a high performance and fully functional JSON library written in Java. It uses the algorithm of assumed ordered fast matching to put the performance of JSON Parse to the extreme, which is the fastest JSON library in the current Java language. fastjson interface is easy to use and widely adopted in scenarios such as cache serialization, protocol interaction, web output, Android client.

Summary

Fastjson AnterosDBCPConfig Remote Code Execution Vulnerability is caused by the usage of com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class and bypassing fastjson blacklist. When server loads Anteros-DBCP dependency affected by vulnerabilities and enables autotype of fastjson, remote attackers can exploit remote code execution vulnerability by crafted attack code, and obtain control permission of servers eventually.

Analysis

Taking fastjson1.2.62+ibatis-sqlmap-2.3.4.726.jar as a vulnerability environment, we pass in the constructed payload and parse entry using the method in the JSON class, as shown below:

Fastjson JtaTransactionConfig Remote Code Execution Vulnerability 1

Then we perform format parsing and special character detection in the JSONObject class. During the follow-up, when obtaining the class name passed by @type, we will check if the class is in the blacklist through the checkAutoType method. If the class name is in the blacklist, error will occur and the program will be terminated. As shown in the following figure:

Fastjson JtaTransactionConfig Remote Code Execution Vulnerability 2

After that, json format data in the payload will be matched with field names in the JSONScanner class. If the match is successful, the corresponding parameter will be passed by value to the corresponding attributes. The code is as follows:

Fastjson JtaTransactionConfig Remote Code Execution Vulnerability 3

Go to @type designated com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class, and assign value for utxName variable through setProperties class. At this time, utxName value is from UserTransaction parameter value from json data.

Fastjson JtaTransactionConfig Remote Code Execution Vulnerability 4

When we pass the malicious address to the UserTransaction parameter and access it through the lookup method, the server can load the malicious file remotely.

Fastjson JtaTransactionConfig Remote Code Execution Vulnerability 5

So far the exploit process is basically complete.

Reproduction

We build a fastjson1.2.66 + ibatis-sqlmap-2.3.4.726.jar vulnerability environment, pass specially crafted json data, let target server load malicious files on remote host, thereby executing malicious code on target host, as shown in Figure:

Fastjson JtaTransactionConfig Remote Code Execution Vulnerability 6

Impacts

Affected Versions:
 

fastjson 1.2.66 or earlier

Timeline

On Mar 3, 2020, Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.

Solution

Remediation Solution

1. Disable autotype in fastjason. If this function is not needed, delete the following code:

ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

Sangfor Solution

For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cyber Command is capable of detecting attacks exploiting this vulnerability and alerting users. Users can correlate Cyber Command to Sangfor NGAF to block attacker IP address.

Sangfor SOC makes sure that Sangfor security specialists are available 24/7 to you for any security issue. Sangfor security experts scan the customer's network environment in the first place to ensure that the customer's host is free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.

Listen To This Post

Search

Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Related Articles

Cyber Security

Celebrating Leaders in CyberSHEcurity: Rowena O. Acuña

Date : 25 Mar 2024
Read Now
Cyber Security

Celebrating Leaders in CyberSHEcurity: Mel Migriño

Date : 11 Mar 2024
Read Now
Cyber Security

Celebrating Leaders in CyberSHEcurity: Col. Francel Margareth Padilla-Taborlupa

Date : 08 Mar 2024
Read Now

See Other Product

Best Darktrace Cyber Security Competitors and Alternatives in 2024
Cyber Command - NDR Platform
Endpoint Secure
Internet Access Gateway (IAG)
Sangfor Network Secure - Next Generation Firewall
Platform-X