Fastjson JtaTransactionConfig Remote Code Execution Vulnerability

06/03/2020 14:42:22

Description

Introduction
fastjson is a high performance and fully functional JSON library written in Java. It uses the algorithm of assumed ordered fast matching to put the performance of JSON Parse to the extreme, which is the fastest JSON library in the current Java language. fastjson interface is easy to use and widely adopted in scenarios such as cache serialization, protocol interaction, web output, Android client.

Summary
Fastjson AnterosDBCPConfig Remote Code Execution Vulnerability is caused by the usage of com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class and bypassing fastjson blacklist. When server loads Anteros-DBCP dependency affected by vulnerabilities and enables autotype of fastjson, remote attackers can exploit remote code execution vulnerability by crafted attack code, and obtain control permission of servers eventually.

Analysis
Taking fastjson1.2.62+ibatis-sqlmap-2.3.4.726.jar as a vulnerability environment, we pass in the constructed payload and parse entry using the method in the JSON class, as shown below:



Then we perform format parsing and special character detection in the JSONObject class. During the follow-up, when obtaining the class name passed by @type, we will check if the class is in the blacklist through the checkAutoType method. If the class name is in the blacklist, error will occur and the program will be terminated. As shown in the following figure:



After that, json format data in the payload will be matched with field names in the JSONScanner class. If the match is successful, the corresponding parameter will be passed by value to the corresponding attributes. The code is as follows:



Go to @type designated com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig class, and assign value for utxName variable through setProperties class. At this time, utxName value is from UserTransaction parameter value from json data.



When we pass the malicious address to the UserTransaction parameter and access it through the lookup method, the server can load the malicious file remotely.



So far the exploit process is basically complete.

Reproduction
We build a fastjson1.2.66 + ibatis-sqlmap-2.3.4.726.jar vulnerability environment, pass specially crafted json data, let target server load malicious files on remote host, thereby executing malicious code on target host, as shown in Figure:



Impacts
Affected Versions:
fastjson 1.2.66 or earlier

Timeline
On Mar 3, 2020, Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.

Solution

Remediation Solution
1. Disable autotype in fastjason. If this function is not needed, delete the following code:
ParserConfig.getGlobalInstance().setAutoTypeSupport(true);

Sangfor Solution
For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cyber Command is capable of detecting attacks exploiting this vulnerability and alerting users. Users can correlate Cyber Command to Sangfor NGAF to block attacker IP address.

Sangfor SOC makes sure that Sangfor security specialists are available 24/7 to you for any security issue. Sangfor security experts scan the customer's network environment in the first place to ensure that the customer's host is free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.

Our Social Networks

Global Service Center:

COPYRIGHT © 2000-2020 SANGFOR TECHNOLOGIES. ALL RIGHTS RESERVED.