Fastjson caucho-quercus Remote Code Execution Vulnerability

03/04/2020 09:00:49

Fastjson is a high-performance, full-featured JSON library written in Java. It uses an "assumed ordered fast matching" algorithm to push JSON parsing performance to the extreme, making it the fastest JSON library currently available for Java. The Fastjson interface is easy to use and is widely adopted in scenarios such as cache serialization, protocol interaction, web output and Android clients.


The Fastjson remote code execution vulnerability is caused by using the com.caucho.config.types.ResourceRef class to bypass the blacklist of Fastjson 1.2.66 and earlier versions. When the server has loaded the resin dependency affected by the vulnerability and Fastjson autotype is enabled, a remote attacker can trigger remote code execution through constructed attack code and ultimately gain control of the server.


Taking Fastjson 1.2.66 + resin-4.0.63.jar as the vulnerable environment, we pass in the constructed payload and enter parsing through the method in the JSON class.

Format parsing is then performed in the DefaultJSONParser class, which uses special characters as identifiers for data extraction.

After getting the class name passed by @type, the checkAutoType method checks whether that class is in the blacklist.

The passed class is hashed to generate a hash value.

The value is compared with the hashes in the blacklist set by Fastjson. If a match is found, an exception is thrown directly and the program exits.
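A simplified model of the hashed blacklist check described above, added here as an illustration; it is not Fastjson's code. The hash function (64-bit FNV-1a), the prefix matching and the denylist entries are assumptions constructed for this example, not Fastjson's real values.

```python
# Added example: simplified model of a hashed prefix denylist.
# Assumptions: 64-bit FNV-1a as the hash; denylist entries are constructed
# for this demo and are NOT Fastjson's real denylist values.
FNV_OFFSET = 0xCBF29CE484222325
FNV_PRIME = 0x100000001B3
MASK64 = 0xFFFFFFFFFFFFFFFF


def fnv1a_64(text):
    """Hash a whole string with 64-bit FNV-1a."""
    h = FNV_OFFSET
    for ch in text:
        h = ((h ^ ord(ch)) * FNV_PRIME) & MASK64
    return h


def check_auto_type(class_name, deny_hashes):
    """Raise ValueError if any leading prefix of the class name is denied."""
    h = FNV_OFFSET
    # '$' is normalised so an inner class matches its outer package prefix.
    for ch in class_name.replace("$", "."):
        h = ((h ^ ord(ch)) * FNV_PRIME) & MASK64  # rolling hash of the prefix
        if h in deny_hashes:
            raise ValueError("autoType is not supported: " + class_name)
    return True


def is_accepted(class_name, deny_hashes):
    """Wrap the check so callers get a boolean instead of an exception."""
    try:
        return check_auto_type(class_name, deny_hashes)
    except ValueError:
        return False


TARGET = "com.caucho.config.types.ResourceRef"  # class named in the advisory
# Constructed list standing in for a denylist that predates this class.
BEFORE_FIX = {fnv1a_64(p) for p in ("org.example.gadget.", "com.example.unsafe.")}
# The same list once a (constructed) prefix covering the class is added.
AFTER_FIX = BEFORE_FIX | {fnv1a_64("com.caucho.")}

if __name__ == "__main__":
    for label, deny in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        verdict = "accepted" if is_accepted(TARGET, deny) else "rejected"
        print(f"{label}: {TARGET} -> {verdict}")
```

A denylist of this kind rejects only names it already knows, so a class from an unlisted package passes the check until a release adds a matching entry.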

After the checkAutoType check is passed, the local class library resource is obtained in the getClassLoader() method, and the class library where the target class is located is loaded from it.

Following the code further, clazz is assigned a value by calling the TypeUtils.loadClass() method, and clazz is finally returned.

We then enter the map.put() method, get the properties and methods of the incoming class through deserialization, and directly assign values to the properties through JavaBean.

Finally, the Jndi.lookup() method is called in the getValue() method. InitialContext is instantiated in the lookup() method, and its lookup() method is called for addressing, which loads the malicious file on the incoming link and executes the commands in the file on the server.

So far the exploit process is basically complete.


We build a Fastjson 1.2.66 + resin-4.0.63.jar vulnerable environment and pass specially crafted JSON data so that the target server loads malicious files from a remote host, thereby executing malicious code on the target host, as shown in the figure:


Affected Fastjson Versions:

Fastjson earlier than 1.2.67


March 18, 2020: A blacklist class was added in the patch released by Fastxml Jackson-databind.

March 21, 2020: Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.



Remediation Solution

1. The latest version Fastjson 1.2.67 released by Alibaba has fixed this vulnerability. Please download it with the link:

2. Disable autotype in Fastjson. If this function is not needed, delete the following code:


Sangfor Solution

For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cloud WAF has updated its database in the cloud immediately. Users are protected from this high risk easily and rapidly without performing any operation.

Sangfor Cyber Command is capable of detecting attacks exploiting this vulnerability and alerting users. Users can correlate Cyber Command with Sangfor NGAF to block the attacker's IP address.

Sangfor SOC makes sure that Sangfor security specialists are available 24/7 to you for any security issue. Sangfor security experts scan the customer's network environment in the first place to ensure that the customer's host is free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.
