fastjson remote code execution vulnerability technical analysis and protection solution-vulnerability warning-the black bar safety net

ID MYHACK58:62201784827
Type myhack58
Reporter 佚名
Modified 2017-03-31T00:00:00


On March 15, 2017, the fastjson project published a security bulletin stating that fastjson 1.2.24 and earlier versions contain a high-risk remote code execution vulnerability. An attacker can exploit it to remotely execute malicious code and compromise the server. The fastjson project recommends upgrading directly to 1.2.28/1.2.29 or a newer version to keep systems secure. Related links are as follows:

Article directory

What is fastjson
The affected version
Not the affected version
Vulnerability analysis
The official solution
Technology protection program
Product class
Service class
Summary
Statement
About nsfocus

What is fastjson

fastjson is a high-performance, fully functional JSON library written in Java. Thanks to its unique algorithm, fastjson parses extremely fast, surpassing all other JSON libraries, including jackson, once regarded as the fastest, and Google's binary protocol buf. fastjson is also one of the reference implementations listed by the official http://json.org site as fully supporting the standard. In addition, fastjson supports a variety of JDK types, including JavaBean, Map, Enum, generics and so on, and requires no additional jar: it runs directly on the JDK. fastjson supports JDK 5, JDK 6, Android, Alibaba Cloud phones and other environments.

The affected version

fastjson 1.2.24 and earlier (as stated in the bulletin above).

Not the affected version

fastjson > 1.2.24

Note: versions greater than 1.2.24 but less than 1.2.28, although transitional fastjson releases, are not affected by this vulnerability and therefore do not need to be upgraded.

Vulnerability analysis

Comparing the code of the old and new versions shows that the vulnerability lies in the DefaultJSONParser::parseObject function in com\alibaba\fastjson\parser\DefaultJSONParser.java, shown below:

[figure: DefaultJSONParser::parseObject in the affected version]

The figure shows that in 1.2.24, the affected version, the class name is loaded with the TypeUtils::loadClass method, located in com\alibaba\fastjson\util\TypeUtils.java, whose content is as follows:

[figure: TypeUtils::loadClass]

Code analysis shows that this method places no restriction on which class may be loaded; it loads the named class directly, which leads to unauthorized code execution. JSON.DEFAULT_TYPE_KEY is defined as follows:

[figure: definition of JSON.DEFAULT_TYPE_KEY]

The attack payload submitted in the body of a POST request contains a fragment in one of the following formats:

{... "@type":"classname" ...}
{... "@type":"[classname1,classname2,...]" ...}
{... "@type":"Lclassname;" ...}
{... '@type':"classname" ...}
{... '@type':"[classname1,classname2,...]" ...}
{... '@type':"Lclassname;" ...}

The classname part (shown in red in the original) is the class name an attacker can supply, which is where the location of the malicious, unauthorized code is inserted. In 1.2.25, the non-affected version, the associated class is loaded through config.checkAutoType; the code is located under com\alibaba\fastjson\parser\ in the method ParserConfig::checkAutoType, whose content is as follows:

[figure: ParserConfig::checkAutoType in 1.2.25]

This method shows that, regardless of whether the user has enabled the autoTypeSupport feature, a class name to be loaded must pass an additional layer of screening that checks whether it is on the accept list. Only a name that satisfies this restriction is loaded; otherwise the software throws an exception and the class is not executed. The class-name prefixes the system forbids loading are defined as follows:

bsh
com.mchange
com.sun.
java.lang.Thread
java.net.Socket
java.rmi
javax.xml
org.apache.bcel
org.apache.commons.beanutils
org.apache.commons.collections.Transformer
org.apache.commons.collections.functors
org.apache.commons.collections4.comparators
org.apache.commons.fileupload
org.apache.myfaces.context.servlet
org.apache.tomcat
org.apache.wicket.util
org.codehaus.groovy.runtime
org.hibernate
org.jboss
org.mozilla.javascript
org.python.core
org.springframework
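To make the screening step concrete, here is an added Python model of the check described above; it is not fastjson's code. It uses the 22 deny-list prefixes listed on this page, splits a "@type" value into the three forms shown earlier ("classname", "[classname1,classname2,...]" and "Lclassname;"), and refuses any name that starts with a denied prefix. The accept list, the autoTypeSupport flag and the order in which they are consulted are a simplified assumption here; the real ParserConfig::checkAutoType has further cases that are not modelled.

```python
# Deny-list prefixes exactly as listed on the page for fastjson 1.2.25.
DENY_PREFIXES = (
    "bsh",
    "com.mchange",
    "com.sun.",
    "java.lang.Thread",
    "java.net.Socket",
    "java.rmi",
    "javax.xml",
    "org.apache.bcel",
    "org.apache.commons.beanutils",
    "org.apache.commons.collections.Transformer",
    "org.apache.commons.collections.functors",
    "org.apache.commons.collections4.comparators",
    "org.apache.commons.fileupload",
    "org.apache.myfaces.context.servlet",
    "org.apache.tomcat",
    "org.apache.wicket.util",
    "org.codehaus.groovy.runtime",
    "org.hibernate",
    "org.jboss",
    "org.mozilla.javascript",
    "org.python.core",
    "org.springframework",
)


def expand_type_names(type_value):
    """Split a "@type" value into the individual class names it refers to.

    Handles the three forms the page lists: "classname",
    "[classname1,classname2,...]" and the JVM descriptor form "Lclassname;".
    """
    value = type_value.strip()
    if value.startswith("[") and value.endswith("]"):
        names = [n.strip() for n in value[1:-1].split(",") if n.strip()]
    else:
        names = [value]
    out = []
    for name in names:
        if name.startswith("L") and name.endswith(";"):
            name = name[1:-1]
        out.append(name)
    return out


def check_auto_type(type_value, accept_prefixes=(), auto_type_support=False):
    """Return True if loading every class named in type_value would be allowed.

    Simplified model (an assumption, not fastjson's exact logic): a name that
    matches an accept-list prefix is allowed; a name that matches a deny-list
    prefix is refused; anything else is allowed only when autoTypeSupport is
    enabled. In the affected 1.2.24 release none of this screening exists.
    """
    for name in expand_type_names(type_value):
        if any(name.startswith(p) for p in accept_prefixes):
            continue
        if any(name.startswith(p) for p in DENY_PREFIXES):
            return False
        if not auto_type_support:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample values; com.example.* names are placeholders.
    for value in ("com.example.model.User", "java.lang.Thread",
                  "Lorg.jboss.Foo;", "[com.example.A,com.sun.SomeClass]"):
        allowed = check_auto_type(value, accept_prefixes=("com.example.",))
        print(f"{value!r:45} -> {'load' if allowed else 'refuse'}")
```

With an empty accept list and autoTypeSupport off, every name is refused, which is the safe default; the denied prefixes are refused even when autoTypeSupport is on.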

The official solution

Alibaba's official repair recommendations are as follows:

Use Alibaba's official WAF for detection. The following rule can be used to detect whether the POST body contains these characters:

"@type"

Note: including the double quotes reduces false positives. The following command-line check detects whether the version currently in use is affected:

sudo -u admin lsof -X | grep fastjson | grep jar | grep -v sec01 | grep -v 1.2.24 | grep -v 1.2.25 | grep -v 1.2.26 | grep -v 1.2.27
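The WAF rule above is a substring match on the quoted key "@type". The following added Python example (not Alibaba's WAF rule or any code from the page) runs that check over a few constructed POST bodies and contrasts it with matching the bare token, to show why the page recommends keeping the quotes: the quoted form still catches the single-quote variant from the fragment list above, while the bare form also fires on free text that merely mentions @type.

```python
import re

# Quoted key form, covering both "@type" and '@type' from the page's fragment
# list, followed by optional whitespace and the colon that makes it a JSON key.
AUTOTYPE_KEY = re.compile(r"""["']@type["']\s*:""")
BARE_MARKER = "@type"


def flag_request_bodies(bodies, quoted_only=True):
    """Return the indices of POST bodies that carry a fastjson @type key.

    quoted_only=True applies the page's recommended rule (quotes included);
    quoted_only=False matches the bare token, which fires more often but also
    flags bodies that only mention @type in ordinary text.
    """
    hits = []
    for i, body in enumerate(bodies):
        if quoted_only:
            matched = AUTOTYPE_KEY.search(body) is not None
        else:
            matched = BARE_MARKER in body
        if matched:
            hits.append(i)
    return hits


# Constructed sample bodies, not captured traffic; com.example.* are placeholders.
SAMPLE_BODIES = [
    '{"name":"alice","age":30}',
    '{"@type":"java.lang.Thread","name":"x"}',
    "{'@type':\"Lcom.example.Foo;\"}",
    "comment=Why does the @type annotation matter?",
    '{"user":{"@type" : "[com.example.A,com.example.B]"}}',
]


if __name__ == "__main__":
    print("quoted rule :", flag_request_bodies(SAMPLE_BODIES))
    print("bare token  :", flag_request_bodies(SAMPLE_BODIES, quoted_only=False))
```

Body 3 is the false positive the note refers to: the bare token flags it, the quoted rule does not, while bodies 1, 2 and 4 (all genuine JSON keys, including the single-quoted and whitespace-padded forms) are flagged by both.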

Directly download the unaffected new version. Alibaba has issued a public notice recommending that affected users immediately upgrade to 1.2.28/1.2.29 or a higher version. Download address:

Note: the nsfocus security team recommends that users upgrade to version 1.2.29. The upgrade steps are as follows: first, back up the original fastjson dependency library so that it can be restored at any time if the upgrade fails, without affecting the business. Then replace the low-version fastjson library with the 1.2.29 version, as shown below:

[figure: replacing the fastjson library with 1.2.29]
