Description
Introduction to FasterXML Jackson
FasterXML Jackson is a data processing tool built for Java from an American company FasterXML. Jackson-databind is one of its components with data binding. The component can convert Java objects to json objects, as well as converting json to Java objects.
Vulnerability description
NVD released information about FasterXML Jackson-databind remote code execution vulnerability on March 2, 2020 with CVE number: CVE-2020-9548. The vulnerability is caused by JNDI injection, which leads to remote code execution. Jackson-databind version 2.0.0 - 2.9.10.3 lack the br.com.anteros.dbcp.AnterosDBCPConfig blacklist. Attackers can use flaws to bypass restrictions, perform JNDI injection, then execute arbitrary code on the infected host eventually.
Analysis
Taking Jackson-databind 2.10.1 + Anteros-DBCP-1.0.1 + metrics-healthchecks-3.0.2 as the vulnerability environment for analysis, Jackson-databind will perform internal initialization. After that, we will process the json data we passed in. The vulnerability mainly exists in the br.com.anteros.dbcp.AnterosDBCPConfig class in the Anteros-DBCP library Let's track the process of exploiting the vulnerability. When Jackson-databind receives a piece of json data, it will parse the Json data in the ReaderBasedJsonParser class and check the character one by one. As shown below:
i
We use double quotes to determine the start and end of the field name. The class obtained by parsing the json data will be instantiated in the call method, and the internal member variables will be initialized when the constructor is called.
We obtain the field names in the incoming json data, and assign values to internal attributes through deserialization.
We call methods in the class through reflection. When the getObjectOrPerformJndiLookup method in the br.com.anteros.dbcp.AnterosDBCPConfig class is executed , the victim host will access the malicious link passed by the attacker and load a malicious file, thereby triggering a remote code execution attack. It has been verified that both the metricRegistry and healthCheckRegistry attributes can be used to exploit the vulnerability.
Reproduction
We set up Jackson-databind 2.10.1 + Anteros-DBCP-1.0.1 + metrics-healthchecks-3.0.2 environment, pass in specially constructed json data, and let the target server load malicious files on the remote host to execute arbitrary code on the host. as shown in figure:
Impacts
Affected Versions:
Jackson-databind 2.0.0 - 2.9.10.3
Timeline
Mar 2, 2020 Sangfor FarSight Labs detected FasterXML Jackson-databind remote code execution vulnerability CVE-2020-9548.
Mar 4, 2020 Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.
Solution
Remediation Solution
The official has fixed this vulnerability. Please visit the following link to download the latest version:
https://github.com/FasterXML/jackson-databind/releases
Sangfor Solution
For Sangfor NGAF customers, keep NGAF security protection rules up to date.
Sangfor Cloud WAF has updated database immediately in the cloud. Users can be protected from high risk easily and rapidly without performing any operation.
Sangfor Cyber Command is capable of detecting attacks exploiting this vulnerability and alerting users. Users can correlate Cyber Command to Sangfor NGAF to block attacker IP address.
Sangfor SOC makes sure that Sangfor security specialists are available 24/7 to you for any security issue. Sangfor security experts scan the customer's network environment in the first place to ensure that the customer's host is free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.