Security for everyone

Fastjson 1.2.24 Remote Code Execution Vulnerability Scanner

Detects 'Remote Code Execution (RCE)' vulnerability in Fastjson version 1.2.24

Short Info

Level: Critical
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 sec
Scan only one: Domain, IPv4
Toolbox: -

Fastjson is a popular Java library for parsing and generating JSON data quickly and efficiently. It is widely used in Java applications for its performance and ease of use, which makes it an attractive choice for high-performance web services, applications that exchange data frequently, and systems that integrate with third-party services over JSON. However, specific versions of Fastjson, such as 1.2.24, are known to contain vulnerabilities that can compromise the security of applications using the library. This underlines the need for regular security assessments and timely updates of software dependencies.

The critical vulnerability in Fastjson 1.2.24 involves deserialization of untrusted data leading to remote code execution (RCE). This vulnerability allows attackers to execute arbitrary code remotely by crafting malicious JSON objects that exploit the library's deserialization process. The exploit occurs without requiring user interaction or authentication, making it particularly dangerous as it can lead to complete system compromise, data theft, or further network exploitation from a remote location. The severity of this vulnerability is highlighted by its CVSS score of 10, indicating the highest level of risk.

The vulnerability lies in Fastjson's handling of JSON objects that use the @type key to name the class an object should be deserialized into. By supplying a malicious class name and data source, an attacker can cause the application to load and execute arbitrary code from a remote location of the attacker's choosing. This is typically done with crafted JSON payloads that reference external resources over protocols such as RMI (Remote Method Invocation). Exploitation involves two main steps: crafting the malicious JSON payload and sending it to a vulnerable application endpoint, where Fastjson processes it and code execution occurs on the server.
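Because the attack hinges on an attacker-supplied @type key, one defensive check a practitioner can add in front of a legacy Fastjson endpoint is to decode the request body and reject any document that carries an @type key outside an explicit allow-list. The following is an added illustration written for this page, not code from Security for Everyone's scanner or from the Fastjson project; the allow-list name ALLOWED_TYPES, the function names, and the class name example.PlaceholderClass are assumptions chosen for the example. It walks nested objects and arrays, reports the JSON path of each finding, and handles the escape-sequence edge case: a key written as "\u0040type" does not contain the literal text @type, so a substring grep on the raw body misses it, whereas decoding first does not.

```python
import json
from typing import Any, Iterator

# Hypothetical allow-list of classes a given application legitimately accepts
# in @type. Empty by default, meaning no polymorphic type selection at all.
ALLOWED_TYPES: frozenset = frozenset()


def iter_type_keys(node: Any, path: str = "$") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, value) for every "@type" key anywhere in a decoded document."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "@type":
                yield child, value
            # Descend regardless: a nested object may carry its own @type.
            yield from iter_type_keys(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_type_keys(item, f"{path}[{index}]")


def inspect_body(raw: str, allowed: frozenset = ALLOWED_TYPES) -> dict:
    """Decide whether a request body may be passed on to the JSON layer.

    Returns a dict with a verdict ("accept" or "reject"), a reason, and the list
    of (json_path, value) pairs for @type keys that are not on the allow-list.
    Decoding happens before inspection so that escaped keys such as "\\u0040type"
    are seen for what they are.
    """
    try:
        document = json.loads(raw)
    except ValueError as exc:
        # Undecodable input is rejected rather than forwarded to a more lenient parser.
        return {"verdict": "reject", "reason": f"not valid JSON: {exc}", "findings": []}

    findings = [
        (path, value)
        for path, value in iter_type_keys(document)
        if not (isinstance(value, str) and value in allowed)
    ]
    if findings:
        return {
            "verdict": "reject",
            "reason": f"{len(findings)} @type key(s) outside the allow-list",
            "findings": findings,
        }
    return {"verdict": "accept", "reason": "no disallowed @type keys", "findings": []}


if __name__ == "__main__":
    # Constructed sample bodies for demonstration only.
    samples = {
        "plain object": '{"name": "alice", "roles": ["user"]}',
        "nested @type": '{"user": {"profile": {"@type": "example.PlaceholderClass", "x": 1}}}',
        "escaped key": '{"\\u0040type": "example.PlaceholderClass"}',
        "inside array": '[{"id": 1}, {"@type": "example.PlaceholderClass"}]',
        "broken JSON": '{"unterminated": ',
    }
    for label, body in samples.items():
        result = inspect_body(body)
        print(f"{label:>13}: {result['verdict']:6} {result['reason']} {result['findings']}")
```

This guard is a detection aid in front of an endpoint, not a substitute for upgrading Fastjson and keeping autotype disabled: Fastjson's own parser is more permissive than Python's json module, so a body that one parser rejects or reads differently may still be accepted by the other, and the allow-list has to be maintained alongside the application's real data model.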

Exploitation of this vulnerability can have severe consequences, including unauthorized access to system resources, disclosure of sensitive information, installation of malware, data manipulation or destruction, and lateral movement within the network. Because code execution is triggered remotely, the vulnerability poses a critical threat to affected systems and can lead to full compromise under the attacker's control. The impact is heightened by the widespread use of Fastjson in Java applications, which makes it an attractive target for attackers.

Security for Everyone offers a powerful platform to detect and mitigate vulnerabilities such as the Fastjson 1.2.24 RCE. By leveraging our sophisticated scanning tools, users can uncover hidden vulnerabilities within their digital assets, ensuring their systems are protected against known and emerging threats. Our platform provides detailed insights, actionable recommendations, and continuous monitoring, empowering users to strengthen their security posture effectively. Join us to gain the benefits of comprehensive vulnerability management, safeguard your assets, and maintain trust with your users.

 
