FastReports is vulnerable to arbitrary code execution because it compiles and runs C# code from a report template.
Issue: Compilation of user supplied expressions into a .NET assembly.
While dynamically transforming data into compiled .NET code could be acceptable if both the report template and the data from the data source are trusted, the advertised Online Designer demonstrates that this assumption does not hold true.
Any user may run arbitrary remote code on the server by creating a new expression or editing an existing one into, for example
Side Note: The forward slash ‘/’ is used instead of the back slash ‘\’ because the FastReports library fails to recognize a string literal if its last character is ‘\’.
After the user clicks Preview, the code is executed on the server.
Impact: Arbitrary code execution on the report template processing host.
Remediation: The allowed expressions should be restricted to an acceptable subset. The compiled code should be run in a sandboxed process.
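As an added illustration of the first remediation point (this is example code written for this advisory, not FastReports code and not the vendor's fix), the following C# validator accepts only a small expression subset before anything reaches the compiler: `[FieldName]` data references, string and numeric literals, arithmetic and comparison operators, and calls to functions on an explicit allowlist. Any other identifier, including qualified names such as `System.Something`, is rejected, so the check does not depend on enumerating dangerous types. The allowed function names, the bracketed field syntax and the sample expressions are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical allowlist validator for report expressions (added example, not FastReports code).
// Strategy: tokenize the expression and accept only a small grammar. Anything outside it,
// including any dotted or unknown identifier, is rejected before compilation.
public static class ExpressionAllowList
{
    // Functions and literal keywords a report author may use (assumed set for this example).
    static readonly HashSet<string> AllowedNames = new HashSet<string>(StringComparer.Ordinal)
    {
        "Sum", "Avg", "Min", "Max", "Count", "Round", "Abs", "IIf", "Format",
        "ToUpper", "ToLower", "Length", "true", "false"
    };

    public static bool IsAllowed(string expression, out string reason)
    {
        reason = null;
        int i = 0;
        while (i < expression.Length)
        {
            char c = expression[i];
            if (char.IsWhiteSpace(c)) { i++; continue; }

            // [FieldName] or [Table.Column]: a data source reference, not code.
            if (c == '[')
            {
                int close = expression.IndexOf(']', i);
                if (close < 0) { reason = "unterminated field reference"; return false; }
                string field = expression.Substring(i + 1, close - i - 1);
                if (!IsFieldName(field)) { reason = "invalid field reference: " + field; return false; }
                i = close + 1;
                continue;
            }

            // Plain string literal: skip over it, honouring backslash escapes.
            // Verbatim (@"...") and interpolated ($"...") strings never reach here because
            // '@' and '$' are rejected as unexpected characters below.
            if (c == '"')
            {
                int j = i + 1;
                while (j < expression.Length && expression[j] != '"')
                {
                    if (expression[j] == '\\') j++;
                    j++;
                }
                if (j >= expression.Length) { reason = "unterminated string literal"; return false; }
                i = j + 1;
                continue;
            }

            // Numeric literal (digits, optional decimal point, optional suffix such as 1.5m).
            if (char.IsDigit(c))
            {
                while (i < expression.Length && (char.IsLetterOrDigit(expression[i]) || expression[i] == '.')) i++;
                continue;
            }

            // Identifier: must be on the allowlist and must not start a dotted member access.
            if (char.IsLetter(c) || c == '_')
            {
                int start = i;
                while (i < expression.Length && (char.IsLetterOrDigit(expression[i]) || expression[i] == '_')) i++;
                string ident = expression.Substring(start, i - start);
                if (!AllowedNames.Contains(ident)) { reason = "identifier not in allowlist: " + ident; return false; }
                if (i < expression.Length && expression[i] == '.') { reason = "member access is not allowed"; return false; }
                continue;
            }

            // Operators and punctuation supported by the expression subset.
            if ("+-*/%()<>=!&|?:,".IndexOf(c) >= 0) { i++; continue; }

            reason = "unexpected character: " + c;
            return false;
        }
        return true;
    }

    static bool IsFieldName(string field)
    {
        if (field.Length == 0) return false;
        foreach (char ch in field)
            if (!(char.IsLetterOrDigit(ch) || ch == '_' || ch == '.' || ch == ' ')) return false;
        return true;
    }

    public static void Main()
    {
        // Constructed sample expressions: the first two should pass, the rest should be rejected.
        string[] samples =
        {
            "[Price] * [Quantity] * (1 + [TaxRate])",
            "IIf([Total] > 100, \"bulk\", \"single\")",
            "System.DateTime.Now.ToString()",      // qualified name: rejected at "System"
            "new Object()",                        // unknown identifier "new": rejected
            "$\"{[Name]}\"",                       // interpolated string: rejected at '$'
        };
        foreach (string s in samples)
        {
            bool ok = IsAllowed(s, out string why);
            Console.WriteLine((ok ? "ALLOW  " : "REJECT ") + s + (ok ? "" : "  (" + why + ")"));
        }
    }
}
```

The point of an allowlist over a filter for known-dangerous names is that every new way of reaching the runtime (reflection, interpolated strings, new namespaces) is rejected by default rather than needing to be anticipated. Even so, whatever subset is accepted still ends up as compiled code, so the second remediation point, running it in a sandboxed process, remains necessary.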
Coordinated Disclosure Timeline
- 24/08/2020: Report sent to Vendor
- 26/08/2020: Vendor acknowledges
- 28/08/2020: Vendor implements a filtering to remediate the issue
- 07/09/2020: Vendor publishes an announcement
- 29/10/2020: CVE-2020-27998 got assigned
- The fix - https://github.com/FastReports/FastReport/pull/206
- Vendor advisories:
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
You can contact the GHSL team at firstname.lastname@example.org; please include a reference to GHSL-2020-143 in any communication regarding this issue.