Coordinated Disclosure Timeline

Summary

Kykms is affected by a Deserialization of Untrusted Data vulnerability due to its use of an outdated version of the alibaba/fastjson library.

Project

mahonelau/-kykms

Tested Version

master branch as of October 8th 2024

Details

Deserialization of Untrusted Data (FastJSON) (GHSL-2024-296)

Kykms uses the alibaba/fastjson v1.2.75 library to parse user-supplied JSON messages taken from HTTP request parameters. This version of the library is prone to deserialization of untrusted data: its autoType feature lets a JSON document select the Java class to instantiate via an `@type` key, and multiple CVEs for bypasses of the library's class deny list have been reported over the last few years.

For example, the following controller accepts messages in JSON format and uses alibaba/fastjson to parse them:

https://github.com/mahonelau/-kykms/blob/07a0b9a748d636c0b7c5133c5d22bb4c008ffbd1/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/message/controller/SysMessageTemplateController.java#L157C32-L157C67

@PostMapping(value = "/sendMsg")
public Result<SysMessageTemplate> sendMessage(@RequestBody MsgParams msgParams) {
	Result<SysMessageTemplate> result = new Result<SysMessageTemplate>();
	Map<String, String> map = null;
	try {
		// testData is attacker-controlled JSON handed straight to fastjson's untyped parser
		map = (Map<String, String>) JSON.parse(msgParams.getTestData());

Note: there are also many other controllers affected by this issue, but the core problem is the same.

Link to the affected pom.xml: https://github.com/mahonelau/-kykms/blob/07a0b9a748d636c0b7c5133c5d22bb4c008ffbd1/jeecg-boot/pom.xml#L22
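The following is an added example, not code from the kykms project, that places the controller's untyped parse beside a hardened form. It assumes a fastjson 1.2.x artifact on the classpath (1.2.83 is the last 1.2.x release; fastjson2 is the maintained successor) and uses only fastjson's public API: global safeMode, available since 1.2.68, disables autoType outright, and parsing into an explicit target type keeps the result to plain String-to-String pairs. The class name FastjsonDemo and both JSON inputs are constructed for the demonstration.

```java
// Added example, not part of the kykms code base. Requires com.alibaba:fastjson 1.2.68+.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.TypeReference;
import com.alibaba.fastjson.parser.ParserConfig;

import java.util.Map;

public class FastjsonDemo {

    // Vulnerable: the raw, untyped parse as used in SysMessageTemplateController.
    // fastjson honours an "@type" key and tries to instantiate the named class (autoType);
    // whether a given class is accepted depends on the library version's allow/deny lists,
    // which is exactly what the reported fastjson CVEs bypass.
    @SuppressWarnings("unchecked")
    static Map<String, String> parseVulnerable(String testData) {
        return (Map<String, String>) JSON.parse(testData);
    }

    // Hardened: safeMode switches autoType off for the whole JVM, so any "@type" key is
    // rejected with a JSONException instead of being resolved to a class, and the explicit
    // target type means the caller never relies on an unchecked cast.
    static Map<String, String> parseHardened(String testData) {
        ParserConfig.getGlobalInstance().setSafeMode(true);
        return JSON.parseObject(testData, new TypeReference<Map<String, String>>() {});
    }

    public static void main(String[] args) {
        // Constructed inputs. The probe only carries an "@type" key to show that autoType
        // is consulted on the untyped path; it is not an exploit payload.
        String benign = "{\"name\":\"alice\",\"code\":\"1234\"}";
        String probe  = "{\"@type\":\"java.lang.Thread\",\"name\":\"x\"}";

        System.out.println("hardened, benign input: " + parseHardened(benign));

        try {
            parseHardened(probe);
            System.out.println("unexpected: @type accepted");
        } catch (JSONException e) {
            // safeMode rejects the @type key before any class lookup happens
            System.out.println("hardened, probe rejected: " + e.getMessage());
        }
    }
}
```

Enabling safeMode globally is the right default for an application like this one that never legitimately needs polymorphic deserialization; pair it with a dependency upgrade (1.2.83 or fastjson2) so the fix does not rest on a single runtime flag.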

Impact

This issue may lead to Remote Code Execution in the worst case. To exploit this vulnerability, an attacker needs to identify a class that performs a sensitive operation in its setter, such as overwriting a file or executing arbitrary code. A combination of different classes can also be used, known as a gadget chain. Although we cannot provide a specific gadget chain at the time of reporting, we still consider the risk substantial, as Kykms imports many libraries with classes that can be abused.

References

Credit

This issue was discovered and reported by GHSL team member @artsploit (Michael Stepankin).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-296 in any communication regarding this issue.