Struts2 It is known as the king of loopholes in the industry ,Fastjson Not to be outdone recently , A lot of loopholes have been exposed in succession , I'm so scared that old programmers like me don't dare to use it ! Fighting for strength ,F
astjson not pass on to others what one is called upon to do !

0x00 Vulnerability background

2019 year 9 month 5 day ,fastjson stay commit
995845170527221ca0293cf290e33a7d6cb52bf7 Was submitted to fix when the string contains \x May be raised when escaping a character OOM Fix the problem of .

360CERT Judge whether the vulnerability is in danger . The influence area is large . An attacker can cause the current thread to crash by sending a constructed request , When too many malicious requests are sent, the business may be paralyzed directly .

It is suggested that the majority of users should pay attention to their own business / Self inspection of product components , confirm fastjson Version upgrade to at least 1.2.60

0x01 Vulnerability details

The key point of vulnerability lies in in , When the json String ,fastjson Get by bit json character string , When the string is recognized as \x At the beginning of , The last two characters are retrieved by default , And the last two characters are compared with \x Concatenation converts it into a complete hexadecimal character :

And when json The string is based on \x At the end , because fastjson It was not verified , Will cause it to continue trying to get the last two characters . That is to say, it will be obtained directly \u001A that is EOF:

When fastjson When parsing backward again , It will be repeatedly obtained EOF, And write it to memory , Until it triggers oom error :

The final effect is :

0x02 Impact version

fastjson < 1.2.60 edition

0x03 Repair suggestions

1.1.15~1.1.31 Version updated to 1.1.31.sec07 edition

1.1.32~1.1.33 Version updated to 1.1.33.sec06 edition

1.1.34 Version updated to 1.1.34.sec06 edition

1.1.35~1.1.46 Version updated to 1.1.46.sec06 edition

1.2.3~1.2.7 Version updated to 1.2.7.sec06 Version or 1.2.8.sec04 edition

1.2.8 Version updated to 1.2.8.sec06 edition

1.2.9~1.2.29 Version updated to 1.2.29.sec06 edition

0x04 Timeline

2019-09-03 fastjson Submit patch commit

2019-09-05 360CERT Issue early warning

2019-09-07  Weekend overtime upgrade !

PS:jackson Several versions have been recently released to fix vulnerabilities .

©2019-2020 Toolsou All rights reserved,
Final review of database : Summary of comprehensive application questions Laplance operator ( Second derivative ) Simple learning of computer composition principle pyqt Button call python program _PyQt: Link button to function in program How much can you go up once you change jobs ? Today, I saw the ceiling of job hopping python in str Function usage _python in str Usage Summary of built-in functions MySQL trigger web The server nginx---linux Installation and deployment C++ Chapter V polymorphism exercises :( It's coming to an end )python Check built-in functions , How to check python Built in function