Impact
The SOFARPC framework is exposed to a Remote Command Execution (RCE) vulnerability. Through a carefully
crafted payload, an attacker can achieve JNDI injection or system command execution.
In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes
encountered during deserialization. However, the blacklist is not comprehensive, and we will
demonstrate that certain native JDK classes and common third-party packages (e.g., fastjson and
jackson, which are also dependencies of the SOFARPC framework) can be combined into gadget chains capable of
achieving JNDI injection or system command execution.
Patches
This issue is fixed by adding entries to the blacklist; users can upgrade to sofarpc version 5.11.0 to avoid it.
Workarounds
SOFARPC also provides a way to add extra blacklist entries. Users can add the JVM system property
-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat
to avoid this issue.
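As an added example (not code from the advisory or from the SOFARPC project), a small Python audit that classifies a deployment against the two remediations above: it reads the sofa-rpc dependency version from a pom.xml and checks the JVM options for the override property. It assumes the property value is a comma-separated list of class names, which the advisory does not state, and the sample pom and JVM arguments are constructed.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (5, 11, 0)  # the advisory: upgrading to sofarpc 5.11.0 fixes the issue
OVERRIDE_PROPERTY = "rpc_serialize_blacklist_override"
WORKAROUND_CLASS = "javax.sound.sampled.AudioFileFormat"

def parse_version(text):
    """'5.10.1' -> (5, 10, 1); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())

def sofarpc_versions_from_pom(pom_xml):
    """Versions declared for artifacts whose artifactId starts with 'sofa-rpc' (namespace-agnostic)."""
    found = {}
    for dep in ET.fromstring(pom_xml).iter():
        if dep.tag.split("}")[-1] != "dependency":
            continue
        fields = {child.tag.split("}")[-1]: (child.text or "").strip() for child in dep}
        if fields.get("artifactId", "").startswith("sofa-rpc") and "version" in fields:
            found[fields["artifactId"]] = fields["version"]
    return found

def override_covers_workaround(jvm_args):
    """True if -Drpc_serialize_blacklist_override=... is set and names the class from the advisory.
    Assumption (not stated in the advisory): the value is a comma-separated list of class names."""
    for arg in jvm_args:
        if arg.startswith(f"-D{OVERRIDE_PROPERTY}="):
            classes = [c.strip() for c in arg.split("=", 1)[1].split(",")]
            return WORKAROUND_CLASS in classes
    return False

def assess(pom_xml, jvm_args):
    """Classify a deployment as 'patched', 'workaround', 'vulnerable' or 'no-sofarpc'."""
    versions = sofarpc_versions_from_pom(pom_xml)
    if not versions:
        return "no-sofarpc"
    if all(parse_version(v) >= FIXED_VERSION for v in versions.values()):
        return "patched"
    return "workaround" if override_covers_workaround(jvm_args) else "vulnerable"

# Constructed sample inputs (not taken from the advisory): an older sofa-rpc-all and the workaround flag set.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies><dependency>
<groupId>com.alipay.sofa</groupId><artifactId>sofa-rpc-all</artifactId><version>5.10.0</version>
</dependency></dependencies></project>"""
SAMPLE_ARGS = ["-Xmx512m", f"-D{OVERRIDE_PROPERTY}={WORKAROUND_CLASS}", "-jar", "app.jar"]

print(assess(SAMPLE_POM, SAMPLE_ARGS))  # → workaround
```

A version written as a Maven property such as `${sofa.rpc.version}` raises ValueError in parse_version; resolve it from the effective pom first.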
Credits
Bofei Chen, Xinyou Huang, and Lei Zhang@secsys from Fudan.