Jackson-Databind - A Story of Blacklisting Java Deserialization Gadgets
Jackson is a popular library for parsing JSON documents in Java. Jackson-Databind is a module of the Jackson library that allows automatic transformation from JSON to Java objects and vice versa. In June 2017, an unsafe deserialization vulnerability was discovered in the Jackson-Databind module (CVE-2017-7525) and was patched by creating a blacklist that doesn’t accept certein dangerous Java classes. The Jackson-Databind module developers created a function named checkIllegalTypes and the only class that was blacklisted was TemplatesImpl which is part of the com.sun.org.apache.xalan package. Figure 1: The checkIllegalTypes function as it was first written in the BeanDeserializerFactory.java file An hour passed, and the blacklist was updated to contain more dangerous classes. Figure 2: More dangerous classes were added to the blacklist. In December 2017 CVE-2017-17485 was allocated for this exact same vulnerability because it was found that the blacklist didn’t contain dangerous classes from the Spring framework. After a while another bypass on the blacklist is discovered, now being tracked as CVE-2017-15095. This is probably not the last change being made on this blacklist because new dangerous classes and gadget chains (Several classes that when combined may lead to Remote Code Execution) are discovered from time to time by security researchers. Mitigation with ASM The Jackson-Databind developers are in a rush after new dangerous Java classes that may lead to remote code execution once deserialized and we keep on updating ASM with those Java deserialization gadgets. As opposed to the Jackson-Databind developers we have additional mitigation layers to rely on, such as Java Server Side Code Injection signatures that detects operating system command execution attempts, for examplebyusing Java's Runtime and ProcessBuilder classes (Signature ids 200003437,200003438,200003439, 200004174) and specific operating system command execution signatures. Today, a new ASM security update was released to cover additional Java deserialization gadgets discovered recently: org.apache.tomcat.dbcp.dbcp2.BasicDataSource com.sun.org.apache.bcel.internal.util.ClassLoader org.hibernate.jmx.StatisticsService org.apache.ibatis.datasource.jndi.JndiDataSourceFactory org.springframework.context.support.FileSystemXmlApplicationContextJackson-Databind Unsafe Unserialization Remote Code Execution (CVE-2017-7525, CVE-2017-15095)
Recently a new vulnerability in Jackson, a popular Java library used for parsing JSON, was published and assignedCVE-2017-7525and later extended with CVE-2017-15095. The Jackson-databind package allows programmers to construct Java objects out of JSON documents, and as we have seen in other cases when unserializing untrusted user input and constructing an object out of it may lead to serious consequences like remote code execution. The Jackson-databind package developers mitigated the vulnerability by creating and maintaining a blacklist of class names that may allow attackers to achieve remote code execution. For every JSON being unserialized by Jackson-databind the constructed object class name is being checked against this list. Figure 1:Blacklisted classes as seen in the Jackson-databind source code. Figure 2:Each JSON that is being unserialized is checked against the blacklisted classes. The Jackson liberary is also being used in the Apache Struts 2 framework and therefore a security bulletin regarding this vulnerability was published (S2-055). Mitigating the vulnerability with BIG-IP ASM ASM users are encouraged to add the following user defined attack signatures to detect exploitation attempts for this vulnerability: content:"JndiRefForwardingDataSource"; nocase; re2:"/com\W*?[\.\/]\W*?mchange\W*?[\.\/]\W*?v2\W*?[\.\/]\W*?c3p0\W*?[\.\/]\W*?JndiRefForwardingDataSource/i"; content:"WrapperConnectionPoolDataSource"; nocase; re2:"/com\W*?[\.\/]\W*?mchange\W*?[\.\/]\W*?v2\W*?[\.\/]\W*?c3p0\W*?[\.\/]\W*?WrapperConnectionPoolDataSource/i content:"InvokerTransformer"; nocase; re2:"/org\W*?[\.\/]\W*?apache\W*?[\.\/]\W*?commons\W*?[\.\/]\W*?collections4?\W*?[\.\/]\W*?functors\W*?[\.\/]\W*?InvokerTransformer/i"; content:"AbstractBeanFactoryPointcutAdvisor"; nocase; re2:"/org\W*?[\.\/]\W*?springframework\W*?[\.\/]\W*?aop\W*?[\.\/]\W*?support\W*?[\.\/]\W*?AbstractBeanFactoryPointcutAdvisor/i"; content:"InstantiateTransformer"; nocase; re2:"/org\W*?[\.\/]\W*?apache\W*?[\.\/]\W*?commons\W*?[\.\/]\W*?collections4?\W*?[\.\/]\W*?functors\W*?[\.\/]\W*?InstantiateTransformer/i"; content:"ConvertedClosure"; nocase; re2:"/org[\.\/]codehaus[\.\/]groovy[\.\/]runtime[\.\/]ConvertedClosure/i"; content:"MethodClosure"; nocase; re2:"/org\W*?[\.\/]\W*?codehaus\W*?[\.\/]\W*?groovy\W*?[\.\/]\W*?runtime\W*?[\.\/]\W*?MethodClosure/i"; content:"ObjectFactory"; nocase; re2:"/org\W*?[\.\/]\W*?springframework\W*?[\.\/]\W*?beans\W*?[\.\/]\W*?factory\W*?[\.\/]\W*?ObjectFactory/i"; content:"TemplatesImpl"; nocase; re2:"/com\W*?[\.\/]\W*?sun\W*?[\.\/]\W*?org\W*?[\.\/]\W*?apache\W*?[\.\/]\W*?xalan\W*?[\.\/]\W*?internal\W*?[\.\/]\W*?xsltc\W*?[\.\/]\W*?trax\W*?[\.\/]\W*?TemplatesImpl/i"; content:"TemplatesImpl"; nocase; re2:"/org\W*?[\.\/]\W*?apache\W*?[\.\/]\W*?xalan\W*?[\.\/]\W*?xsltc\W*?[\.\/]\W*?trax\W*?[\.\/]\W*?TemplatesImpl/i"; content:"JdbcRowSetImpl"; nocase; re2:"/com\W*?[\.\/]\W*?sun\W*?[\.\/]\W*?rowset\W*?[\.\/]\W*?JdbcRowSetImpl/i"; content:"FileHandler"; nocase; re2:"/java\W*?[\.\/]\W*?util\W*?[\.\/]\W*?logging\W*?[\.\/]\W*?FileHandler/i"; content:"UnicastRemoteObject"; nocase; re2:"/java\W*?[\.\/]\W*?rmi\W*?[\.\/]\W*?server\W*?[\.\/]\W*?UnicastRemoteObject/i"; content:"PropertyPathFactoryBean"; nocase; re2:"/org\W*?[\.\/]\W*?springframework\W*?[\.\/]\W*?beans\W*?[\.\/]\W*?factory\W*?[\.\/]\W*?config.PropertyPathFactoryBean/i"; These signatures are due to be included in the next ASU, being released early January.
