Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution.
Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called "AutoType." It was patched by the project maintainers in

Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular **Fastjson library** that could be potentially exploited to achieve remote code execution.

Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called "AutoType." It was patched by the project maintainers in version 1.2.83 released on May 23, 2022.

"This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize," JFrog's Uriya Yavnieli said in a write-up.

Fastjson is a Java library that's used to convert Java Objects into their JSON representation and vice versa. AutoType, the function vulnerable to the flaw, is enabled by default and is designed to specify a custom type when parsing a JSON input that can then be deserialized into an object of the appropriate class.

"However, if the deserialized JSON is user-controlled, parsing it with AutoType enabled can lead to a deserialization security issue, since the attacker can instantiate any class that's available on the Classpath, and feed its constructor with arbitrary arguments," Yavnieli explained.

While the project owners previously introduced a safeMode that disables AutoType and started maintaining a blocklist of classes to defend against deserialization flaws, the newly discovered flaw gets around the latter of these restrictions to result in remote code execution.

Users of Fastjson are recommended to update to version 1.2.83 or enable safeMode, which turns off the function regardless of the allowlist and blocklist used, effectively closing variants of the deserialization attack.

"Although a public PoC exploit exists and the potential impact is very high (remote code execution) the conditions for the attack are not trivial (passing untrusted input to specific vulnerable APIs) and most importantly — target-specific research is required to find a suitable gadget class to exploit," Yavnieli said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

High-Severity RCE Vulnerability Reported in Popular Fastjson Library

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

CVE-2022-31626: mysqlnd/pdo password buffer overflow leading to RCE

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.

Sec Bug #81720

Uninitialized array in pg\_query\_params() leading to RCE

Submitted:

2022-05-16 14:50 UTC

Modified:

2022-06-06 07:13 UTC

From:

c dot fol at ambionics dot io

Assigned:

stas (profile)

Status:

Closed

Package:

PostgreSQL related

PHP Version:

8.1.6

OS:

Private report:

No

CVE-ID:

2022-31625

 **\[2022-05-16 14:50 UTC\] c dot fol at ambionics dot io**

Description:
------------
Hello PHP team,

in PHP\_FUNCTION(pg\_query\_params), the array meant to store the char\* representation of the query parameters is allocated on the heap, but not cleared:

\`\`\`
params = (char \*\*)safe\_emalloc(sizeof(char \*), num\_params, 0);
\`\`\`

If a conversion error happens (for instance, one of the params is an object), \`\_php\_pgsql\_free\_params()\` gets called \*on the whole array\*. Since the array is not initialized, a lingering value from a previous request can get freed, leading in the end to remote code execution.

To patch, use calloc or memset-0 it.

There are other functions where you use basically the same code (if cannot convert to string, then free all params) so it might be worth a look.

Patch: 

\`\`\`
- \_php\_pgsql\_free\_params(params, num\_params);
+ \_php\_pgsql\_free\_params(params, i);
\`\`\`

Best regards,
Charles Fol
ambionics.io


Test script:
---------------
<?php

$strings = \[\];

function uenc($v)
{
    $out = '';
    for($i=0; $i<strlen($v);$i++)
    {
        $out .= '\\u' . '00' . str\_pad(dechex(ord($v\[$i\])), 2, '0', STR\_PAD\_LEFT);
    }
    return '"' . $out . '"';
}

$json = 
    '{"a": 1, "args":\[
        "A","A","A",
        {}
    \]}'
;
$c = pg\_connect('host=172.17.0.3 user=postgres password=password');

$data = json\_decode($json);

$resultXXX = pg\_query\_params($c, 'SELECT \* FROM test WHERE x NOT IN ($1)', $data->args);
// var\_dump(pg\_fetch\_all($resultXXX));

Expected result:
----------------
No crash.

Actual result:
--------------
Crash.

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2022-05-17 09:45 UTC\] cmb@php.net**

\-Status: Open +Status: Verified \-Assigned To: +Assigned To: cmb

 **\[2022-05-17 09:45 UTC\] cmb@php.net**

Thanks for reporting!  I can confirm the issue.  I'll have a
closer look.

 **\[2022-05-17 11:17 UTC\] c dot fol at ambionics dot io**

Cool !

I'm wondering if you also got the previous bug, #81719, related to PDO. I didn't receive a confirmation email.

 **\[2022-05-17 11:35 UTC\] cmb@php.net**

\-Assigned To: cmb +Assigned To: stas

 **\[2022-05-17 11:35 UTC\] cmb@php.net**

Proposed patch:
<https://gist.github.com/cmb69/b2b5ab0cb54a5683fe3aff4c7c09f7c2\>.

While fixing this issue, I noticed that pg\_send\_execute() tries to
convert the $params elements to string, but checks the wrong
variable (\`tmp\` instead of \`tmp\_str\`), what may cause a segfault.
The patch also fixes this.

As to whether this is actually a security issue: any potential
exploit requires the script to pass values which are not coercible
to string to the $params parameter of \`pg\_query\_params()\` or
\`pg\_send\_execute()\`.  That might be regarded as sloppy userland
programming, so I'm not sure if we classify this as security
issue.  On the other hand, the documentation is not explicit about
this conversion to string requirement (although the placeholders
hint at it).

Stas, what do you think?

> I'm wondering if you also got the previous bug, #81719, related
> to PDO.

I'll have a look at that right away.

 **\[2022-05-25 21:36 UTC\] stas@php.net**

\-CVE-ID: needed +CVE-ID: 2022-31625

 **\[2022-06-06 07:13 UTC\] git@php.net**

\-Status: Verified +Status: Closed

CVE-2022-31625: Uninitialized array in pg_query_params() leading to RCE

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability.

CVE-2022-22021

Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30158.

CVE-2022-30157

Windows Hyper-V Remote Code Execution Vulnerability.

CVE-2022-30163

Windows Encrypting File System (EFS) Remote Code Execution Vulnerability.

CVE-2022-30145

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30139, CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153.

CVE-2022-30161

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30139, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161.

CVE-2022-30141

Windows Network File System Remote Code Execution Vulnerability.

Tag

#rce