Nutz Framework NutzBoot Unauthenticated Java Deserialization Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability exists in NutzBoot versions up to 2.6.0-SNAPSHOT within the LiteRPC module. The issue lies in the HttpServletRpcEndpoint class, specifically in its getInputStream function, which deserializes attacker-controlled request data without restriction. The vulnerability is exploitable remotely and requires no authentication.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where NutzBoot is running.

Reproduction

To reproduce this vulnerability, first retrieve the list of registered RPC methods from the Loach service. This can be done by sending a request to the '/loach/v1/list' endpoint. Once valid RPC method signatures are obtained, generate a malicious Java serialization payload using a tool like 'ysoserial', targeting a gadget chain that leads to code execution. Finally, send the payload to the '/literpc/endpoint' with the appropriate headers to trigger the deserialization and execute the payload on the server.

Remediation

It is recommended to disable or remove the JDK serializer for LiteRPC HTTP transport and use a safer format. If Java serialization must be kept, enforce a strict allowlist of the classes that may be deserialized (for example with a JDK serialization filter). Additionally, require authentication for the vulnerable endpoint, and protect or restrict the Loach service-list APIs, since they expose the RPC method signatures needed to build a valid request.
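The allowlist recommendation above, shown as an added example (this is not NutzBoot or LiteRPC code). It uses the JDK's built-in ObjectInputFilter (Java 9+, JEP 290) so that a request body is only deserialized if every class in the stream is on an explicit allowlist; the RpcRequest type, the decode/serialize helpers and the sample bodies are constructed for this demonstration and are not the project's own classes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example, not NutzBoot/LiteRPC code: decode an RPC request body only if every
// class in the stream is on an explicit allowlist, using the JDK's ObjectInputFilter (Java 9+).
public final class FilteredRpcDecoder {

    // Hypothetical request type for the demo; the real LiteRPC request class is not used here.
    public static final class RpcRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String method;
        public final String[] args;

        public RpcRequest(String method, String[] args) {
            this.method = method;
            this.args = args;
        }
    }

    // Allowlist: our request class and java.lang.String (array classes are checked by their
    // component type, so String[] is covered). The trailing "!*" rejects every other class,
    // which is what stops gadget chains: the class is refused before its readObject ever runs.
    // maxdepth/maxarray cap nesting depth and array length against resource-exhaustion payloads.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1000;"
            + RpcRequest.class.getName() + ";"
            + "java.lang.String;"
            + "!*");

    public static RpcRequest decode(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            // Must be set before the first readObject(); rejected classes raise InvalidClassException.
            in.setObjectInputFilter(ALLOWLIST);
            return (RpcRequest) in.readObject();
        }
    }

    // Builds constructed sample bodies for the demonstration in main().
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] argv) throws Exception {
        // A legitimate request passes the filter.
        RpcRequest ok = decode(serialize(new RpcRequest("echo", new String[] {"hi"})));
        System.out.println("accepted: " + ok.method);

        // A body whose root object is any class outside the allowlist (HashMap here, standing
        // in for an arbitrary class) is rejected with "filter status: REJECTED".
        try {
            decode(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points matter when applying this. First, the terminal `!*` is not optional: without it, classes that match no pattern are left UNDECIDED, and a stream with no other filter then accepts them, so the "allowlist" silently becomes a no-op. Second, the same pattern string can be applied process-wide through the `jdk.serialFilter` system property when changing the endpoint code is not practical. The filter only narrows what the JDK serializer will accept; the other recommendations (authentication on the endpoint, restricting the Loach list APIs, and ultimately replacing Java serialization in the transport) still apply.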

Added: Dec 1, 2025, 4:18 AM
Updated: Dec 1, 2025, 4:18 AM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          7.5
exploitability  8.7
remediation     0.0
relevance       1.3
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.