WukongCRM Fastjson Deserialization Vulnerability Allowing Remote Code Execution

Vulnerability

A fastjson deserialization vulnerability has been identified in WukongCRM version 9.0-JAVA, in the OaExamineController class behind the /OaExamine/setOaExamine interface. The endpoint hands the raw request body straight to an unsafe version of fastjson for deserialization. In the default configuration this can be abused for denial of service; when autoTypeSupport is enabled and certain dependencies are present on the classpath, it can be escalated to remote code execution.

Impact

Exploitation of this vulnerability leads to denial of service in the default configuration and, when the conditions above are met, to remote code execution on the server where WukongCRM is running.

Reproduction

To reproduce this vulnerability, send a request to the /OaExamine/setOaExamine endpoint whose body is a JSON document describing an object. By default the application passes that body to fastjson unchanged, and deserializing it is enough to create a denial-of-service condition. Remote code execution additionally requires a payload that uses fastjson's class-selection key (@type, honoured only when autoTypeSupport is enabled) to instantiate specific classes that perform a JNDI lookup, through which arbitrary code is loaded and executed.
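The payload shape described above can be triaged from request logs without touching the application. The following is an added example, not code from this page or from the WukongCRM project: a small Python checker that parses each JSON body sent to the affected endpoint and reports every fastjson @type marker, at any nesting depth. The endpoint path is taken from the advisory; the sample requests and the class names inside them are constructed for the demonstration and are not real traffic or known gadgets.

```python
import json

# Constructed sample requests for the demo (not captured traffic):
# (method, path, raw body as received by the server)
SAMPLE_REQUESTS = [
    ("POST", "/OaExamine/setOaExamine", '{"title":"leave request","content":"2 days"}'),
    ("POST", "/OaExamine/setOaExamine", '{"title":"x","extra":{"@type":"com.example.Gadget","v":1}}'),
    ("POST", "/OaExamine/setOaExamine", '{"items":[{"@type":"com.example.Other"}]}'),
    # fastjson decodes JSON string escapes before it looks at key names, so a
    # naive substring match on "@type" misses this one; parsing first does not.
    ("POST", "/OaExamine/setOaExamine", '{"\\u0040type":"com.example.Gadget"}'),
    ("POST", "/other/endpoint", '{"@type":"com.example.Gadget"}'),
    ("POST", "/OaExamine/setOaExamine", "this is not json"),
]

# Endpoint named in the advisory; extend for other fastjson-backed routes.
WATCHED_PATHS = frozenset({"/OaExamine/setOaExamine"})
AUTOTYPE_KEY = "@type"  # fastjson's default type key (JSON.DEFAULT_TYPE_KEY)


def find_autotype_markers(node, path=""):
    """Walk a decoded JSON document and yield (json_path, class_name) for
    every "@type" key, at any nesting depth, inside objects or arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == AUTOTYPE_KEY:
                yield child, value
            else:
                yield from find_autotype_markers(value, child)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from find_autotype_markers(value, f"{path}[{idx}]")


def classify_request(method, path, body, watched_paths=WATCHED_PATHS):
    """Return a verdict dict for one request.

    verdict is one of:
      "ignore"            path is not one we watch
      "malformed"         body is not valid JSON (fastjson is more lenient than
                          json.loads, so log these rather than dropping them)
      "autotype_attempt"  body carries at least one @type key
      "clean"             well-formed JSON without any @type key
    """
    if path not in watched_paths:
        return {"verdict": "ignore", "markers": []}
    try:
        doc = json.loads(body)
    except ValueError:
        return {"verdict": "malformed", "markers": []}
    markers = list(find_autotype_markers(doc))
    if markers:
        return {"verdict": "autotype_attempt", "markers": markers}
    return {"verdict": "clean", "markers": []}


def scan(requests=SAMPLE_REQUESTS):
    """Classify every request; returns a list of (path, verdict, markers)."""
    results = []
    for method, path, body in requests:
        r = classify_request(method, path, body)
        results.append((path, r["verdict"], r["markers"]))
    return results


if __name__ == "__main__":
    for path, verdict, markers in scan():
        print(f"{path:28s} {verdict:17s} {markers}")
```

Two caveats for anyone wiring this into a WAF or SIEM rule. First, it flags the presence of the @type marker, not exploitability: whether a given class name actually leads to a JNDI lookup depends on the fastjson version, the autoTypeSupport setting and the classpath, which this script cannot see. Second, fastjson accepts some input that strict JSON parsers reject, so bodies reported as "malformed" against the affected endpoint deserve a look rather than being discarded.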

Added: Oct 8, 2025, 2:20 PM
Updated: Oct 8, 2025, 8:09 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.6
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.