SMSGate SMS Core Insecure Deserialization Vulnerability in CMPP 7F Protocol Allowing Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in SMSGate sms-core versions through 2.1.13.6, specifically within the CMPP 7F protocol. The issue arises in the 'Cmpp7FDeliverRequestMessageCodec.java' component, where the 'attachment' field is deserialized without proper validation. This flaw enables attackers to craft malicious serialized data that, when processed by the server, executes arbitrary code.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where SMSGate is running.

Reproduction

To reproduce this vulnerability, first, upload the crafted 'CalcPayload' class, which is designed to exploit the deserialization flaw by executing a command after being deserialized. Once the payload is prepared, connect to the server's SMSGate CMPP 7F endpoint on port 7890. After establishing a connection and authenticating with a valid SP account, send a CMPP Deliver Request message that includes the malicious payload in the attachment field. The server will deserialize the payload, triggering the execution of the specified command, such as opening the calculator application on Windows.

Remediation

Users can address this vulnerability by updating to a version of SMSGate that is not affected, or by implementing one of the recommended solutions: whitelisting allowed classes in the FST serialization configuration; replacing FST serialization with JSON serialization using a library like Jackson; removing the attachment functionality from the CMPP 7F message codec; or upgrading to a safer CMPP protocol version.
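A sketch of the JSON option from the list above, added here as an example and not taken from sms-core: the attachment is carried as a flat JSON object of strings and decoded into a fixed type, so the received bytes cannot select a class to instantiate. The class name `AttachmentJson`, the `MAX_BYTES` limit and the sample values are assumptions; it requires jackson-databind on the classpath.

```java
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper (not sms-core code): carries the Deliver "attachment"
// as a flat JSON object of strings instead of a serialized object graph.
public final class AttachmentJson {
    private static final int MAX_BYTES = 4096; // assumed limit, tune to real usage
    private static final TypeReference<Map<String, String>> FLAT =
            new TypeReference<Map<String, String>>() {};
    // Default typing is never enabled, so the bytes on the wire cannot choose
    // which Java class is instantiated; the target type is fixed in code.
    private static final ObjectMapper MAPPER = new ObjectMapper()
            .enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);

    private AttachmentJson() {}

    public static byte[] encode(Map<String, String> attachment) throws IOException {
        byte[] out = MAPPER.writeValueAsBytes(attachment);
        if (out.length > MAX_BYTES) throw new IOException("attachment too large");
        return out;
    }

    public static Map<String, String> decode(byte[] wire) throws IOException {
        if (wire == null || wire.length == 0) return Collections.emptyMap();
        if (wire.length > MAX_BYTES) throw new IOException("attachment too large");
        // Nested objects or arrays as values fail with a mapping exception.
        return MAPPER.readValue(wire, FLAT);
    }

    public static void main(String[] args) throws IOException {
        Map<String, String> sample = new LinkedHashMap<>(); // constructed sample
        sample.put("traceId", "demo-0001");
        System.out.println(decode(encode(sample)));
        byte[] notJson = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05}; // constructed binary input
        try {
            decode(notJson);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Both ends of the connection have to switch encodings together, since a peer still sending FST-serialized attachments will be rejected by `decode`.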

Added: May 28, 2026, 3:33 PM
Updated: May 28, 2026, 3:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.