WVP Pro Redis Template GenericFastJsonRedisSerializer Deserialization Vulnerability Allowing Remote Code Execution
Vulnerability
A remote code execution vulnerability has been identified in WVP Pro versions through 2.7.4. The application's Redis template is configured with fastjson's 'GenericFastJsonRedisSerializer', which parses every value read back from Redis with AutoType support enabled (the serializer builds its own ParserConfig with AutoType switched on). With AutoType on, the '@type' field of a JSON document selects the class that fastjson instantiates, so anyone who can get a crafted JSON document stored under a key the application later reads can trigger arbitrary class instantiation and, through a known fastjson gadget chain, code execution. The deserialization happens automatically on read, so every service that reads from the shared Redis instance is an exploitation sink; the advisory states that this leads to complete server compromise without authentication.
Impact
Exploitation of this vulnerability yields remote code execution on the host running the application, with the injected code running under the application's own privileges. This allows a complete takeover of the application server, installation of backdoors for persistent access, and disruption of the video surveillance service itself, for example by manipulating camera configurations or injecting fake video streams.
Reproduction
To reproduce this vulnerability, first identify a write path that stores attacker-influenced JSON in Redis: typically an API endpoint that accepts JSON, but any code path that persists user-controlled data through the affected RedisTemplate qualifies. Then prepare a JSON payload whose '@type' annotation names an exploitable class, for example 'com.sun.rowset.JdbcRowSetImpl' (which gadget actually works depends on the fastjson version bundled with the application and on that version's built-in denylist). Store the payload either through the identified endpoint or, if the Redis instance is reachable, directly with redis-cli. Finally, trigger the vulnerability by exercising a service that reads the affected key: the template deserializes the stored value automatically and the gadget executes without any further interaction.
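A practitioner investigating this issue usually also wants to know whether a poisoned value is already sitting in Redis. The following audit scanner is an added example written for this page, not code from WVP Pro; it walks JSON values with Jackson's tree model (which never resolves a class name from the document) and flags every '@type' or '@class' marker that does not fall under an allowlisted package prefix. The package prefixes, key names and sample values are constructed stand-ins for what a SCAN plus GET over the real keyspace would return.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class RedisTypeMarkerAudit {

    // Package prefixes the application is expected to write into Redis.
    // Assumption for this example; substitute the application's own model packages.
    private static final List<String> ALLOWED_PREFIXES =
            List.of("java.lang.", "java.util.", "com.example.model.");

    // readTree() builds a plain JsonNode tree: no polymorphic typing, no class loading,
    // so it is safe to run over attacker-controlled values.
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Returns every "@type" / "@class" value in the document outside the allowlist. */
    public static List<String> suspiciousTypeMarkers(String value) {
        List<String> hits = new ArrayList<>();
        try {
            walk(MAPPER.readTree(value), hits);
        } catch (Exception e) {
            // Not JSON (a counter, a session token, a binary blob): nothing to check.
        }
        return hits;
    }

    private static void walk(JsonNode node, List<String> hits) {
        if (node.isObject()) {
            for (Iterator<Map.Entry<String, JsonNode>> it = node.fields(); it.hasNext(); ) {
                Map.Entry<String, JsonNode> f = it.next();
                String key = f.getKey();
                boolean marker = "@type".equals(key) || "@class".equals(key);
                if (marker && f.getValue().isTextual()) {
                    String cls = f.getValue().asText();
                    if (ALLOWED_PREFIXES.stream().noneMatch(cls::startsWith)) {
                        hits.add(cls);
                    }
                }
                walk(f.getValue(), hits);   // markers can be nested anywhere
            }
        } else if (node.isArray()) {
            for (JsonNode child : node) {
                walk(child, hits);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample keyspace; in practice feed the output of SCAN + GET / HGETALL here.
        Map<String, String> sample = new LinkedHashMap<>();
        sample.put("device:1", "{\"@type\":\"com.example.model.Device\",\"deviceId\":\"1\",\"online\":true}");
        sample.put("online:count", "17");
        sample.put("stream:abc", "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"x\":1}");
        sample.put("nested:list", "[{\"name\":\"x\"},{\"cfg\":{\"@class\":\"org.example.Other\"}}]");

        for (Map.Entry<String, String> kv : sample.entrySet()) {
            List<String> hits = suspiciousTypeMarkers(kv.getValue());
            if (!hits.isEmpty()) {
                System.out.println("SUSPICIOUS " + kv.getKey() + " -> " + hits);
            }
        }
        // Prints the stream:abc and nested:list keys; device:1 and online:count are clean.
    }
}
```

Run it over a dump of the production keyspace before switching serializers: any key it flags should be deleted rather than migrated, since the new serializer would otherwise carry the attacker's document forward as ordinary data.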
Remediation
Replace 'GenericFastJsonRedisSerializer' with 'Jackson2JsonRedisSerializer' in the Redis template configuration. 'Jackson2JsonRedisSerializer' is constructed with a fixed target class and never reads a class name out of the stored document, so the AutoType behaviour that drives this vulnerability is gone entirely. Two caveats apply: do not enable Jackson's default typing on the ObjectMapper you hand to the serializer, and do not substitute 'GenericJackson2JsonRedisSerializer', which embeds an '@class' field and activates default typing, re-creating the same trust in payload-supplied class names. If staying on fastjson is unavoidable, the equivalent fix is to deserialize with a ParserConfig that has AutoType support disabled. After updating the serializer, flush or rewrite existing Redis entries (they were written with '@type' markers and may already be poisoned), then test all Redis read and write operations to ensure they function correctly with the new configuration.
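The weak configuration beside its corrected form, as an added example for this page rather than WVP Pro's actual configuration class. The class name 'RedisConfig', the key/value generic types and the assumption of a Spring Data Redis 3.x constructor for 'Jackson2JsonRedisSerializer' are choices made for the example; the serializer and template APIs are the real Spring Data Redis and fastjson ones.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.serializer.Jackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.StringRedisSerializer;

// Hypothetical configuration class standing in for the application's own Redis setup.
@Configuration
public class RedisConfig {

    /*
     * Vulnerable pattern, kept as a comment so it cannot be wired in by accident.
     * GenericFastJsonRedisSerializer parses with its own ParserConfig on which
     * setAutoTypeSupport(true) has been called, so a stored value such as
     * {"@type":"com.sun.rowset.JdbcRowSetImpl", ...} is resolved to that class and
     * instantiated the moment any service reads the key:
     *
     *     RedisTemplate<Object, Object> t = new RedisTemplate<>();
     *     t.setConnectionFactory(cf);
     *     t.setKeySerializer(new StringRedisSerializer());
     *     t.setValueSerializer(new GenericFastJsonRedisSerializer());      // AutoType on
     *     t.setHashValueSerializer(new GenericFastJsonRedisSerializer());  // AutoType on
     */

    @Bean
    public RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory cf) {
        // Plain ObjectMapper. Do NOT call activateDefaultTyping(...) on it: that would
        // make an "@class" property select the class to instantiate, exactly the
        // behaviour being removed here.
        ObjectMapper mapper = new ObjectMapper();

        // Bound to Object.class, Jackson only ever produces Map / List / String / Number /
        // Boolean trees. Any "@type" left over in old entries becomes an ordinary map key.
        // Callers convert to their own DTOs with mapper.convertValue(value, SomeDto.class).
        // Spring Data Redis 3.x constructor; on 2.x use
        //   new Jackson2JsonRedisSerializer<>(Object.class) followed by setObjectMapper(mapper).
        Jackson2JsonRedisSerializer<Object> values =
                new Jackson2JsonRedisSerializer<>(mapper, Object.class);

        RedisTemplate<String, Object> t = new RedisTemplate<>();
        t.setConnectionFactory(cf);
        t.setKeySerializer(new StringRedisSerializer());
        t.setHashKeySerializer(new StringRedisSerializer());
        t.setValueSerializer(values);
        t.setHashValueSerializer(values);
        return t;
    }
}
```

If the application instead binds values to concrete DTO classes (one 'Jackson2JsonRedisSerializer<Device>' per template, for instance), entries written by the old serializer will carry an unexpected '@type' property; either flush those keys first or disable 'DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES' on the mapper for the duration of the migration.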
