Oinone Pamirs Fastjson Deserialization Vulnerability Leading to Remote Code Execution
Vulnerability
A deserialization vulnerability allowing remote code execution has been identified in Oinone Pamirs versions through 7.2.0. The issue arises in the 'appConfigQuery' interface, which is accessible without authentication. The vulnerability is triggered when the 'JsonUtils.parseMap' function processes an attacker-supplied JSON string carrying a crafted class type reference. Because the application's configuration disables Fastjson's autoType protection, the referenced class is instantiated during parsing, allowing attackers to execute arbitrary commands on the server.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of commands on the server, potentially allowing an attacker to take over the entire server.
Reproduction
To reproduce this vulnerability, send a GraphQL request to the 'appConfigQuery' interface with a 'queryData' parameter that includes a crafted JSON string. This string should be formatted to exploit the deserialization process by including a class type reference that, when processed, triggers the execution of remote code.
Remediation
Remove the 'setAutoTypeSupport(true)' configuration from 'PamirsParserConfig.java' to restore Fastjson's default security settings. If polymorphic deserialization is necessary, restrict the allowed classes to an explicit allow-list of trusted internal package names instead of enabling autoType globally. Additionally, upgrade Fastjson to version 2.x or 1.2.83+ and enable its 'SafeMode' feature, which disables class selection via the type field entirely.
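The following is an added example of the hardened parser setup described above; it is not Oinone's code. The class name, package names and the accepted package prefix are assumptions, while the Fastjson 1.2.83 API calls ('setAutoTypeSupport', 'addAccept', 'setSafeMode') are real.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

import java.util.Map;

/** Hypothetical replacement for the parser configuration (assumed name). */
public final class HardenedParserConfig {

    // Weak configuration: the setting the advisory says to remove. Any class
    // named in the type field of untrusted JSON may be instantiated.
    static ParserConfig weak() {
        ParserConfig cfg = new ParserConfig();
        cfg.setAutoTypeSupport(true);
        return cfg;
    }

    // Option 1: keep autoType off (the default) and allow only an explicit
    // list of internal packages to be resolved from the type field.
    static ParserConfig restricted() {
        ParserConfig cfg = new ParserConfig();
        cfg.setAutoTypeSupport(false);            // explicit; same as default
        cfg.addAccept("com.example.pamirs.dto.");  // assumed internal DTO package
        return cfg;
    }

    // Option 2 (Fastjson 1.2.68+/1.2.83+): safeMode rejects every type field,
    // regardless of accept lists. Equivalent to -Dfastjson.parser.safeMode=true.
    static void enableSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Stand-in for JsonUtils.parseMap: parse untrusted JSON into a Map using
    // the supplied config. Feature.SupportAutoType is deliberately not passed.
    @SuppressWarnings("unchecked")
    static Map<String, Object> parseMap(String json, ParserConfig cfg) {
        return JSON.parseObject(json, Map.class, cfg);
    }

    public static void main(String[] args) {
        // Constructed input: a type reference outside the allowed package.
        String untrusted = "{\"@type\":\"com.untrusted.Anything\",\"k\":1}";
        try {
            parseMap(untrusted, restricted());
            System.out.println("unexpectedly accepted");
        } catch (JSONException e) {
            // With autoType off and no accept-list match, Fastjson refuses
            // to resolve the class and raises "autoType is not support".
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Calling the same input through 'weak()' instead of 'restricted()' is what the advisory describes as the vulnerable path; the hardened variants reject it before any class is loaded.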
