Changmingxie TCC-Transaction Fastjson AutoType Deserialization Vulnerability Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in Changmingxie TCC-Transaction versions through 2.1.0. The issue arises from stored deserialization of transaction data in Redis: the data is serialized with Fastjson and read back with AutoType enabled. An attacker able to write to Redis, either directly or through the application's REST API, can inject a crafted JSON payload whose @type field causes Fastjson's AutoType feature to instantiate an arbitrary class during deserialization.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where the application is running.

Reproduction

The vulnerability can be reproduced by writing a crafted JSON payload into Redis that includes an attacker-controlled @type field. This payload can be sent via the application's REST API or directly to Redis, depending on the application's configuration. Once the payload is stored in Redis, the application will read it during the transaction recovery process, deserializing the JSON with Fastjson's AutoType feature enabled. This deserialization process will then execute the injected payload, leading to remote code execution.

Remediation

To address this vulnerability, users should disable AutoType support on Fastjson's global ParserConfig and enable safe mode, which rejects any @type field outright. Additionally, explicit type mapping (parsing into a known target class) should be used instead of AutoType. For Redis, it is recommended to require authentication for connections and to restrict network access to the application servers.
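The following is an added example of the hardened read path described above; it is not code from the TCC-Transaction project. It assumes a hypothetical TransactionRecord class standing in for the project's transaction data, and it uses the real Fastjson ParserConfig calls setAutoTypeSupport(false) and setSafeMode(true) (safe mode requires Fastjson 1.2.68 or later). The sample JSON documents are constructed for the demonstration, and the class name in the @type field is a placeholder, not a gadget.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeTransactionCodec {

    // Hypothetical record type: the explicit target of every parse.
    // The class to instantiate comes from this code, never from the JSON.
    public static class TransactionRecord {
        private String xid;
        private int status;
        public String getXid() { return xid; }
        public void setXid(String xid) { this.xid = xid; }
        public int getStatus() { return status; }
        public void setStatus(int status) { this.status = status; }
    }

    static {
        ParserConfig config = ParserConfig.getGlobalInstance();
        config.setAutoTypeSupport(false); // do not honour @type at all
        config.setSafeMode(true);         // Fastjson >= 1.2.68: any @type raises JSONException
    }

    /** Deserialize with an explicit target type instead of relying on AutoType. */
    public static TransactionRecord decode(String json) {
        return JSON.parseObject(json, TransactionRecord.class);
    }

    /** True when Fastjson refused the document, e.g. because it carries an @type field. */
    public static boolean isRejected(String json) {
        try {
            decode(json);
            return false;
        } catch (JSONException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample records; the @type value is a placeholder class name.
        String benign = "{\"xid\":\"tx-0001\",\"status\":1}";
        String withType = "{\"@type\":\"com.example.PlaceholderClass\",\"xid\":\"tx-0002\",\"status\":1}";

        System.out.println("benign record xid = " + decode(benign).getXid());
        System.out.println("@type record rejected = " + isRejected(withType));
    }
}
```

Safe mode can also be switched on without a code change through the JVM property -Dfastjson.parser.safeMode=true, which is useful when the application reads Redis through a library whose ParserConfig you do not control; in either form the effect is that a stored record containing @type fails to parse rather than instantiating a class named by whoever wrote to Redis.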

Added: May 26, 2026, 6:32 PM
Updated: May 26, 2026, 6:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.7
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.