Vulnerability Details - Potential Command Execution via Deserialization Exploit Chain in Specific Component Combinations
A critical vulnerability has been identified in ZAPROXY version 2.14.0, stemming from the interaction of its dependency components (net.sf.json and org.apache.commons.beanutils) with spring-aop, which yields a novel deserialization gadget chain. This gadget chain potentially enables remote attackers to execute arbitrary commands on the affected system.
The vulnerability arises from a new deserialization gadget chain involving the JdkDynamicAopProxy class from the spring-aop library. The chain uses JdkDynamicAopProxy to proxy an instance of TemplatesImpl, so that when the WrapDynaBean.get() method is triggered, the getOutputProperties method of TemplatesImpl is invoked in a controlled manner. This controlled invocation facilitates the execution of malicious code through the deserialization process.
A crucial element of this exploit chain is its reliance on the serialization capabilities of components from the Apache Commons Collections library. Specifically, the chain manipulates the factory.create() call within LazyList instances to trigger the gadget chain. Exploitation therefore requires an environment that permits the serialization of Apache Commons Collections components, underscoring the complexity and specificity of the attack vector.
It is highly recommended to review and update ZAPROXY's dependency components to versions that do not support the described deserialization gadget chain. Additionally, limiting or disabling the serialization capabilities of the Apache Commons Collections library within the application's environment can mitigate the risk associated with this vulnerability. Organizations are advised to follow secure coding practices and implement robust deserialization filters to protect against similar deserialization vulnerabilities.
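As an added example of the deserialization filter recommended above (this is not ZAP's code or the advisory's PoC), the following Java program builds a JEP 290 ObjectInputFilter from a pattern string that rejects the packages involved in the described chain (spring-aop, commons-beanutils, commons-collections, net.sf.json, and the package containing TemplatesImpl) and caps object-graph depth, and places it next to the stricter allow-list form. It requires Java 9 or later; the package name com.example.app and the NotExpected class are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not ZAP's code): a JEP 290 ObjectInputFilter that refuses the
 * packages named in the advisory and caps graph depth, next to a stricter
 * allow-list filter. Requires Java 9+; "com.example.app" is a placeholder.
 */
public class DeserializationFilterDemo {

    // Reject-list: blocks the libraries involved in the described chain (spring-aop's
    // JdkDynamicAopProxy, beanutils' WrapDynaBean, commons-collections' LazyList,
    // net.sf.json) and TemplatesImpl's package, and limits object-graph depth.
    static final String REJECT_LIST =
            "!org.apache.commons.beanutils.**;"
          + "!org.apache.commons.collections.**;"
          + "!org.apache.commons.collections4.**;"
          + "!org.springframework.aop.**;"
          + "!net.sf.json.**;"
          + "!com.sun.org.apache.xalan.internal.xsltc.trax.**;"
          + "maxdepth=20";

    // Allow-list (preferred): only the types the application actually expects;
    // the trailing "!*" rejects everything else, including unknown gadget classes.
    static final String ALLOW_LIST =
            "java.lang.**;java.util.**;com.example.app.**;!*";

    /** Serialises any object to bytes; stands in for untrusted input in the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialises with the given filter pattern; throws InvalidClassException on rejection. */
    static Object readWithFilter(byte[] data, String pattern) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter); // per-stream; JVM-wide alternative: -Djdk.serialFilter=<pattern>
            return ois.readObject();
        }
    }

    /** Constructed Serializable type outside the allow-list, to show rejection of unexpected classes. */
    static class NotExpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "constructed for the demo";
    }

    static void attempt(String label, byte[] data, String pattern) {
        try {
            Object o = readWithFilter(data, pattern);
            System.out.println(label + ": accepted -> " + o.getClass().getName());
        } catch (InvalidClassException e) {
            // ObjectInputStream reports a filter veto as InvalidClassException ("filter status: REJECTED")
            System.out.println(label + ": REJECTED by filter (" + e.getMessage() + ")");
        } catch (IOException | ClassNotFoundException e) {
            System.out.println(label + ": error " + e);
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Benign payload: a list of strings passes both filters.
        byte[] benignBytes = serialize(new ArrayList<>(List.of("a", "b")));
        attempt("benign/reject-list", benignBytes, REJECT_LIST);
        attempt("benign/allow-list", benignBytes, ALLOW_LIST);

        // 2. Class not on the allow-list: rejected even though it is harmless.
        attempt("NotExpected/allow-list", serialize(new NotExpected()), ALLOW_LIST);

        // 3. A 30-level nested graph exceeds maxdepth=20 and is rejected before it is built.
        List<Object> nested = new ArrayList<>();
        List<Object> cursor = nested;
        for (int i = 0; i < 30; i++) {
            List<Object> inner = new ArrayList<>();
            cursor.add(inner);
            cursor = inner;
        }
        attempt("nested/reject-list", serialize(nested), REJECT_LIST);
    }
}
```

The reject-list mirrors the advisory's mitigation of disabling Commons Collections serialization, but it only stops the chain described here; the allow-list form is the one to deploy, since it also blocks gadget classes that are not yet known. Both patterns can be applied JVM-wide through the jdk.serialFilter system property instead of per stream, which covers deserialization in dependencies the application does not call directly.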
ZAPROXY 2.14.0
The PoC follows:
pom.xml