Yonyou NC BaseApp Deserialization of Untrusted Data Scanner
Detects the 'Deserialization of Untrusted Data' vulnerability in Yonyou UFIDA NC.
Short Info
Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 23 hours
Scan only one: URL
Toolbox: -
Yonyou UFIDA NC is an enterprise-level management software platform developed by Yonyou. It is widely used by large and medium-sized enterprises to model, develop, integrate, operate, and manage their IT solutions. The product is written in Java and follows a client/server (C/S) architecture, with the client and server communicating over protocols such as HTTP. Enterprises rely on its modules to run a range of business operations, including financial management, HR, and supply chain activities.
Deserialization of untrusted data occurs when an application reconstructs objects from serialized input that an untrusted party controls, without validating that input first. In a Java application this typically means calling ObjectInputStream.readObject() on attacker-supplied bytes: the stream itself dictates which classes on the server's classpath are instantiated, and any code those classes run during deserialization (for example in a custom readObject() method) executes before the application ever inspects or casts the result. An attacker can therefore craft serialized data that triggers file writes or command execution on the server, which in practice means arbitrary code execution and can lead to data breaches or full system compromise. Restricting the classes that may be deserialized (an allowlist), or avoiding native serialization for untrusted input altogether, removes this attack surface.
In Yonyou UFIDA NC the issue stems from insufficient type restrictions in the file upload handling. Endpoints such as 'UploadServlet' have been reported to deserialize data taken from the request without checking which classes the stream may instantiate. An attacker who can reach such an endpoint can send a crafted serialized payload that is deserialized without validation, allowing arbitrary files to be written to and executed on the server, and thus unauthenticated command execution and system compromise.
Exploitation of this vulnerability can have severe consequences, including unauthorized access to sensitive data and critical application functions. Remote command execution on the NC server can lead to data loss, data corruption, and service interruption, and the compromised host can serve as a foothold for lateral movement into connected systems, with correspondingly large financial and reputational damage for the affected enterprise. Confirmed exploitation usually requires a full security audit and incident response to contain and remediate.
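The following is an added illustration of the two preceding paragraphs, not code from Yonyou NC or from the scanner. It shows, with a constructed stand-in for a gadget class, why readObject() on request-controlled bytes is dangerous: the gadget's code runs while the stream is still being parsed, before the handler's cast. The hardened variant applies a JEP 290 ObjectInputFilter allowlist so that any class other than the expected one is rejected before it is instantiated. The class names (DeserDemo, UploadMeta, Gadget) and the handler signatures are hypothetical; the real UploadServlet endpoint and its parameters are not reproduced here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserDemo {

    // Hypothetical type an upload endpoint legitimately expects in the stream.
    static class UploadMeta implements Serializable {
        private static final long serialVersionUID = 1L;
        String fileName;
        int size;
        UploadMeta(String fileName, int size) { this.fileName = fileName; this.size = size; }
    }

    // Constructed stand-in for a gadget class. Any Serializable class on the
    // server's classpath with a side-effecting readObject() behaves like this:
    // its code runs while the stream is parsed, before the application can
    // cast or validate the result. A real gadget chain would reach
    // Runtime.exec() or write a file to the web root; this one only prints.
    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload;
        Gadget(String payload) { this.payload = payload; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("[gadget] readObject() executed during parsing: " + payload);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE: the request body decides which classes get instantiated.
    static UploadMeta handleVulnerable(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            Object o = in.readObject();   // gadget code has already run at this point
            return (UploadMeta) o;        // the cast fails too late to matter
        }
    }

    // HARDENED: JEP 290 allowlist (Java 9+, backported to 8u121+). Only the
    // expected type and java.base classes may appear in the stream; every other
    // class is rejected before any constructor or readObject() runs.
    static UploadMeta handleHardened(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "DeserDemo$UploadMeta;java.base/*;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(allowlist);
            return (UploadMeta) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new UploadMeta("report.pdf", 1024));
        byte[] hostile = serialize(new Gadget("whoami"));   // constructed attacker input

        System.out.println("vulnerable, legit  : " + handleVulnerable(legit).fileName);
        try {
            handleVulnerable(hostile);
        } catch (ClassCastException e) {
            System.out.println("vulnerable, hostile: gadget ran, then " + e.getClass().getSimpleName());
        }

        System.out.println("hardened, legit    : " + handleHardened(legit).fileName);
        try {
            handleHardened(hostile);
        } catch (InvalidClassException e) {
            System.out.println("hardened, hostile  : rejected before readObject(): " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserDemo.java && java DeserDemo`. The vulnerable path prints the gadget's message before the ClassCastException surfaces, which is the whole point: by the time the application learns the object is of the wrong type, the attacker's code has already executed. The hardened path fails with an InvalidClassException whose status is REJECTED, and the Gadget class is never loaded for instantiation. In a real fix the allowlist pattern would name the application's own expected types, and the filter can also be installed process-wide through the `jdk.serialFilter` system property rather than per stream.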