Yunanbao Cloud Box Remote Code Execution Scanner
Detects 'Remote Code Execution (RCE)' vulnerability in Yunanbao Cloud Box.
Short Info
Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 2 weeks 13 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
The Yunanbao Cloud Box is a cloud-based service mostly used by enterprises and developers to manage cloud resources efficiently. It provides an interface for users to deploy, monitor, and maintain various applications in the cloud ecosystem. The Yunanbao Cloud Box is integrated with multiple cloud services, allowing seamless deployment and scaling of applications. It is commonly accessed through the web, making it convenient for remote management. Developers often rely on it for its fast JSON processing and real-time data serialization capabilities. The platform's architecture supports extensive customization, making it adaptable to various operational needs.
Remote Code Execution (RCE) is a critical vulnerability that allows attackers to execute arbitrary code on a server. This vulnerability can occur if untrusted data is deserialized improperly, such as in the use of vulnerable libraries like fastjson. An attacker can exploit RCE to gain control over the server and execute malicious commands. This particular vulnerability affects the authService interface in Yunanbao Cloud Box, where fastjson is used improperly. When fastjson processes user input without adequate checks, it introduces the potential for unsanctioned access to system components. RCE vulnerabilities are severe as they can lead to full system compromise.
The vulnerability originates from the authService interface within the Cloud Box, where the fastjson component is used. An exploitable endpoint is present in the POST request to `/3.0/authService/config`, which does not sanitize inputs properly. The parameter `Cmd` is particularly vulnerable to injection, wherein malicious serialized payloads can be sent to execute arbitrary commands. Fastjson is employed to deserialize this input, but because no secure deserialization controls are applied, the endpoint deserializes attacker-controlled data. The `Content-Type` of `application/json` is a facilitating factor for payload delivery. Attackers capitalize on this flaw to gain unauthorized execution rights on the server.
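As an added defender-side illustration (not code from the scanner or the vendor), the following Python flags HTTP requests matching the pattern described above. The endpoint path, method and content type come from the text; the assumption that a malicious payload carries fastjson's `@type` autotype marker inside `Cmd`, the placeholder class name, and the sample requests are constructed.

```python
import json
import re
from typing import Any, Iterator

# Endpoint named in the advisory text. The payload shape (a fastjson
# "@type" autotype key under "Cmd") is an assumption for this example.
TARGET_PATH = "/3.0/authService/config"
AUTOTYPE_KEY = "@type"
# Catches the marker when Cmd is a string holding embedded JSON.
AUTOTYPE_RE = re.compile(r'"\s*@type\s*"', re.IGNORECASE)


def _walk(node: Any) -> Iterator[str]:
    """Yield every dict key and string value in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)
    elif isinstance(node, str):
        yield node


def inspect_request(method: str, path: str, content_type: str, body: str) -> list[str]:
    """Return detection reasons for one request; an empty list means not suspicious."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    if "application/json" not in content_type.lower():
        return []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        # fastjson is lenient; a body that strict JSON rejects still deserves a look.
        return ["unparsable JSON body sent to authService/config"]
    if not isinstance(doc, dict) or "Cmd" not in doc:
        return []
    for item in _walk(doc["Cmd"]):
        if item == AUTOTYPE_KEY or AUTOTYPE_RE.search(item):
            return ["fastjson autotype marker '@type' inside Cmd"]
    return []


# Constructed sample traffic; "com.example.Gadget" is a placeholder class name.
SAMPLE_REQUESTS = [
    ("POST", TARGET_PATH, "application/json", '{"Cmd": {"timeout": 30, "region": "cn-east"}}'),
    ("POST", TARGET_PATH, "application/json", '{"Cmd": {"@type": "com.example.Gadget", "v": 1}}'),
    ("POST", TARGET_PATH, "application/json", '{"Cmd": "{\\"@type\\":\\"com.example.Gadget\\"}"}'),
    ("POST", TARGET_PATH, "application/json", '{"Cmd": {not json'),
    ("GET", TARGET_PATH, "", ""),
]


def scan(requests: list[tuple[str, str, str, str]]) -> list[int]:
    """Return indices of the requests that produced at least one detection reason."""
    return [i for i, req in enumerate(requests) if inspect_request(*req)]
```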
If this vulnerability is exploited, attackers can potentially take over the affected server and make unauthorized changes to data or configurations. It may lead to unauthorized access to sensitive information and a subsequent data breach. System integrity might be jeopardized, allowing malware installation or the creation of persistent access points for future attacks. The operations conducted through the Cloud Box can be sabotaged, causing business disruptions. Additionally, such a vulnerability can degrade user trust and pose compliance issues due to the potential for unauthorized data manipulation.