coherence.jar中的漏洞利用链及后续绕过。coherence.jar中的漏洞利用链及后续绕过。因为10.3.6默认没有启用coherence,我们用12.2.1.3作为调试环境。CVE-2020-2555
InvokerTransformer#transform方法对Method.invoke的调用,Weblogic几百个lib中有没有类CC链呢?-
1. 查找调用了 Method.invoke的方法 -
2. 筛出可被序列化的方法所在类 -
3. 剔除参数不可控的结果
com.tangosol.util.extractor.ReflectionExtractor#extract,与transform不说丝毫不差至少也是大同小异。
ChainedTransformer作用一致的ChainedExtractor,ReflectionExtractor实现了ValueExtractor接口满足类型要求:
com.tangosol.util.filter.LimitFilter#toString,这样就能链上CC5开头用的BadAttributeValueExpException实现完整利用链。
com.tangosol.coherence.rest.util.extractor.MvelExtractor#extract作为sink执行MVEL表达式。
extract:95, MvelExtractor (com.tangosol.coherence.rest.util.extractor)
extract:112, ReflectionExtractor (com.tangosol.util.extractor)
extract:83, ChainedExtractor (com.tangosol.util.extractor)
// extract:96, MultiExtractor (com.tangosol.util.extractor)
toString:581, LimitFilter (com.tangosol.util.filter)
readObject:86, BadAttributeValueExpException (javax.management)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
invokeReadObject:1170, ObjectStreamClass (java.io)
readSerialData:2178, ObjectInputStream (java.io)
readOrdinaryObject:2069, ObjectInputStream (java.io)
readObject0:1573, ObjectInputStream (java.io)CVE-2020-2883
[ALIAS]关系的抽象基类com.tangosol.util.extractor.AbstractExtractor在compare中调用了extract:
PriorityQueue实现完整利用链。
extract:95, MvelExtractor (com.tangosol.coherence.rest.util.extractor)
extract:112, ReflectionExtractor (com.tangosol.util.extractor)
extract:83, ChainedExtractor (com.tangosol.util.extractor)
// extract:96, MultiExtractor (com.tangosol.util.extractor)
compare:79, AbstractExtractor (com.tangosol.util.extractor)
siftDownUsingComparator:722, PriorityQueue (java.util)
siftDown:688, PriorityQueue (java.util)
heapify:737, PriorityQueue (java.util)
readObject:797, PriorityQueue (java.util)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
invokeReadObject:1170, ObjectStreamClass (java.io)
readSerialData:2178, ObjectInputStream (java.io)
readOrdinaryObject:2069, ObjectInputStream (java.io)
readObject0:1573, ObjectInputStream (java.io)
CVE-2020-14645
UniversalExtractor看似能调用任意类方法,实际受内部逻辑限制(尤其是CanonicalNames#computeValueExtractorCanonicalName)只能调到任意类的无参get/is方法,可以通过一些getter链触发JNDI完成利用。extractComplex:432, UniversalExtractor (com.tangosol.util.extractor)
extract:175, UniversalExtractor (com.tangosol.util.extractor)
// extract:105, ChainedExtractor (com.tangosol.util.extractor)
// extract:96, MultiExtractor (com.tangosol.util.extractor)
compare:143, AbstractExtractor (com.tangosol.util.extractor)
siftDownUsingComparator:722, PriorityQueue (java.util)
siftDown:688, PriorityQueue (java.util)
heapify:737, PriorityQueue (java.util)
readObject:797, PriorityQueue (java.util)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
invokeReadObject:1170, ObjectStreamClass (java.io)
readSerialData:2178, ObjectInputStream (java.io)
readOrdinaryObject:2069, ObjectInputStream (java.io)
readObject0:1573, ObjectInputStream (java.io)参考链接
-
1.https://medium.com/nightst0rm/t%C3%B4i-%C4%91%C3%A3-chi%E1%BA%BFm-quy%E1%BB%81n-%C4%91i%E1%BB%81u-khi%E1%BB%83n-c%E1%BB%A7a-r%E1%BA%A5t-nhi%E1%BB%81u-trang-web-nh%C6%B0-th%E1%BA%BF-n%C3%A0o-61efdf4a03f5
-
2.https://testbnull.medium.com/the-art-of-deserialization-gadget-hunting-part-3-how-i-found-cve-2020-2555-by-known-tools-67819b29cb63
-
3.https://www.yaowendao.com/2020/09/06/%E4%BB%8EWebLogic%E4%B8%80%E8%84%89%E7%9B%B8%E6%89%BF%E7%9A%84%E4%B8%89%E4%B8%AA%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96CVE%E8%AF%B4%E8%B5%B7
原文始发于微信公众号(默安逐日实验室):Weblogic安全漫谈(三)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论