How to analyze the WebLogic remote code execution vulnerability CVE-2020-14644

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how the analysis of the WebLogic remote code execution vulnerability CVE-2020-14644 is carried out. The editor considers it very practical and shares it here for study; I hope you get something out of it. Without further ado, follow along.

1. Vulnerability Analysis

1.1 Introduction to WebLogic components

WebLogic is an application server produced by the American company Oracle. Specifically, it is middleware based on the Java EE architecture: a Java application server for developing, integrating, deploying and managing large-scale distributed web applications, network applications and database applications.

1.2 Vulnerability description

Oracle disclosed this vulnerability in the security patch update released in July 2020. An unauthenticated attacker with network access via IIOP or T3 can exploit it to take over Oracle WebLogic Server. The CVSS score is 9.8.

1.3 Vulnerability analysis

Taking WebLogic 12.1.4.0 as the environment for analysis: first, the PoC calls the ClassIdentity constructor to store the information of the constructed malicious class in its three fields m_sPackage, m_sBaseName and m_sVersion.

It uses the Javassist class library to obtain the byte stream (bytecode) of the constructed malicious class, and calls the ClassDefinition constructor to store that byte stream in the m_abClass field.

It then calls the RemoteConstructor constructor, passing the ClassDefinition obtained above into the m_definition field.

During deserialization, the serialized data enters the readResolve() method of the RemoteConstructor class, which calls the newInstance() method, which in turn enters the realize() method.

In this method, because the m_clz field read by getRemotableClass() is declared with the transient keyword, its value is null after deserialization. Once two if conditions pass, the statement

definition.setRemotableClass(this.defineClass(definition))

is executed.

The defineClass method obtains the malicious class and its byte stream data and calls the defineClass method of the parent class ClassLoader, defining the class through a custom ClassLoader. The malicious code runs while the class is being loaded, which completes the attack.

1.4 Reproducing the vulnerability

Build a WebLogic 12.1.4.0 vulnerability environment, construct malicious deserialization data, and send it to the target server over T3. When the target server parses the deserialized data, malicious code execution is triggered. The effect is as shown below:

2. Scope of impact

Currently affected WebLogic versions:

WebLogic Server 12.1.3.0.0

WebLogic Server 12.2.1.3.0

WebLogic Server 14.1.1.0.0

3. Solution

3.1 Repair recommendation

1. Oracle has released an official patch for this vulnerability. Refer to the following link to install the patch update: https://www.oracle.com/security-alerts/cpujul2020.html

3.2 Temporary mitigation recommendations

1. The vulnerability can be mitigated temporarily by disabling the IIOP protocol. Proceed as follows:

In the WebLogic console, select Service -> AdminServer -> Protocol and uncheck Enable IIOP. Then restart the WebLogic server for the configuration to take effect.

2. Control of T3 access

To control access to the T3 service:

In the WebLogic console, select Security -> Filter, find Connection Filter in the page that appears, and enter

weblogic.security.net.ConnectionFilterImpl

Then enter the following in Connection Filter Rules:

127.0.0.1 * * allow t3 t3s
0.0.0.0/0 * * deny t3 t3s

Finally, save and restart the server for the rules to take effect.
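To make the meaning of the two rules above concrete, here is an added Python model (not WebLogic's own code) that parses rules in this connection-filter format and evaluates a connection against them. It assumes rules are checked in order with first match deciding and an unmatched connection allowed, handles only IP/CIDR targets, and uses constructed sample rules and addresses.

```python
import ipaddress

# Constructed sample rules in WebLogic connection-filter syntax (not copied
# from a real server): target localAddress localPort action protocols...
RULES_TEXT = """
127.0.0.1 * * allow t3 t3s
0.0.0.0/0 * * deny t3 t3s
"""

def parse_rules(text):
    """Parse rule lines into (network, local_addr, local_port, action, protocols).
    Only IP or CIDR targets are handled; hostname targets are out of scope here."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target, local_addr, local_port, action, *protocols = line.split()
        if action not in ("allow", "deny") or not protocols:
            raise ValueError(f"malformed rule: {line!r}")
        net = ipaddress.ip_network(target, strict=False)
        rules.append((net, local_addr, local_port, action, {p.lower() for p in protocols}))
    return rules

def _field_matches(pattern, value):
    # '*' is a wildcard for the local address and local port fields.
    return pattern == "*" or pattern == str(value)

def evaluate(rules, remote_ip, local_addr, local_port, protocol):
    """Return 'allow' or 'deny' for one connection attempt.
    Assumption: rules are checked top to bottom, the first match decides, and a
    connection matching no rule is allowed. That default is why the trailing
    0.0.0.0/0 deny rule is needed to actually block remote T3/T3S clients."""
    ip = ipaddress.ip_address(remote_ip)
    for net, l_addr, l_port, action, protos in rules:
        if (ip in net and _field_matches(l_addr, local_addr)
                and _field_matches(l_port, local_port) and protocol.lower() in protos):
            return action
    return "allow"

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    print(evaluate(rules, "127.0.0.1", "10.0.0.5", 7001, "t3"))      # allow
    print(evaluate(rules, "203.0.113.9", "10.0.0.5", 7001, "T3"))    # deny
    print(evaluate(rules, "203.0.113.9", "10.0.0.5", 7001, "http"))  # allow (not a T3 rule)
    # Without the deny rule, remote T3 falls through to the default allow.
    print(evaluate(rules[:1], "203.0.113.9", "10.0.0.5", 7001, "t3"))  # allow
```

In this model 0.0.0.0/0 matches IPv4 sources only, so an IPv6 client would fall through to the default; verify how the server's own filter treats IPv6 clients if the listener is dual-stack.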

This is how the analysis of the WebLogic remote code execution vulnerability CVE-2020-14644 is carried out. The editor believes it contains knowledge points we may encounter or use in daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
