2025-01-20 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article walks through the analysis of the Weblogic IIOP deserialization vulnerability CVE-2020-2551. Many newcomers are unclear about it, so the editor explains it in detail below for anyone who needs it; I hope you get something out of it.
Preface
On January 15, 2020, Oracle released its January 2020 Critical Patch Update (CPU) advisory. CVE-2020-2551 is rated high-risk in it with a CVSS score of 9.8, reflecting a low exploitation difficulty. The affected versions are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.
Vulnerability analysis
Oracle's advisory shows that the vulnerability lies in Weblogic's core components and that the affected protocol is IIOP. The root cause is once again a flaw in the implementation of remote object invocation: a serialized object can be constructed arbitrarily and is used without any security check, which leads to malicious code execution. The PoC construction for this vulnerability has some similarities with the historical vulnerabilities CVE-2017-3241 and CVE-2018-3191, which becomes apparent when building the PoC.
A brief overview of some terms:
IIOP: IIOP is the communication protocol of CORBA. It defines how bits are sent over a connection between a CORBA client and server.
CORBA: the Common Object Request Broker Architecture, abbreviated CORBA, is a standard distributed object architecture developed by the Object Management Group (OMG). The interfaces of remote objects are described in the platform-independent Interface Definition Language (IDL); a mapping from IDL to a specific programming language binds that language to CORBA/IIOP. The Java Standard Edition CORBA/IIOP implementation is called Java IDL. Together with the IDL-to-Java (idlj) compiler, Java IDL can be used to define, implement and access CORBA objects from the Java programming language.
RMI-IIOP: Java programmers have to choose between RMI and CORBA/IIOP (Java IDL) as their distributed programming solution. By following a few restrictions, RMI server objects can use the IIOP protocol and communicate with CORBA client objects written in any language. This solution is called RMI-IIOP; it combines the ease of use of RMI with the cross-language interoperability of CORBA.
For more details on these concepts and on Weblogic's IIOP implementation, refer to the official documentation; they are not covered further here.
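Every IIOP message on the wire begins with the fixed 12-byte GIOP header (magic "GIOP", version, flags, message type, message size). As an added example that is not part of the article and not Weblogic code, the decoder below parses that header so a monitoring sensor on the IIOP listen port can confirm a connection really carries IIOP and log which message types a client sends. The class name, the Header holder and the two sample byte strings are constructed for this example.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;

// Added example (not from the article): decode the 12-byte GIOP header that
// every IIOP message starts with, for traffic recognition and logging.
public class GiopHeaderDecoder {

    // Message type codes defined by the GIOP specification (values 0..7).
    static final String[] MESSAGE_TYPES = {
        "Request", "Reply", "CancelRequest", "LocateRequest",
        "LocateReply", "CloseConnection", "MessageError", "Fragment"
    };

    static final class Header {
        final int major, minor, messageType;
        final boolean littleEndian, moreFragments;
        final long messageSize; // body length following the 12-byte header

        Header(int major, int minor, boolean littleEndian, boolean moreFragments,
               int messageType, long messageSize) {
            this.major = major; this.minor = minor;
            this.littleEndian = littleEndian; this.moreFragments = moreFragments;
            this.messageType = messageType; this.messageSize = messageSize;
        }

        String typeName() { return MESSAGE_TYPES[messageType]; }

        @Override public String toString() {
            return String.format("GIOP %d.%d %s (%s endian, %d body bytes%s)",
                major, minor, typeName(), littleEndian ? "little" : "big",
                messageSize, moreFragments ? ", more fragments" : "");
        }
    }

    // Returns the parsed header, or throws if the bytes are not a GIOP header.
    static Header decode(byte[] data) {
        if (data.length < 12) {
            throw new IllegalArgumentException("need 12 bytes, got " + data.length);
        }
        String magic = new String(data, 0, 4, StandardCharsets.US_ASCII);
        if (!"GIOP".equals(magic)) {
            throw new IllegalArgumentException("bad magic: " + magic);
        }
        int major = data[4] & 0xff;
        int minor = data[5] & 0xff;
        // Byte 6 is 'byte_order' in GIOP 1.0 and a flags byte from 1.1 on:
        // bit 0 means little-endian in both, bit 1 (1.1+) means more fragments follow.
        int flags = data[6] & 0xff;
        boolean littleEndian = (flags & 0x01) != 0;
        boolean moreFragments = (major > 1 || minor >= 1) && (flags & 0x02) != 0;
        int messageType = data[7] & 0xff;
        if (messageType >= MESSAGE_TYPES.length) {
            throw new IllegalArgumentException("unknown message type " + messageType);
        }
        // message_size is an unsigned 32-bit integer in the byte order the flag announces.
        long messageSize = ByteBuffer.wrap(data, 8, 4)
            .order(littleEndian ? ByteOrder.LITTLE_ENDIAN : ByteOrder.BIG_ENDIAN)
            .getInt() & 0xffffffffL;
        return new Header(major, minor, littleEndian, moreFragments, messageType, messageSize);
    }

    public static void main(String[] args) {
        // Constructed sample: a GIOP 1.2 Request header, big-endian, announcing a 32-byte body.
        byte[] request = {
            'G', 'I', 'O', 'P', 1, 2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20
        };
        System.out.println(decode(request));

        // Constructed sample: plain HTTP arriving on the same port fails the magic check.
        byte[] notGiop = "GET / HTTP/1.1\r\n".getBytes(StandardCharsets.US_ASCII);
        try {
            decode(notGiop);
        } catch (IllegalArgumentException e) {
            System.out.println("not IIOP: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac GiopHeaderDecoder.java && java GiopHeaderDecoder`. Only the header is decoded here; the body that follows (service contexts, request id, operation name, and for a Request the serialized arguments) is what the deserialization path in the article consumes, so a sensor would typically count and log header types per source first and only then inspect bodies.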
From the PoC screenshot of the vulnerability published online, we can roughly infer where the vulnerability starts from the exception that is thrown. It is easy to see that the final exception is thrown in weblogic.utils.io.ObjectStreamClass.
Working backwards step by step along the stack trace to find which method called it, we arrive at weblogic.corba.utils.ValueHandlerImpl, which calls the readObject method:
Going one step further, the readValue method of the same class calls the method above:
Continuing the trace, we reach the main entry point, weblogic.iiop.IIOPInputStream, where the problematic method lives; at this point the picture is basically clear:
According to the official description, an unauthenticated attacker can reach a remote interface on Weblogic Server over the IIOP protocol and pass in malicious data to gain server privileges and execute arbitrary code remotely. Weblogic's default IIOP port is 7001, and the protocol is enabled by default. According to the disclosed information, this vulnerability is a JNDI injection: a factory class in Weblogic has to be found, wrapped and sent. Consulting the official manuals, the weblogic.jndi.WLInitialContextFactory factory method can be used.
Was the above content helpful to you? If you want to learn more or read more related articles, please follow the industry information channel. Thank you for your support.