How to write the analysis report of Weblogic deserialization remote code execution vulnerability

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through how to write an analysis report for the Weblogic deserialization remote code execution vulnerability. The content is concise and easy to follow, and I hope the detailed walkthrough below is useful to you.

I. Description of the vulnerability

On April 17th, the National Information Security Vulnerability Sharing Platform (CNVD) disclosed the Weblogic deserialization remote code execution vulnerability (CNVD-C-2019-48814). Because of a flaw in how input is deserialized, an unauthenticated attacker can send a specially crafted malicious HTTP request and exploit it to gain server privileges and achieve remote code execution. A POC is currently available in the wild (see the Resources link). The official emergency patch (CVE-2019-2725) was released on April 26th; affected hosts should apply it promptly.

Affected versions

Oracle WebLogic Server 10.*

Oracle WebLogic Server 12.1.3

Affected components:

bea_wls9_async_response.war

wsat.war

II. Vulnerability analysis

According to the CNVD vulnerability announcement, the vulnerability exists in the asynchronous communication service; whether the insecure component is enabled can be determined by accessing the path /_async/AsyncResponseService. Classes in the wls9_async_response.war package are affected because they use annotated methods to invoke the Weblogic classes that natively handle Web services:

To better understand the cause of the vulnerability, attach IDEA's remote debugger to the WebLogic server (because methods in the native classes must be stepped into, point IDEA at the JDK folder in the WebLogic installation directory) and set a breakpoint in the ProcessBuilder class. The key part of the call stack is as follows:

The call stack is very deep, so only a few key parts are explained. The first is the BaseWSServlet class, which inherits from HttpServlet; its service method processes the HTTP request and its response. The request packet sent over HTTP is encapsulated in var1, an instantiated object of the HttpServletRequest class:

The run() method of the inner class AuthorizedInvoke, defined in BaseWSServlet, is called to complete the permission check on the incoming HTTP object:

If the check succeeds, execution enters the process method of the SoapProcessor class, which obtains the HTTP request type by calling the getMethod() method of the HttpServletRequest object var1. If it is a POST request, processing continues:

The HTTP request is sent to the handlePost method of the SoapProcessor class:

    // Decompiled from weblogic SoapProcessor; semicolons and casing restored.
    private void handlePost(BaseWSServlet var1, HttpServletRequest var2, HttpServletResponse var3) throws IOException {
        assert var1.getPort() != null;
        WsPort var4 = var1.getPort();                                            // port of the called service
        String var5 = var4.getWsdlPort().getBinding().getBindingType();          // SOAP binding/version
        HttpServerTransport var6 = new HttpServerTransport(var2, var3);          // wraps request and response
        WsSkel var7 = (WsSkel) var4.getEndpoint();                               // parses Envelope, Header and Body

        try {
            Connection var8 = ConnectionFactory.instance().createServerConnection(var6, var5);
            var7.invoke(var8, var4);                                             // dispatches to the service method
        } catch (ConnectionException var9) {
            this.sendError(var3, var9, "Failed to create connection");
        } catch (Throwable var10) {
            this.sendError(var3, var10, "Unknown error");
        }
    }

To make the follow-up analysis easier, this article first briefly introduces the content and format of the SOAP protocol. SOAP (Simple Object Access Protocol) is used to exchange structured information on the Web. It is one of the three elements of Web Services and can be combined with many existing Internet protocols and formats. The following figure shows the standard format of a SOAP message envelope:

The instantiated object var1 of the BaseWSServlet class encapsulates SOAP messages based on the HTTP protocol:

The getPort() method defined on the var1 object is called to parse the root element Envelope of the SOAP message (an XML document can be defined as a SOAP message) and obtain the port information of the called service:

The current SOAP protocol specification version is obtained through the getWsdlPort().getBinding().getBindingType() method chain of the var4 object:

The var2 object of HttpServletRequest class and the object var3 of HttpServletResponse class are passed into the constructor of HttpServerTransport class to initialize the instance object var6 to handle the subsequent HTTP request and response.

The getEndpoint() method of the var4 object is then called to finish parsing the root element Envelope of the SOAP message and read the xmlns:soap namespace associated with it, and then to parse the SOAP Header element and the Body element, respectively:

Following the invoke() method defined in the WsSkel class, this is where the ServerDispatcher class is instantiated and its setWsPort() method is called to specify the service request address. Viewing the properties of the WsPort object var2 in the debugger shows that the underlying layer relies on a HashMap to store the Address and URI of the requested service; the service currently requested is http://:7001/_async/AsyncResponseService:

Looking at the var5 property of the ServerDispatcher object in the debugger, the methodName property holds the method name onAsyncDelivery, and the method of that name defined in the above service will be called when dispatch() is invoked:

The handleRequest() method in the WorkAreaServerHandler class processes the access request: it obtains the incoming MessageContext through the WlMessageContext object var2, calls the getHeaders() method of var2 to get the Header element of the incoming SOAP message, and finally passes that element to the WorkAreaHeader object var4. The assignment of the element content is clearly visible in the debugger:

A new WorkContextMapInterceptor object var5 is created. In its receiveRequest() method, the byte array of the var4 object is wrapped by the WorkContextXmlInputAdapter constructor, and the Content field above is passed through the internal getMap() -> receiveRequest() -> readEntry() chain to the readUTF() method of the WorkContextXmlInputAdapter class:

In the readUTF() method, the readObject() method of the private member xmlDecoder of the WorkContextXmlInputAdapter class is called to read the byte array. After a chain of parser parse() calls through the internal SAXParser class, parsing of the XML document elements is completed in the endElement() method defined by the com.sun.beans.ObjectHandler class, which yields the class name oracle.toplink.internal.sessions.UnitOfWorkChangeSet:

After the security mechanism completes the permission check on the class name, the Java reflection mechanism instantiates that class through the newInstance() method defined on the Class object:

Similarly, the Constructor class in the reflection package invokes the constructor, passing in the byte array to initialize the instance:

Once the UnitOfWorkChangeSet object has been initialized, a ByteArrayInputStream object receives the byte array passed in by the constructor, the ByteArrayInputStream object byteIn is wrapped in an ObjectInputStream object objectIn, and the readObject() method of objectIn is called directly. Since the default SDK in the WebLogic installation package is version 1.6, in the JDK version
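As a defensive illustration of the chain described above (an example added here, not code from the original report or from Oracle), the following Python snippet inspects raw HTTP requests for the two things the chain depends on: a POST to the affected /_async/ or /wsat/ paths, and a WorkContext SOAP header carrying a java.beans.XMLDecoder document. The sample requests, host name and WorkContext namespace URI are constructed placeholders.

```python
import re

# Constructed sample requests (not captured traffic); host and namespace URI are placeholders.
ENVELOPE = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
HEAD = "POST /_async/AsyncResponseService HTTP/1.1\r\nHost: wls.example:7001\r\n\r\n"
BENIGN = HEAD + ENVELOPE + "<soapenv:Header/><soapenv:Body/></soapenv:Envelope>"
SUSPICIOUS = (HEAD + ENVELOPE + '<soapenv:Header><work:WorkContext xmlns:work="urn:example:workarea">'
              '<java class="java.beans.XMLDecoder">'
              '<object class="oracle.toplink.internal.sessions.UnitOfWorkChangeSet"/></java>'
              "</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>")
OTHER = "GET /index.html HTTP/1.1\r\nHost: wls.example:7001\r\n\r\n"

AFFECTED_PATH_PREFIXES = ("/_async/", "/wsat/")   # bea_wls9_async_response.war, wsat.war
# Element names produced for a java.beans.XMLDecoder document; a normal WorkContext header has none.
XMLDECODER_MARKERS = ("<java", "<object ", "<void ", "<array ", "XMLDecoder")
WORK_CONTEXT_RE = re.compile(r"<(?:\w+:)?WorkContext\b[^>]*>(.*?)</(?:\w+:)?WorkContext>", re.S | re.I)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, path, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return method, path, body


def inspect_request(raw: str) -> dict:
    """Report which indicators a request carries and what a filter should do with it."""
    method, path, body = parse_request(raw)
    match = WORK_CONTEXT_RE.search(body)
    header_text = match.group(1).lower() if match else ""
    markers = [m for m in XMLDECODER_MARKERS if m.lower() in header_text]
    if markers:
        verdict = "block"   # content would reach WorkContextXmlInputAdapter.readUTF() and XMLDecoder
    elif method == "POST" and path.startswith(AFFECTED_PATH_PREFIXES):
        verdict = "log"     # SOAP traffic to an affected component; worth recording until patched
    else:
        verdict = "allow"
    return {"path": path, "work_context": match is not None, "markers": markers, "verdict": verdict}


if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("other", OTHER)):
        print(name, inspect_request(req))
```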
