Shulou(Shulou.com)05/31 Report--

This article is about how to pick up the missing weblogic and give feedback to the weblogic patch. The editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article.

Let's share with you how to pick up weblogic and how to give feedback to weblogic patches.

Now that we're talking about digging weblogic. The weblogic frame is so large that a brother who comes into contact with him for the first time may not know where to start digging. We can analyze historical loopholes from patches. There are still many types of vulnerabilities that have not been covered. No offense for this situation, this is only a basic explanation.

1. Weblogic Patch Analysis Guide 1.1 Opatch

After you have dug a loophole, it is best to install the latest patch of weblogic to verify that your exp works under the latest patch. Weblogic uses Opatch to manage patches. In some patches, the patch pack requires a minimum version of Opatch, so we need to upgrade the Opatch patch number [28186730: OPATCH 13.9.4.2.4 FOR FMW/WLS 12.2.1.3.0, 12.2.1.4.0 AND 14.1.1.0.0] to solve this problem.

Https://support.oracle.com/epmos/faces/PatchHome?_adf.ctrl-state=1cdjuh74ay_4&_afrLoop=92240149765348#

After downloading, extract to any folder Windows and execute the following command java-jar opatch_generic.jar-J-Doracle.installer.oh_admin_acl=true-silent oracle_home=

Other systems execute the following command java-jar / 6880880/opatch_generic.jar-silent oracle_home=

If you don't understand, look at the Readme in the compressed package.

1.2 Opatch patches

After downloading the patch, unzip it to any folder to find the Opatch folder in the Oracle_home installation directory, and perform the upgrade operation to extract the Opatch apply patch folder (note that it is the innermost folder

1.3 download the patch

All we care about is the security patch. Here's how to download the patch and log on to the Oracle support website. Find the Patchs&Updates section and click on it.

For the query conditions, you can construct the REC patch according to your needs, and it is marked as security, and the Generic Platform platform is the patch.

Note that oracle releases security patches four times a year, and security patches can be made across versions, that is, old patches are also integrated into new patches.

1.4 weblogic patch analysis method

The patches in weblogic are actually compiled class files. If we directly use idea to open the patch folder, we can analyze the patches using idea's decompilation function.

In the patch, each class file corresponds to a class file in the actual directory of weblogic. With a patch, you can think of forcibly replacing the class file in the relevant jar package in weblogic.

Let's talk about the main points of the analysis. For this kind of security patch, only the security issues about weblogic itself will be reflected here, and the security vulnerabilities of general third-party packages will not be included in this patch.

1.4.1 weblogic blacklist

Look directly at the WeblogicFilterConfig.class file under the folder files\ oracle.wls.jrf.tenancy.common.sharedlib\ 12.2.1.4.0\ wls.common.symbol\ modules\ com.bea.core.utils.jar\ weblogic\ utils\ io

Because of the vulnerabilities of weblogic, most of them are java deserialization vulnerabilities of T3 protocol and IIOP protocol. The easiest way for weblogic to fix this vulnerability is to set up a deserialization blacklist and add a blacklist. If the class encountered during deserialization exists in the blacklist, the deserialization process is aborted.

All we need is a list of diff blacklists and we can study and construct poc ourselves. Sometimes it's not necessarily rce, it could be something else.

1.4.2 other deserialization classes

If the class that triggers deserialization may be needed in normal business, or cannot be shielded for other reasons, the fix for weblogic is to modify the relevant class directly.

If a class privately calls ObjectInputStream in the readObject method to perform the deserialization operation instead of using the FilterInputStream provided by weblogic to perform the deserialization operation, this will invalidate the blacklist of weblogic. This is the deserialization vulnerability in deserialization, which is quite common in weblogic. (not limited to T3 protocol

For example, SOAPInvokeStat

In our diff, we can clearly see that the patch for weblogic changes ObjectInputStream to FilterInputStream. In weblogic, only FilterInputStream checks for blacklisted classes in the deserialization process.

Then, we can construct a class based on the parameters in this class.

In idea, the easiest way to overwrite a class is to create a class in your project that has the same class name as the overwritten class package, and then modify the code you want to modify. For example, in this deserialization, I want to modify the writeExternal method. Directly and forcibly replaced with the gadget of cve-2020-2555.

1.4.3 T3 deserialization XXE

In general, this kind of vulnerability is in the class inherited from Exterinalizable, when customizing the sequence process, some fields of the class are stored as XML in the deserialized information. When deserialization, the relevant string in the serialization information is read and parsed as XML. XXE attacks are not taken into account in the parsing process. The cve I missed this time is this type of loophole.

In the weblogic.wsee.security.wssc.sct.SCCredential#readExternal method

This.appliesTo is a deserialized string, and if it begins, DOMUtils.toXMLNode is called to parse. In fact, it is parsed as xml, and there is no filtering.

Poc is as follows

two。 Submit vulnerabilities to oracle

I looked it up online and didn't seem to have much explanation. I happen to be here to share my submission process.

This xxe cve-2020-2211 loophole is a hole I dug one night last December due to insomnia. Don't make a fuss, it's just a simple xxe. Then write an email to oracle. The mailbox for the oracle submission vulnerability is secalert_us@oracle.com.

In the subject of your email, indicate the type of hole you dug this time. The e-mail should be written in English, anyway, don't say anything polite, and foreigners can't understand it. Come straight to the point and analyze the loophole directly, throw him a poc, and take a few pictures.

! [] (https://potatso-1253210846.cos.ap-beijing.myqcloud.com/20210421131555.png

Usually wait two or three days or so, oracle will reply to your email, confirming the vulnerability and assigning an internal number. Then reply to your email telling you not to reveal this loophole to anyone.

Then just wait for the cve number. I waited for this loophole for nearly half a year before sending the cve number. Usually send an email two or three days before the oracle patch to tell you your cve number, impact and other information.

At this point, you get a cve number.

The above is how to pick up the weblogic and feed back to the weblogic patch. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.