
How to analyze CVE-2018-2894 vulnerabilities

2025-01-26 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through an analysis of CVE-2018-2894: the background, the affected versions, how the environment is built, the trigger conditions, the root cause and the suggested fixes.

I. Vulnerability background

CNCERT found a remote upload vulnerability in WebLogic, Oracle's Java EE-based middleware product. Oracle then officially released a Critical Patch Update (CPU) that fixes CVE-2018-2894, a high-risk vulnerability that allows remote file upload: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html.

II. Vulnerability summary

Who should read this: Oracle WebLogic Server developers and users
Impact: The unauthenticated pages of the WebLogic management end have an arbitrary file upload (getshell) vulnerability, which can be used to obtain permissions directly.
Hazard score: 9.8
Recommendation: Upgrade to the latest official version.
Affected software: Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
CVE identifier: CVE-2018-2894

III. Build environment

Install a WebLogic version within the affected range: 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3.

Start the server and access http://localhost:7001/ws_utc/config.do

Modify the current working directory (Work Home Dir) to: C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\com.oracle.webservices.wls.ws-testclient-app-wls_12.1.3\cmprq0\war

After selecting the Security option in the left menu bar, click Add Keystore Settings.

After entering the Keystore name, select the File upload button to add any file. The name can be replaced by a space.

The upload path can be obtained by capturing the request: http://localhost:7001/ws_utc/resources/setting/keystore?timestamp=1535682238190. The uploaded file is stored in the format timestamp_filename. Here, I rename the file and modify the upload directory.

Capture the response and check the actual directory to confirm that the file has been uploaded successfully.

Test the uploaded file jfolder.jsp.

IV. Trigger conditions

1. You need to know the web directory where the application is deployed.

2. ws_utc/config.do does not require authentication in development mode, but requires authentication in production mode. For details, see Oracle® Fusion Middleware Administering Web Services.

V. Vulnerability analysis

Analysis of the function that changes the working directory shows that it applies no restrictions.

The path to be written to is obtained from getKeyStorePath().

The selected file is uploaded to the storePath directory and named fileNamePrefix + "_" + attachName. That is, the file name is the value of the timestamp parameter carried on the URL of the POST request, an underscore, and the name of the uploaded file. No filtering or checking is applied to either part.

VI. Remediation suggestions

1. Require login authorization before the config.do and begin.do pages can be accessed.

2. Defense products such as IPS can add corresponding signatures.

3. Upgrade to the latest official version.
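
One way to turn the request pattern analysed above into an access-log check, as an added example (not code from the original article or from Oracle): it flags served ws_utc config pages, keystore upload POSTs, and later requests for a script whose name starts with a previously uploaded timestamp prefix. The log lines, rule names and the /ws_utc/example-dir/ path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed common-log-format lines; not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Aug/2018:10:23:50 +0800] "GET /ws_utc/config.do HTTP/1.1" 200 5120
10.0.0.5 - - [31/Aug/2018:10:23:58 +0800] "POST /ws_utc/resources/setting/keystore?timestamp=1535682238190 HTTP/1.1" 200 310
10.0.0.5 - - [31/Aug/2018:10:24:10 +0800] "GET /ws_utc/example-dir/1535682238190_jfolder.jsp HTTP/1.1" 200 2048
10.0.0.9 - - [31/Aug/2018:10:25:00 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 900
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
SENSITIVE = ("/ws_utc/config.do", "/ws_utc/begin.do")  # pages named in the fix list
UPLOAD = "/ws_utc/resources/setting/keystore"          # upload endpoint from the article
SCRIPT_EXT = (".jsp", ".jspx")

def scan(log_text):
    """Return (rule, client, detail) findings in log order."""
    findings, prefixes = [], set()
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, method, target, status = m.groups()
        url = urlsplit(target)
        if url.path in SENSITIVE and status == "200":
            # The page was served; in production mode this should require a login.
            findings.append(("config-page-served", client, url.path))
        elif method == "POST" and url.path == UPLOAD:
            ts = parse_qs(url.query).get("timestamp", [""])[0]
            if ts:
                prefixes.add(ts)  # becomes fileNamePrefix of the stored file
            rule = "keystore-upload" if ts.isdigit() else "keystore-upload-odd-timestamp"
            findings.append((rule, client, ts))
        else:
            # Stored name is fileNamePrefix + "_" + attachName: match on the prefix.
            name = url.path.rsplit("/", 1)[-1]
            prefix, sep, rest = name.partition("_")
            if sep and prefix in prefixes and rest.lower().endswith(SCRIPT_EXT):
                findings.append(("uploaded-script-requested", client, name))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The correlation only sees uploads and requests that appear in the same log text, so rotate-spanning activity needs the files concatenated before scanning.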
