Shulou (Shulou.com), 05/31 Report. 2025-01-16 update, from SLTechnology News&Howtos, Network Security.
This article is an example analysis of the WebSphere remote code execution vulnerability CVE-2020-4450. Many readers without prior exposure to this class of bug do not know where to start, so this paper summarizes the root cause of the problem and the available fixes; after reading it you should be able to assess and remediate the issue.
1. Vulnerability Analysis
1.1 Introduction to WebSphere components
WebSphere is IBM's software platform. It covers writing, running and monitoring round-the-clock, industrial-strength, on-demand Web applications, together with the whole middleware infrastructure (servers, services and tools) needed for cross-platform, cross-product solutions. WebSphere Application Server is the foundation of the platform; all other products run on top of it. Building on WebSphere Application Server and WebSphere Enterprise Service Bus, WebSphere Process Server provides the foundation for service-oriented architecture (SOA) modular applications and supports applying business rules to drive applications that back business processes.
1.2 Vulnerability description
On June 15, 2020, IBM officially released a patch for CVE-2020-4450. The vulnerability exists because IBM WebSphere Application Server allows a remote attacker to send specially crafted serialized data over the IIOP protocol and thereby execute arbitrary code on the system.
1.3 Detailed analysis
First, let us lay out the exploitation flow. The trigger entry point of the vulnerability is the com.ibm.ws.Transaction.JTS.TxServerInterceptor#receive_request method.
Both serviceContext and serviceContext.context_data must be non-null so that
boolean validOtsContext = serviceContext != null && serviceContext.context_data != null;
evaluates to true and execution enters the if block shown in the following figure.
Inside that block, TxInterceptorHelper.demarshalContext(serviceContext.context_data, (ORB) ((LocalObject) sri)._orb()) is executed.
demarshalContext first calls createCDRInputStream to create an EncoderInputStream (a subclass of CDRInputStream), then creates a PropagationContext object and reads the properties from the data stream into that context. The line of interest is
propContext.implementation_specific_data = inputStream.read_any();
This statement calls EncoderInputStream#read_any, which in turn calls CDRReader#read_any, and that is where the attacker-supplied data is deserialized.
Following the Zero Day Initiative and iswin write-ups, CVE-2020-4450 uses the WSIFPort_EJB class to build the gadget chain. The com.ibm.rmi.iiop.Connection#setConnectionContexts method is obtained through reflection and the constructed ServiceContext is added, which satisfies the preconditions of the flow above by populating serviceContext and serviceContext.context_data.
The crafted context_data is what gets triggered when demarshalContext parses it; the way it is built mirrors the marshalContext method, which performs the serialization in the normal direction. Simulating that serialization process places the crafted data into the result.
To understand the WSIFPort_EJB class used by the gadget chain, first follow its readObject method.
readObject is called during WSIFPort_EJB deserialization and executes
this.fieldEjbObject = handle.getEJBObject();
A malicious fieldEjbObject can therefore be constructed here in preparation for the subsequent JNDI injection.
Continuing along the code, the getEJBObject() method of the Handle interface is implemented in the com.ibm.ejs.container.EntityHandle class. Following com.ibm.ejs.container.EntityHandle#getEJBObject() reveals a lookup() call, i.e. a JNDI name resolution.
The JNDI lookup call chain is as follows:
com.sun.jndi.rmi.registry.RegistryContext#lookup
-> com.sun.jndi.rmi.registry.RegistryContext#decodeObject
-> javax.naming.spi.NamingManager#getObjectInstance
-> org.apache.aries.jndi.OSGiObjectFactoryBuilder#getObjectInstance
-> org.apache.aries.jndi.ObjectFactoryHelper#getObjectInstance
-> org.apache.aries.jndi.ObjectFactoryHelper#getObjectInstanceViaContextDotObjectFactories
The method to focus on is getObjectInstanceViaContextDotObjectFactories, from which the getObjectInstance of an arbitrary ObjectFactory class can be invoked. The analysis below follows the WSIFServiceObjectFactory named by the Zero Day Initiative.
The factory reads and parses the field data from the XML file served by the remote malicious RMI service and assigns the values to the attributes shown in the figure above.
Once homeClass has been obtained, the findFindByPrimaryKey() method is called.
From this method the constraints on the supplied homeClass can be read off: it must implement the findByPrimaryKey method, and because it is resolved via lookup, the homeClass class must also extend the EJBHome interface.
The com.ibm.ws.batch.CounterHome interface mentioned by iswin satisfies these constraints and is used here.
When this.object = (EJBObject) fbpk.invoke(home, this.key); is executed, the WSIFClientProxy#invoke method is called to perform a remote method call, which completes the exploitation.
1.4 Reproduction
Build a WebSphere Application Server 9.0.0.2 environment, construct the malicious deserialization data and send it to the target server over IIOP. When the target server parses the deserialized data, code execution is triggered. The result is shown below:
2. Affected versions: the WebSphere versions currently known to be affected are:
WebSphere Application Server 9.0.0.0-9.0.5.4
WebSphere Application Server 8.5.0.0-8.5.5.17
3. Remediation
Official patches have been released for this vulnerability. Affected users should fix it in one of the following ways:
WebSphere Application Server 9.0: install security patch PH25074, or upgrade to version 9.0.5.5 or later.
WebSphere Application Server 8.5: install security patch PH25074, or upgrade to version 8.5.5.18 or later.
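The affected ranges and the fix options above reduce to a simple triage rule per installation. The script below is an added example (not from the original article or from IBM) that encodes exactly those ranges and checks an inventory of installations against them; the host names, version strings and installed-fix lists in SAMPLE_INVENTORY are constructed sample data, and the inventory format itself is an assumption (in practice the version would come from the output of the versionInfo tool on each server). It treats a version as affected only when it lies inside one of the two listed ranges and PH25074 is not recorded as installed.

```python
"""Triage helper for CVE-2020-4450: is a WebSphere Application Server
installation inside the advisory's affected ranges and still unpatched?

Added example, not part of the original article. Ranges and fix names are
the ones stated in the advisory; all host data below is constructed.
"""
from __future__ import annotations

# Affected ranges exactly as listed in the advisory (inclusive at both ends).
AFFECTED_RANGES: dict[str, tuple[str, str]] = {
    "9.0": ("9.0.0.0", "9.0.5.4"),
    "8.5": ("8.5.0.0", "8.5.5.17"),
}
# First fix pack that closes the hole on each branch, plus the interim fix.
FIXED_IN: dict[str, str] = {"9.0": "9.0.5.5", "8.5": "8.5.5.18"}
INTERIM_FIX = "PH25074"


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn 'a.b.c.d' into a comparable 4-tuple; shorter strings are zero-padded."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric WebSphere version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def assess(version: str, applied_fixes: frozenset[str] = frozenset()) -> dict:
    """Classify one installation; applied_fixes holds installed interim fix ids."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    result: dict = {"version": version, "branch": branch,
                    "vulnerable": False, "action": None}
    if branch not in AFFECTED_RANGES:
        result["reason"] = "branch is not in the ranges listed by this advisory"
        return result
    low, high = (parse_version(b) for b in AFFECTED_RANGES[branch])
    if not (low <= v <= high):
        result["reason"] = f"outside affected range {AFFECTED_RANGES[branch]}"
        return result
    if INTERIM_FIX in applied_fixes:
        result["reason"] = f"in affected range but {INTERIM_FIX} is installed"
        return result
    result["vulnerable"] = True
    result["reason"] = f"inside affected range {AFFECTED_RANGES[branch]} without {INTERIM_FIX}"
    result["action"] = f"apply {INTERIM_FIX} or upgrade to {FIXED_IN[branch]} or later"
    return result


# Constructed sample inventory: host names, versions and fix lists are made up.
SAMPLE_INVENTORY: list[dict] = [
    {"host": "was-prod-01", "version": "9.0.5.4", "fixes": []},
    {"host": "was-prod-02", "version": "9.0.5.5", "fixes": []},
    {"host": "was-legacy-01", "version": "8.5.5.17", "fixes": ["PH25074"]},
    {"host": "was-legacy-02", "version": "8.5.5.12", "fixes": []},
    {"host": "was-old-01", "version": "7.0.0.45", "fixes": []},
]


def triage(inventory: list[dict]) -> list[str]:
    """Return the hosts that still need PH25074 or an upgrade, in inventory order."""
    return [
        item["host"]
        for item in inventory
        if assess(item["version"], frozenset(item["fixes"]))["vulnerable"]
    ]


if __name__ == "__main__":
    for item in SAMPLE_INVENTORY:
        r = assess(item["version"], frozenset(item["fixes"]))
        print(f'{item["host"]:14} {item["version"]:9} vulnerable={r["vulnerable"]}  {r["reason"]}')
    print("needs action:", triage(SAMPLE_INVENTORY))
```

Versions on a branch the advisory does not list (7.0 in the sample) are reported as not in range rather than as safe, since this article makes no statement about them; the boundaries 9.0.5.4/9.0.5.5 and 8.5.5.17/8.5.5.18 are the ones worth spot-checking whenever the range table is edited.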
4. Timeline
2020/6/15: IBM officially assigns CVE-2020-4450 and releases patch PH25074
2020/7/21: Zero Day Initiative publishes the vulnerability details
2020/8/17: Sangfor Qianlimu Security Lab analyzes and reproduces the vulnerability and releases its product solution
5. Reference links
https://i.blackhat.com/eu-19/Wednesday/eu-19-An-Far-Sides-Of-Java-Remote-Protocols.pdf
https://www.thezdi.com/blog/2020/7/20/abusing-java-remote-protocols-in-ibm-websphere
https://www.iswin.org/2020/08/04/WebSphere-CVE-2020-4450-Vul-Analysis/