2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Many newcomers do not know how to analyze the principle behind the CVE-2017-10271 vulnerability, so this article summarizes its cause and the available fixes. I hope it helps you work through the problem.
1 Vulnerability background
WebLogic is an application server from Oracle. Because it supports EJB, JSP, JMS, XML and other standards and offers scalability and rapid development, it is popular with system administrators. According to incomplete statistics, WebLogic holds roughly 1/3 of the global market. Precisely because of that share, every new WebLogic vulnerability causes an uproar in the industry. Towards the end of 2017 WebLogic once again delivered a big surprise: the CVE-2017-10271 vulnerability swept through government, banking and other major industries.
In fact, Oracle had released a patch for CVE-2017-3506 long before. Because that fix was a blacklist, it did not close the vulnerability completely. The specific fix code is as follows:
Because no exploit was in wide circulation at the time, the vulnerability was not exploited on a large scale. The early patch was incomplete, and remote commands could still be executed by constructing the relevant HTTP request. Oracle later released a further patch for CVE-2017-10271. The details of that patch are as follows:
2 Analysis of the vulnerability principle
CVE-2017-10271 is a remote command execution vulnerability in the WebLogic Server WLS component, triggered mainly through wls-wsat.war. The triggering URL is http://192.168.xx.xx:7001/wls-wsat/CoordinatorPortType; a POST to it whose body is a request in SOAP (XML) format leads to XMLDecoder deserialization during parsing, and that deserialization is the vulnerability.
The test XML is as follows:
When Java reads this XML it deserializes the embedded command, runs the corresponding Java code to execute calc, and the calculator opens.
The weblogic.wsee.jaxws.workcontext.WorkContextServerTube.processRequest method is as follows:
It passes localHeader1 into readHeaderOld. localHeader1 is defined as follows:
localHeader1 = localHeaderList.get(WorkAreaConstants.WORK_AREA_HEADER, true)
readHeaderOld is defined as follows; it creates a WorkContextXmlInputAdapter (weblogic/wsee/jaxws/workcontext):
The WorkContextXmlInputAdapter class is as follows. It converts between entities and XML content through XMLDecoder, so the XML is deserialized by XMLDecoder; because that XML comes straight from the request, the content Java deserializes is attacker-controllable.
Call chain:
weblogic.wsee.jaxws.workcontext.WorkContextServerTube.processRequest
weblogic.wsee.jaxws.workcontext.WorkContextTube.readHeaderOld
weblogic.wsee.workarea.WorkContextXmlInputAdapter
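The article explains that the first fix (CVE-2017-3506) was a blacklist that proved incomplete and that the later patch tightened the element-level checks on the WorkContext XML before it reaches XMLDecoder. The following added example (my own code, not Oracle's patch and not from the article) models that filtering approach in Python: both rule sets, the SOAP samples and the placeholder class names are assumptions constructed for illustration, and the broader rule set is only an approximation of the real patch.

```python
"""Element-level filtering of XMLDecoder-style WorkContext payloads.

Added example, not Oracle's code. Both rule sets are ASSUMPTIONS that model
the blacklist approach the article describes: the narrow rule stops only
<object>, the broad rule also stops the other element types XMLDecoder uses
to instantiate classes and invoke methods.
"""
import xml.etree.ElementTree as ET

# Constructed SOAP bodies; the WorkContext header is what wls-wsat hands to
# XMLDecoder. The class name is a placeholder, not a real gadget class.
SOAP_TMPL = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header><work:WorkContext '
    'xmlns:work="http://bea.com/2004/06/soap/workarea/">{}</work:WorkContext>'
    '</soapenv:Header><soapenv:Body/></soapenv:Envelope>'
)
BENIGN = SOAP_TMPL.format(
    '<java version="1.8.0" class="java.beans.XMLDecoder"><string>ctx</string>'
    '<array class="byte" length="2"><void index="0"><byte>1</byte></void></array></java>')
OBJECT_ELEM = SOAP_TMPL.format('<java><object class="com.example.Placeholder"/></java>')
VOID_ELEM = SOAP_TMPL.format(
    '<java><void class="com.example.Placeholder"><void method="run"/></void></java>')

WORKCTX = "{http://bea.com/2004/06/soap/workarea/}WorkContext"

def work_context_elements(soap_xml):
    """Yield every element nested inside the WorkContext header."""
    root = ET.fromstring(soap_xml)  # expat does not fetch external entities
    for ctx in root.iter(WORKCTX):
        for el in ctx.iter():
            if el is not ctx:
                yield el

def blocked_narrow(soap_xml):
    """Assumed first-generation rule: reject only <object> elements."""
    return any(el.tag == "object" for el in work_context_elements(soap_xml))

def blocked_broad(soap_xml):
    """Assumed broader rule: also reject instantiation/invocation elements."""
    for el in work_context_elements(soap_xml):
        if el.tag in ("object", "new", "method"):
            return True
        if el.tag == "void" and any(a != "index" for a in el.attrib):
            return True  # <void> may only address an array slot
        if el.tag == "array" and el.get("class", "byte") != "byte":
            return True  # arrays of arbitrary classes are not needed here
    return False

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("object", OBJECT_ELEM), ("void", VOID_ELEM)):
        print(f"{name:7s} narrow={blocked_narrow(doc)} broad={blocked_broad(doc)}")
```

The third sample shows the article's point: a payload built from `void` elements passes the narrow, `object`-only rule but is stopped by the broader one, which is why the later patch was needed and why deleting wls-wsat remains the safer mitigation where the component is unused.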
3 Vulnerability exploitation
There are many PoCs for CVE-2017-10271 on the Internet; here I only briefly record how it is used. Submitting the PoC via POST succeeds.
Accessing http://***.***.131.128:7001/bea_wls_internal/test.jsp? then allows command queries.
See the GitHub content for specific exploitation methods.
4 Remediation suggestions
The vulnerability still has a great impact on many industries. In Shandong Province alone, a number of government bodies and institutions have been used by attackers to implant malicious programs. The following hardening suggestions are offered:
Download the Oracle patch for CVE-2017-10271 from http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Delete the WebLogic wls-wsat component according to the actual environment path; after deleting the related files, restart WebLogic and confirm that accessing wls-wsat/ returns a 404 error.
Organizations that have already been exploited through this vulnerability can check the logs at the following location (the exact path depends on the installation):
xx:\xx\Middleware\user_projects\domains\base_domain\servers\AdminServer\logs
After reading the above, do you know how to analyze the principle of the CVE-2017-10271 vulnerability? If you want to learn more, you are welcome to follow the industry information channel. Thank you for reading!