2025-01-16 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
This article explains in detail how to analyze the WebLogic EJBTaglibDescriptor XXE vulnerability. The content is of high quality, so the editor shares it here for reference; I hope you will have a certain understanding of the relevant knowledge after reading it.
This vulnerability is similar to several XXE vulnerabilities previously submitted by @Matthias Kaiser, but EJBTaglibDescriptor appears to be the one that was missed; the previous XXE analysis can be consulted for background. @Badcode and I decompiled all of WebLogic's jar packages and searched for the characteristics of the earlier XXE vulnerabilities, which matched this EJBTaglibDescriptor class: it also parses XML when it is deserialized.
Environment
Windows 10
WebLogic 10.3.6.0.190716 (July 19 patch installed)
Jdk160_29 (JDK that comes with WebLogic)
Vulnerability analysis
The class `weblogic.jar!/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class` implements the `java.io.Externalizable` interface.
Therefore the `writeExternal` and `readExternal` methods it overrides are invoked automatically during serialization and deserialization.
Look at the logic of `writeExternal` and `readExternal`.
In `readExternal`, `ObjectInput.readUTF` reads a String from the serialized data, which is then passed to the `load` method.
In the `load` method, `DocumentBuilder.parse` is used to parse the XML passed in through deserialization, so there may be an XXE vulnerability here.
In `writeExternal`, the object's own `toString` method is called, which in turn calls its own `toXML` method.
The role of `toXML` is to convert `this.beans` into the corresponding XML. Constructing the payload through that path seems a bit troublesome, but since the serialized data is controlled by the attacker, we can directly modify the logic of `writeExternal` to generate malicious serialized data:
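As an added example (not code from the article or from WebLogic), the same Externalizable pattern with the XML parser hardened so that a string read in `readExternal` cannot be used to resolve external entities or fetch a DTD; `SafeDescriptor`, `hardenedBuilder` and `load` are hypothetical names, and the XML inputs in `main` are constructed samples.

```java
import java.io.ByteArrayInputStream;
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectOutput;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical class modelled on the pattern described above: readExternal
// reads a UTF string from the stream and hands it to an XML parser.
public class SafeDescriptor implements Externalizable {
    private String xml = "";
    public SafeDescriptor() {} // Externalizable requires a public no-arg constructor
    // Parser with DOCTYPE processing and external entity resolution disabled.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }
    // Parses untrusted XML; a DOCTYPE (and so any external entity) is refused.
    static Document load(String untrustedXml) throws IOException {
        try {
            return hardenedBuilder().parse(new ByteArrayInputStream(untrustedXml.getBytes("UTF-8")));
        } catch (ParserConfigurationException e) {
            throw new IOException("parser misconfigured", e);
        } catch (SAXException e) {
            throw new IOException("rejected descriptor XML: " + e.getMessage(), e);
        }
    }
    public void writeExternal(ObjectOutput out) throws IOException { out.writeUTF(xml); }
    public void readExternal(ObjectInput in) throws IOException {
        xml = in.readUTF(); // attacker-controlled string from the serialized stream
        load(xml);          // fails closed instead of resolving entities
    }
    public static void main(String[] args) throws IOException {
        // Constructed samples: plain XML parses, a DOCTYPE declaration is refused.
        System.out.println(load("<taglib/>").getDocumentElement().getTagName());
        try { load("<!DOCTYPE t [<!ENTITY e \"x\">]><t>&e;</t>"); }
        catch (IOException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

The feature URIs are the Xerces ones honoured by the JDK's built-in parser; on a deployment that swaps in another JAXP implementation, confirm each `setFeature` call is accepted rather than silently ignored.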
Vulnerability reproduction
Rewrite the `writeExternal` method of EJBTaglibDescriptor to generate the payload.
Send the payload to the server.
Our HTTP server and FTP server received the request for my.dtd and the contents of win.ini.
The error message can be seen on a server with the latest July patch installed.
That concludes the analysis of the WebLogic EJBTaglibDescriptor XXE vulnerability; I hope the above content is of some help and that you can learn more from it. If you think the article is good, share it for more people to see.