Introduction
WebLogic, from Oracle, is a Java application server for developing, integrating, deploying, and managing large-scale distributed Web applications, network applications, and database applications. WebLogic was the first commercially successful Java (J2EE) application server and is still one of the leaders in the marketplace.
This is a technical analysis of how the WebLogic Remote Code Execution (CVE-2020-2551) vulnerability is exploited.
Summary
WebLogic Remote Code Execution (CVE-2020-2551) bypasses the security patch released by Oracle in Oct 2019. IIOP, which is enabled by default, exposes a Java interface for accessing remote objects. An attacker can reach this interface over IIOP without authentication, send carefully constructed data, and execute arbitrary code on the target WebLogic Server. The CVSS score is 9.8.
Analysis
Using WebLogic 10.3.6.0 as the analysis environment: when serialized data is sent to the server over the IIOP protocol, the incoming IIOP data can be seen in the parameters of weblogic.iiop.MuxableSocketIIOP.dispatch().
Next, the run() method of the weblogic.rmi.internal.wls.WLSExecuteRequest class calls handleRequest().
handleRequest() contains a runAs() call; from there, invoke() is used to reach the invoke() method of the weblogic.rmi.cluster.ClusterableServerRef class.
From that method, the invoke() method of the weblogic.corba.idl.CorbaServerRef class is called.
First, the code checks whether the link exists and throws an exception directly if it does not. It then checks whether var4.getMethod() is null; if so, it calls delegate._invoke().
Since var4 is of type bind_any, which is not among the objectMethods, execution enters delegate._invoke().
Because the value corresponding to bind_any is 0, execution then enters the case 0 branch.
Calling read_any() eventually reaches read_value_internal() in the weblogic.corba.idl.AnyImpl class, which calls read_value() to deserialize.
In weblogic.iiop.IIOPInputStream.read_value(), an instance of the class carried in the IIOP data is obtained through deserialization.
After that, weblogic.corba.utils.ValueHandlerImpl.readValueData() is called to read the content.
Through this.readObjectMethod.invoke(), execution enters the com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager class.
Its initUserTransactionAndTransactionManager() method performs a JNDI lookup, which loads the malicious class from the attacker's remote server and executes arbitrary code.
At this point the attack has succeeded.
Verification
We built a WebLogic 10.3.6.0 environment with the vulnerability, constructed malicious serialized data, and sent it to the target server through IIOP. When the target server parsed the data, it triggered execution of the malicious code, which opened the calculator app.
Impact
Affected Versions:
WebLogic Server 10.3.6.0.0
WebLogic Server 12.1.3.0.0
WebLogic Server 12.2.1.3.0
WebLogic Server 12.2.1.4.0
TimeLine
• Jan 15, 2020 Oracle released a Critical Patch Update fixing the remote code execution vulnerability CVE-2020-2551.
• Jan 15, 2020 Sangfor Far Sight Labs released an advisory alert for this vulnerability.
• Mar 13, 2020 Sangfor Far Sight Labs reproduced the vulnerability and released technical analysis and solution recommendations.
Solution
Remediation Solution
1. Oracle has released an official patch fixing this vulnerability. Please refer to https://www.oracle.com/security-alerts/cpujan2020.html
2. Exploitation of the vulnerability can be temporarily mitigated by disabling IIOP. To disable IIOP, perform the following:
• In the WebLogic console, select "Services" > "AdminServer" > "Protocol" and uncheck "Enable IIOP".
• Restart the WebLogic server to apply the configuration.
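As an added example (not part of the original advisory), the following script checks a domain's config.xml for servers that still have IIOP enabled, which is the state the mitigation above is meant to remove. It assumes the usual config.xml layout, where each <server> element may carry an <iiop-enabled> child and, when that element is absent, WebLogic's default of IIOP enabled applies; the namespace URI and the sample domain file below are assumptions constructed for this example.

```python
"""Report WebLogic servers whose config.xml leaves IIOP enabled.

Added example, not code from the advisory. Assumed config.xml layout:
<domain><server><name>..</name><iiop-enabled>..</iiop-enabled></server></domain>.
An absent <iiop-enabled> element is treated as enabled (WebLogic's default).
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample domain file (assumed layout and namespace) with three
# servers: one without the element, one disabled, one explicitly enabled.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
  </server>
  <server>
    <name>ManagedServer1</name>
    <iiop-enabled>false</iiop-enabled>
  </server>
  <server>
    <name>ManagedServer2</name>
    <iiop-enabled>true</iiop-enabled>
  </server>
</domain>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix like '{uri}server' down to 'server'."""
    return tag.rsplit("}", 1)[-1]


def iiop_status(config_xml: str) -> dict:
    """Map each server name to True (IIOP enabled) or False (disabled).

    Works on both namespaced and un-namespaced files because tags are
    compared by local name only.
    """
    root = ET.fromstring(config_xml)
    status = {}
    for elem in root.iter():
        if _local(elem.tag) != "server":
            continue
        name = None
        enabled = True  # default when <iiop-enabled> is missing
        for child in elem:
            ctag = _local(child.tag)
            text = (child.text or "").strip()
            if ctag == "name":
                name = text
            elif ctag == "iiop-enabled":
                enabled = text.lower() == "true"
        if name is not None:
            status[name] = enabled
    return status


def servers_with_iiop(config_xml: str) -> list:
    """Sorted names of servers on which IIOP is still reachable."""
    return sorted(n for n, on in iiop_status(config_xml).items() if on)


if __name__ == "__main__":
    # Usage: python check_iiop.py /path/to/domain/config/config.xml
    # Without an argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_CONFIG
    for server in servers_with_iiop(xml_text):
        print(f"IIOP enabled on server: {server}")
```

Run it against each domain's config/config.xml after the console change and restart; an empty result means every server now has <iiop-enabled>false</iiop-enabled>. Note that a server listed only because the element is absent has never had the setting changed, which is the default state the vulnerability relies on.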
Sangfor Products Mitigation Solution
• For Sangfor NGAF customers, make sure that the NGAF security protection rules are up to date.
• Sangfor Cloud WAF updates its threat database automatically and immediately, so users are protected from new high-risk vulnerabilities.
• Sangfor Cyber Command is capable of detecting attacks exploiting this vulnerability and alerting users. Users can correlate Cyber Command with Sangfor NGAF to block the attacker's IP address.
• Sangfor SOC has Sangfor security consultants available 24x7 to help you with any security issues. Sangfor's security experts scan customer network environments regularly to ensure that the customer's servers are free from this vulnerability. For users affected by this vulnerability, our team will review and update device policies to ensure protection against it.