Oracle WebLogic CVE-2018-2628 Remote Code Execution

Authors: Nsfocus Liao Xinxi    Risk: Critical

CVE: CVE-2018-2628            0day: Remote Code Execution

0day-id: 0DAY-2628             Date: 2018-04-20

Summary

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

Affected versions

Weblogic 10.3.6.0

Weblogic 12.1.3.0

Weblogic 12.2.1.2

Weblogic 12.2.1.3

Exploit

The first step is to send the PoC for testing. The address of the remote server in the PoC is the server used in the second step. The target is the T3 service on port 7001 of 192.168.3.103. The service unpacks the object structure and passes it along; as readObject proceeds step by step, it connects to port 1099 on the second server to request the maliciously wrapped code, which then pops the calculator locally.

The second step is to start ysoserial.exploit.JRMPListener on the remote server. The JRMPListener sends the payload containing the malicious code back to the requester.

Looking at the WebLogic log, you can see the following error; at this point the calculator has already been popped up:

Analysis

WebLogic has already added a blacklist against the publicly exposed PoCs. To bypass the limitations of that blacklist, you have to construct the payload yourself. Take a look at the implementation of resolveProxyClass in InboundMsgAbbrev. resolveProxyClass handles the RMI interface type, but it only checks for java.rmi.registry.Registry, so it is easy to find another RMI interface that bypasses it.

// Decompiled from WebLogic's InboundMsgAbbrev: the only proxy interface that is
// refused is java.rmi.registry.Registry; every other interface name passes through.
protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
   for (String intf : interfaces) {
      if (intf.equals("java.rmi.registry.Registry")) {
         throw new InvalidObjectException("Unauthorized proxy deserialization");
      }
   }

   // Any other interface list is handed to the default (unrestricted) resolver.
   return super.resolveProxyClass(interfaces);
}

In fact, the core part is JRMP (Java Remote Method Protocol). In this PoC, a RemoteObjectInvocationHandler is serialized. On deserialization it uses UnicastRef to open a TCP connection to the remote host to obtain the RMI registry, loads the response back, and then resolves it with readObject, so that remotely supplied code is deserialized and executed.
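The two weaknesses described above (a one-entry denylist in resolveProxyClass, and the RemoteObjectInvocationHandler/UnicastRef pair that drives the outbound JRMP lookup) can be closed on the receiving side by inverting the check. The following is an added illustration, not WebLogic's or Oracle's code: a hypothetical ObjectInputStream subclass whose proxy interfaces must be on an explicit allowlist (the interface name com.example.app.SafeCallback is a placeholder), and which refuses the two JRMP gadget classes named in the analysis outright.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical hardened stream (example code, not the vendor's fix).
 * Proxy interfaces are allowlisted instead of denylisted, so choosing a
 * different RMI interface no longer sidesteps the check.
 */
public class HardenedObjectInputStream extends ObjectInputStream {

    // Placeholder allowlist: only proxy interfaces the application really expects.
    private static final Set<String> ALLOWED_PROXY_INTERFACES =
            new HashSet<>(Arrays.asList("com.example.app.SafeCallback"));

    // Classes whose deserialization triggers the outbound JRMP connection
    // described in the analysis; refused regardless of the proxy check.
    private static final Set<String> DENIED_CLASSES = new HashSet<>(Arrays.asList(
            "java.rmi.server.RemoteObjectInvocationHandler",
            "sun.rmi.server.UnicastRef"));

    public HardenedObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces)
            throws IOException, ClassNotFoundException {
        for (String intf : interfaces) {
            // Anything not explicitly expected is rejected, whatever RMI interface it is.
            if (!ALLOWED_PROXY_INTERFACES.contains(intf)) {
                throw new InvalidObjectException("Unauthorized proxy deserialization: " + intf);
            }
        }
        return super.resolveProxyClass(interfaces);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (DENIED_CLASSES.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "Unauthorized deserialization");
        }
        return super.resolveClass(desc);
    }
}
```

The rejection happens in resolveClass/resolveProxyClass before any constructor or readObject of the incoming object runs, which is the point at which the JRMP connection would otherwise be opened.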

Timeline

2017/7/19: Vulnerability discovered

2017/11/23: Reported to Oracle

2017/11/29: Oracle accepts the report

2017/11/30: Oracle assigns bug number S0947640; the fix officially enters the mainline version

2017/11/30: Request for a company-domain e-mail address

2018/4/14: CVE assigned: CVE-2018-2628

2018/4/17: Patch released

Reference

https://github.com/jas502n/CVE-2018-2628
