Java Security: WebLogic CVE-2016-0638 Analysis
0x00 Preface
Continuing from the previous article's discussion of the WebLogic T3 protocol vulnerability, this article covers CVE-2016-0638, which is a bypass of the patch for CVE-2015-4852.
On the vulnerability of Weblogic T3 protocol in Java Security
0x01 environment construction
Patch environment construction
The WebLogic environment from the last article is reused, but the CVE-2015-4852 patch has to be installed so that the bypass can be tested against the fixed version.
The patch for CVE-2015-4852 is p21984589_1036_Generic. I could not find that package anywhere online, and downloading it from the official site requires a paid support contract, so I used p20780171_1036_Generic and p22248372_1036012_Generic instead; p21984589_1036_Generic is the integration of those two earlier patches.
Because the previously built environment is a docker environment, you need to upload these two patch packages to the docker image, and then install them.
Commands:
docker cp ../p20780171_1036_Generic weblogic1036jdk7u21:/p20780171_1036_Generic
docker cp ../p22248372_1036012_Generic weblogic1036jdk7u21:/p22248372_1036012_Generic
docker exec -it weblogic1036jdk7u21 /bin/bash
cd /u01/app/oracle/middleware/utils/bsu
mkdir cache_dir
vi bsu.sh    # edit the MEM_ARGS parameter to 1024
cp /p20780171_1036_Generic/* cache_dir/
./bsu.sh -install -patch_download_dir=/u01/app/oracle/middleware/utils/bsu/cache_dir/ -patchlist=EJUW -prod_dir=/u01/app/oracle/middleware/wlserver/
cp /p22248372_1036012_Generic/* cache_dir/
./bsu.sh -install -patch_download_dir=/u01/app/oracle/middleware/utils/bsu/cache_dir/ -patchlist=ZLNA -prod_dir=/u01/app/oracle/middleware/wlserver/ -verbose
Restart the Weblogic service.
/u01/app/oracle/Domains/ExampleSilentWTDomain/bin/startWebLogic.sh
Sending the CVE-2015-4852 payload now no longer creates the file as it did before, which shows that the patch has been applied and the vulnerability is fixed. Switching between the jdk7u21 and CC1 gadget chains makes no difference; neither chain succeeds.
Remote debugging
Next, the dependency jars still have to be copied out of the container for remote debugging.
mkdir wlserver1036
mkdir coherence_3.7
docker cp weblogic1036jdk7u21:/u01/app/oracle/middleware/modules ./wlserver1036
docker cp weblogic1036jdk7u21:/u01/app/oracle/middleware/wlserver/server/lib ./wlserver1036
docker cp weblogic1036jdk7u21:/u01/app/oracle/middleware/coherence_3.7/lib ./coherence_3.7/lib
Let's bypass the patch.
0x02 patch analysis
Patch location:
weblogic.rjvm.InboundMsgAbbrev.class :: ServerChannelInputStream
weblogic.rjvm.MsgAbbrevInputStream.class
weblogic.iiop.Utils.class
Before analyzing the vulnerability, let's see how the patch fixes the previous vulnerability point.
The change is in the resolveClass method: one extra check was added in front of the original code.
It checks whether the class name is null and whether its length is zero, but the key part is the ClassFilter.isBlacklisted method.
First send a CVE-2015-4852 exploit payload with a breakpoint at this location, then step into the method to see how it protects.
After stepping in, don't start with the method body: there is a static initializer block further down, and that code runs first, so look at the static block first.
It contains two conditions, each calling a method. Let's look at the implementation of these two methods.
One checks weblogic.rmi.disableblacklist and the other checks weblogic.rmi.disabledefaultblacklist; the code reads strangely, probably because it is decompiled from a class file.
If both conditions are true, execution proceeds to the next step: updateBlacklist is called with a list of blacklisted classes.
As the name suggests, updateBlacklist adds blacklist entries to a HashSet. Let's look at its implementation.
StringTokenizer constructor: constructs a string tokenizer for the specified string.
hasMoreTokens method: tests whether more tokens are available (hasMoreElements returns the same value as hasMoreTokens).
nextToken method: returns the next token from this string tokenizer.
Overall, it tokenizes a string, iterates over the tokens, and passes each one to the processToken method.
Now look at the processToken method.
If a token begins with a + sign, the remainder after the first character is added to the blacklist HashSet; if it begins with a - sign, that entry is removed; a token with neither prefix is added to the blacklist directly.
That covers the static block. In short, it is a step that adds some dangerous classes to the blacklist.
The blacklist is:
+org.apache.commons.collections.functors,+com.sun.org.apache.xalan.internal.xsltc.trax,+javassist,+org.codehaus.groovy.runtime.ConvertedClosure,+org.codehaus.groovy.runtime.ConversionHandler,+org.codehaus.groovy.runtime.MethodClosure
Back to ClassFilter.isBlacklisted, and continue tracing.
Finally, contains is called to check whether pkgName is in the blacklist; if it is, the method returns true.
Back in resolveClass, this result is true and the exception is thrown directly.
If the name is not in the blacklist, the else branch calls the parent class's resolveClass method.
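As an added example (not WebLogic's own code), here is a Python reimplementation of the blacklist semantics described above: the +/- token handling of processToken, the HashSet-backed updateBlacklist, and the package check in isBlacklisted that guards resolveClass. Assumptions: the tokenizer splits on ',', and entries that are full class names (such as ConvertedClosure) are matched on the fully qualified name as well as the package.

```python
# Added example: mirrors the patch's ClassFilter logic as the article describes it.
# The default blacklist string is the one quoted in the article.
DEFAULT_BLACKLIST = (
    "+org.apache.commons.collections.functors,"
    "+com.sun.org.apache.xalan.internal.xsltc.trax,"
    "+javassist,"
    "+org.codehaus.groovy.runtime.ConvertedClosure,"
    "+org.codehaus.groovy.runtime.ConversionHandler,"
    "+org.codehaus.groovy.runtime.MethodClosure"
)


def process_token(blacklist: set, token: str) -> None:
    """Mirror of processToken: '+name' adds, '-name' removes, bare name adds."""
    token = token.strip()
    if not token:
        return
    if token.startswith("+"):
        blacklist.add(token[1:])
    elif token.startswith("-"):
        blacklist.discard(token[1:])
    else:
        blacklist.add(token)


def update_blacklist(blacklist: set, spec: str) -> set:
    """Mirror of updateBlacklist: tokenize the spec (assumed ',' delimiter, like
    StringTokenizer) and feed every token to process_token."""
    for token in spec.split(","):
        process_token(blacklist, token)
    return blacklist


def is_blacklisted(blacklist: set, class_name: str) -> bool:
    """Mirror of isBlacklisted: derive the package name and test it with contains().
    Assumption: the fully qualified class name is tested too, since the default
    list contains whole class names such as ConvertedClosure."""
    if not class_name:
        return False
    pkg_name = class_name.rpartition(".")[0]
    return pkg_name in blacklist or class_name in blacklist


def resolve_class(blacklist: set, class_name: str) -> str:
    """The guard the patch puts in front of resolveClass: refuse blacklisted names,
    otherwise fall through to the parent's resolveClass (represented by returning)."""
    if class_name and len(class_name) > 0 and is_blacklisted(blacklist, class_name):
        raise ValueError("blacklisted class in stream: " + class_name)  # constructed message
    return class_name
```

Note that the check is keyed on the name of the class the stream is currently resolving; a class outside the listed packages, such as weblogic.jms.common.StreamMessageImpl, passes this guard.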
This is only one of the filtered points. Let's see where the other filtered points are.
The next location is MsgAbbrevInputStream.
It calls ClassFilter.isBlacklisted in the same way as the previous one, and the remaining location does likewise.
0x03 tool analysis
For CVE-2016-0638 the weblogic_cmd tool from GitHub is used.
Let's look at the tool's implementation first, and then at how it bypasses the patch.
After downloading the source code, import it into IDEA and configure the command-line parameters.
If an error is reported that the sun.tools.asm package cannot be found, add tools.jar manually. I use JDK 1.6 here; with version 1.8 the class sun.org.mozilla.javascript.internal.DefiningClassLoader cannot be found.
Set a breakpoint in the main class and run.
The preceding code is all configuration; the breakpoint chosen here lands in this method.
Step into it.
Continue into the WeblogicOperation.blindExecute method.
The server type was determined earlier; the focus is SerialDataGenerator.serialBlindData, which generates the payload. Follow it to see how the payload is built.
First step into the blindExecutePayloadTransformerChain method.
Here is a familiar face: part of the CC chain code.
Back where we left off, trace the serialData method.
Here you can see the rest of the CC chain code, assembled into a CC1 gadget chain. However, BypassPayloadSelector.selectBypass is then called to handle the object that in the native chain would have been serialized directly.
Follow that method.
There are also calls to Serializables.serialize; as before, trace the innermost method first.
It takes an obj object and an out object, serializes obj, and writes the serialized data to out.
After it returns, we are back at the previous point. As just seen, the return value is the serialized data, so the parameter passed to the streamMessageImpl method is also serialized data.
Step in to look.
Inside, a weblogic.jms.common.StreamMessageImpl instance is created and its setDataBuffer method is called with the serialized object and its length.
After this step, execution returns here.
The following method performs serialization again; here the StreamMessageImpl instance itself is serialized. This method was examined above, so it is not followed here.
And finally we arrive here.
The last method constructs the specific packets and sends the payload over the T3 protocol.
0x04 vulnerability analysis
So, to bypass the patch, we need a class whose readObject creates its own InputStream internally, rather than the ServerChannelInputStream or MsgAbbrevInputStream that apply the blacklist, and then calls readObject on it to deserialize; that yields the bypass.
Researchers found weblogic.jms.common.StreamMessageImpl#readExternal(): the readExternal method of StreamMessageImpl accepts serialized data as a parameter, and when it runs it deserializes that data and calls the readObject method of the corresponding class.
The bypass principle is as follows:
The object to be deserialized is wrapped inside a StreamMessageImpl, and the StreamMessageImpl is then serialized to produce the payload bytes. During deserialization, StreamMessageImpl is not on WebLogic's blacklist, so it deserializes normally; when the StreamMessageImpl object's readObject is invoked, the serialized object wrapped inside it is deserialized again, which escapes the blacklist check.
Another question: how does weblogic.jms.common.StreamMessageImpl#readExternal() get called? In the earlier analysis of the native readObject method, we saw that readObject calls many other methods underneath.
After WebLogic obtains the class object from the serialized class descriptor in the stream via readClassDesc, readNonProxyDesc and resolveClass, it attempts to call the class's readObject, readResolve, readExternal and similar methods in turn; here readExternal is called.
Then let's debug and analyze the vulnerability.
Again place a breakpoint at weblogic.rjvm.InboundMsgAbbrev$ServerChannelInputStream.resolveClass, send a payload with the weblogic_cmd tool, and examine the transmitted data first.
The class name obtained is weblogic.jms.common.StreamMessageImpl rather than AnnotationInvocationHandler. StreamMessageImpl is not on the blacklist, so the check here does not throw.
The next breakpoint lands in StreamMessageImpl.readExternal; step in.
The call stack shows how StreamMessageImpl.readExternal gets called.
var4 here is the data after normal deserialization; an ObjectInputStream is then constructed from var4 and its readObject method is called.
After this step the command has executed successfully. What follows is ordinary CC chain command execution, not repeated here.
Reference articles
https://xz.aliyun.com/t/8443#toc-6
https://www.anquanke.com/post/id/224343#h3-6
0x05 end
Once you have seen the pattern of the patch, analyzing the vulnerability from the patch becomes much clearer. Since the patch is nothing more than adding entries to the ClassFilter blacklist, WebLogic keeps being patched and then exploited again, rather than being fixed at the root cause.