WebLogic 12.2.1.4.0 T3反序列化JNDI注入漏洞分析<\/h1>

漏洞概述<\/h2>
本漏洞是Oracle WebLogic Server 12.2.1.4.0版本中的一个JNDI注入漏洞，通过T3协议的反序列化机制实现远程代码执行。该漏洞利用了WebLogic Coherence组件中的`com.tangosol.util.extractor.UniversalExtractor<\/code>类，绕过了之前补丁对MvelExtractor<\/code>和ReflectionExtractor<\/code>类的黑名单限制。<\/p>`

影响范围<\/h2>

Oracle WebLogic Server 12.2.1.4.0<\/li>
<\/ul>
漏洞原理<\/h2>
漏洞入口<\/h3>
漏洞利用的入口与CVE-2020-2883相同，通过java.util.PriorityQueue<\/code>的反序列化过程间接调用com.tangosol.util.ValueExtractor<\/code>接口任意实现类的extract<\/code>方法。<\/p>
绕过补丁分析<\/h3>
在CVE-2020-2883修复中，Oracle将extract<\/code>方法存在危险操作的MvelExtractor<\/code>和ReflectionExtractor<\/code>两个类加入到了黑名单。本漏洞通过寻找另一个extract<\/code>方法存在危险操作且实现了ValueExtractor<\/code>接口的类来绕过补丁，即com.tangosol.util.extractor.UniversalExtractor<\/code>。<\/p>
UniversalExtractor分析<\/h3>
UniversalExtractor<\/code>类的关键部分：<\/p>
public<\/span> class<\/span> UniversalExtractor<\/span><<\/span>T,<\/span> E><\/span> extends<\/span> AbstractExtractor<<\/span>T,<\/span> E><\/span> 
<\/span><\/span>    implements<\/span> ValueExtractor<<\/span>T,<\/span> E>,<\/span> ExternalizableLite,<\/span> PortableObject {<\/span>
<\/span><\/span>    
<\/span><\/span>    protected<\/span> String m_sName;<\/span>       \/\/ 方法名
<\/span><\/span><\/span><\/span>    protected<\/span> Object[]<\/span> m_aoParam;<\/span>   \/\/ 参数
<\/span><\/span><\/span><\/span>    private<\/span> transient<\/span> boolean<\/span> m_fMethod;<\/span>
<\/span><\/span>    private<\/span> transient<\/span> TargetReflectionDescriptor m_cacheTarget;<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

m_fMethod<\/code>和m_cacheTarget<\/code>使用transient<\/code>修饰，无法通过序列化直接控制<\/li>
extract<\/code>方法有两种执行路径，取决于m_cacheTarget<\/code>是否为null<\/li>
<\/ol>
extract方法分析<\/h3>
extract<\/code>方法的关键逻辑：<\/p>

如果m_cacheTarget<\/code>不为null，则调用targetPrev.getMethod().invoke()<\/code><\/li>
否则调用extractComplex<\/code>方法<\/li>
<\/ol>
extractComplex<\/code>方法的关键逻辑：<\/p>
protected<\/span> E extractComplex<\/span>(<\/span>T oTarget)<\/span> throws<\/span> InvocationTargetException,<\/span> IllegalAccessException {<\/span>
<\/span><\/span>    String sCName =<\/span> this<\/span>.<\/span>getCanonicalName<\/span>();<\/span>
<\/span><\/span>    boolean<\/span> fProperty =<\/span> this<\/span>.<\/span>isPropertyExtractor<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span> (<\/span>fProperty)<\/span> {<\/span>
<\/span><\/span>        \/\/ 处理属性提取
<\/span><\/span><\/span><\/span>        String sBeanAttribute =<\/span> Character.<\/span>toUpperCase<\/span>(<\/span>sCName.<\/span>charAt<\/span>(<\/span>0<\/span>))<\/span> +<\/span> sCName.<\/span>substring<\/span>(<\/span>1<\/span>);<\/span>
<\/span><\/span>        for<\/span>(<\/span>int<\/span> cchPrefix =<\/span> 0<\/span>;<\/span> cchPrefix <<\/span> BEAN_ACCESSOR_PREFIXES.<\/span>length<\/span> &&<\/span> method ==<\/span> null<\/span>;<\/span> ++<\/span>cchPrefix)<\/span> {<\/span>
<\/span><\/span>            method =<\/span> ClassHelper.<\/span>findMethod<\/span>(<\/span>clzTarget,<\/span> 
<\/span><\/span>                BEAN_ACCESSOR_PREFIXES[<\/span>cchPrefix]<\/span> +<\/span> sBeanAttribute,<\/span> clzParam,<\/span> false<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        \/\/ 处理方法调用
<\/span><\/span><\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键限制：<\/p>

只能调用get<\/code>和is<\/code>开头的无参方法<\/li>
方法名不能以()<\/code>结尾<\/li>
参数数组必须为null或空<\/li>
<\/ol>
利用链构造<\/h3>
通过分析，构造利用链的关键步骤：<\/p>


第一次调用UniversalExtractor#extract<\/code>：<\/p>

调用getDatabaseMetaData()<\/code>方法（get<\/code>开头无参方法）<\/li>
使用com.sun.rowset.JdbcRowSetImpl<\/code>类<\/li>
<\/ul>
<\/li>

JdbcRowSetImpl.getDatabaseMetaData()<\/code>会调用this.connect()<\/code><\/p>
<\/li>

connect()<\/code>方法中通过this.getDataSourceName()<\/code>进行JNDI查找<\/p>
<\/li>
<\/ol>
利用条件：<\/p>

控制JdbcRowSetImpl<\/code>的dataSource<\/code>属性（可序列化）<\/li>
目标JDK版本需低于6u211、7u201或8u191（JNDI注入限制）<\/li>
<\/ul>
漏洞证明<\/h2>
由于Weblogic在JEP290机制下做的是全局反序列化过滤，而JNDI在JDK高版本依赖于本地Class的反序列化链，因此在Weblogic中JNDI注入只能影响以下JDK版本：<\/p>

JDK6u211之前<\/li>
JDK7u201之前<\/li>
JDK8u191之前<\/li>
<\/ul>
补丁分析<\/h2>
Oracle在补丁p31537019_122140_Generic.zip中：<\/p>

将com.tangosol.util.extractor.UniversalExtractor<\/code>加入黑名单<\/li>
过滤了com.tangosol.util.extractor<\/code>包下的其他几个类<\/li>
将com.tangosol.coherence.rest.util.extractor<\/code>、com.tangosol.internal.util.invoke.lambda<\/code>等包加入黑名单<\/li>
<\/ol>
防护建议<\/h2>

及时安装Oracle官方发布的安全补丁<\/li>
升级JDK到安全版本（6u211+\/7u201+\/8u191+）<\/li>
限制T3协议的外部访问<\/li>
使用WebLogic的网络安全配置限制不必要的服务暴露<\/li>
<\/ol>
总结<\/h2>
该漏洞展示了即使在高版本WebLogic中，通过寻找新的可利用类仍然可以绕过已有的反序列化防护机制。安全研究人员需要持续关注反序列化利用链的新变种，而防御方则需要实施纵深防御策略，不仅依赖黑名单机制，还应考虑白名单控制、网络隔离等多层防护措施。<\/p>

WebLogic 12.2.1.4.0 T3反序列化JNDI注入漏洞分析<\/h1>

漏洞原理<\/h2>

漏洞入口<\/h3> 漏洞利用的入口与CVE-2020-2883相同，通过java.util.PriorityQueue<\/code>的反序列化过程间接调用com.tangosol.util.ValueExtractor<\/code>接口任意实现类的extract<\/code>方法。<\/p>

漏洞入口<\/h3>
漏洞利用的入口与CVE-2020-2883相同，通过`java.util.PriorityQueue<\/code>的反序列化过程间接调用com.tangosol.util.ValueExtractor<\/code>接口任意实现类的extract<\/code>方法。<\/p>`