Synopsis
Back in November of 2015, WebLogic was patched by Oracle to disallow deserialization of some dangerous Java objects. Oracle achieved this by blacklisting these specific packages:
- org.apache.commons.collections.functors
- com.sun.org.apache.xalan.internal.xsltc.trax
- javassist
- org.codehaus.groovy.runtime.ConvertedClosure
- org.codehaus.groovy.runtime.ConversionHandler
- org.codehaus.groovy.runtime.MethodClosure
This protected WebLogic from the original ysoserial serializable payloads such as CommonsCollections1 and Groovy1. It also protected WebLogic from later ysoserial payloads such as CommonsCollections3 (released in February 2016). However, it does not protect WebLogic from all payloads.
RMI Connect Back
On February 24, 2016, the Jenkins build server project released a security advisory. One of the vulnerabilities, SECURITY-232 aka CVE-2016-0788, indicated that an unauthenticated remote attacker could open a JRMP (Java Remote Method Protocol) listener, which allowed remote code execution. JRMP is used in conjunction with RMI (Remote Method Invocation). RMI is well suited to a deserialization attack since its communication is built around the serialization and deserialization of objects. Research into how CVE-2016-0788 works yielded two interesting finds.
The first was a full implementation of that attack in Jenkins’ unit tests. The second interesting find was that the researcher credited with CVE-2016-0788, Moritz Bechler, forked ysoserial and published a number of new/undisclosed payloads.
In the case of WebLogic, we are interested in ysoserial's JRMPListener.java payload. This serializes a RemoteObjectInvocationHandler which uses a UnicastRef object to establish a TCP connection to a remote server in order to reach that server's RMI registry. Because this connection uses JRMP, the client deserializes whatever the server responds with, achieving unauthenticated remote code execution.
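As an added illustration (not Tenable's scripts or ysoserial code), the following scan pulls class names out of a Java serialization stream and checks them against the package blacklist listed above. The sample stream is constructed here and contains only the two class descriptors the connect-back object relies on; the allowlist prefixes are an assumption for the demonstration. It shows the advisory's point: neither class matches a blacklisted prefix, while an allowlist rejects both.

```python
import re
import struct

# Package prefixes Oracle blacklisted in the November 2015 WebLogic patch (from the advisory).
WEBLOGIC_BLACKLIST = (
    "org.apache.commons.collections.functors",
    "com.sun.org.apache.xalan.internal.xsltc.trax",
    "javassist",
    "org.codehaus.groovy.runtime.ConvertedClosure",
    "org.codehaus.groovy.runtime.ConversionHandler",
    "org.codehaus.groovy.runtime.MethodClosure",
)

TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
CLASS_NAME_RE = re.compile(r"[A-Za-z0-9_.$\[;]+")


def class_names(stream: bytes) -> list:
    """Heuristic scan for TC_CLASSDESC records: 0x72, a 2-byte big-endian length,
    then the class name in modified UTF-8. Adequate for a detection pass over a
    captured t3 request; it is not a full Java serialization grammar parser."""
    names, i = [], 0
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", stream[i + 1:i + 3])
            raw = stream[i + 3:i + 3 + n]
            if n and len(raw) == n and CLASS_NAME_RE.fullmatch(raw.decode("ascii", "replace")):
                names.append(raw.decode("ascii"))
                i += 3 + n  # skip the name so its own bytes are not rescanned
                continue
        i += 1
    return names


def blacklisted(names, blacklist=WEBLOGIC_BLACKLIST):
    """Names the 2015 blacklist would have rejected."""
    return [n for n in names if n.startswith(blacklist)]


def not_allowlisted(names, allowed_prefixes):
    """Names a look-ahead allowlist (the stronger control) would reject."""
    return [n for n in names if not n.startswith(allowed_prefixes)]


def classdesc(name: str) -> bytes:
    # Constructed TC_CLASSDESC: name, dummy serialVersionUID, SC_SERIALIZABLE flag, zero fields.
    b = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(b)) + b + b"\x00" * 8 + b"\x02\x00\x00"


# Constructed sample, not a real payload: only the class descriptors the connect-back object needs.
SAMPLE_STREAM = (b"\xac\xed\x00\x05" + bytes([TC_OBJECT])
                 + classdesc("java.rmi.server.RemoteObjectInvocationHandler")
                 + bytes([TC_OBJECT]) + classdesc("sun.rmi.server.UnicastRef"))
```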
Exploiting WebLogic
To demonstrate the issue to ZDI and Oracle, Tenable created two scripts. The first, jrmp_listener.py, is a server that listens for the callback. When the connect back reaches jrmp_listener.py, it responds with a CommonsCollections3 payload, which triggers the RCE on WebLogic. The second, jrmp_connect_back.py, sends the serialized object to WebLogic via t3 on TCP port 7001 (just like the original FoxGlove attack). In order to exploit WebLogic, jrmp_listener.py must be running before jrmp_connect_back.py is executed. Because the connect back runs on its own thread, exploitation causes it to be executed multiple times (which means an attacker could deliver multiple payloads).
Solution
Oracle has released WebLogic 12.2.1.2 to address this vulnerability.
Additional References
http://www.zerodayinitiative.com/advisories/ZDI-17-055/
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]