Details on the Oracle WebLogic Vulnerability Being Exploited in the Wild

May 11, 2020 | Guest User

Earlier this year, I blogged about a deserialization vulnerability in the Oracle WebLogic Server. This was patched by Oracle and assigned CVE-2020-2555. However, researcher Quynh Le of VNPT ISC submitted a bug to the ZDI that showed how the patch could be bypassed. This bug, labeled CVE-2020-2883, is now being reported by Oracle as being used in active attacks. In this blog post, we will go through the details of this recently-patched vulnerability.

Patch Bypass

The original patch for CVE-2020-2555 did not address the lower portion of the following gadget chain:

Any way to invoke ChainedExtractor.extract() on attacker-supplied data still results in remote code execution. The report from Quynh Le shows that it is still possible to reach ChainedExtractor.extract() via the ExtractorComparator and AbstractExtractor classes. Let’s start by looking at the compare() method of ExtractorComparator:

As shown above, it is still possible to invoke ChainedExtractor.extract() by setting this.m_extractor to an instance of ChainedExtractor.

Similarly, the compare() method of the AbstractExtractor abstract class could also be used.

The MultiExtractor class extends AbstractExtractor and can be used to reach ChainedExtractor.extract():

The Full Gadget Chain

In order to develop a full gadget chain, we need a way to call the compare() method of an arbitrary Comparator from readObject(). The publicly documented way to do this is the PriorityQueue class, as used by the following ysoserial gadgets: BeanShell1, Jython1, CommonsCollections2, CommonsBeanutils1, CommonsCollections4 and Groovy1:

PriorityQueue.readObject() rebuilds the heap by calling heapify(), which sifts each parent element down via siftDown(); when a comparator is set, this goes through siftDownUsingComparator(), which invokes the compare() method of that arbitrary Comparator:
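To make the trigger concrete, here is an added, self-contained example (my code, not the original post's, ysoserial's or Oracle's). A harmless canary Comparator stands in for ExtractorComparator: the demo shows compare() firing from inside ObjectInputStream.readObject(), before any application code touches the object, and then shows the same bytes being rejected by a JEP 290 ObjectInputFilter allow-list before compare() can run. It assumes JDK 9 or later (java.io.ObjectInputFilter); the class PriorityQueueTrigger, CanaryComparator and its counters are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Comparator;
import java.util.PriorityQueue;

/**
 * Added example (not code from the original post). A harmless "canary" Comparator stands in
 * for ExtractorComparator / MultiExtractor. Deserializing a PriorityQueue that carries it shows
 * compare() being invoked from inside ObjectInputStream.readObject(); a JEP 290 ObjectInputFilter
 * then shows the same payload being rejected before compare() is reached.
 * Requires JDK 9+ for java.io.ObjectInputFilter. Build/run: javac PriorityQueueTrigger.java && java PriorityQueueTrigger
 */
public class PriorityQueueTrigger {

    /** Stand-in for the attacker-supplied Comparator; it only records that it was called. */
    static class CanaryComparator implements Comparator<Object>, Serializable {
        private static final long serialVersionUID = 1L;
        // static so the deserialized copy reports into the same counters as the original
        static int calls = 0;
        static boolean calledFromReadObject = false;

        @Override
        public int compare(Object a, Object b) {
            calls++;
            // Walk the stack: is ObjectInputStream.readObject() above us?
            for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
                if ("java.io.ObjectInputStream".equals(frame.getClassName())
                        && "readObject".equals(frame.getMethodName())) {
                    calledFromReadObject = true;
                }
            }
            return 0; // a real gadget would call extract(a) here; returning 0 ends the sift
        }
    }

    /** Serialize a two-element PriorityQueue whose comparator is the canary. */
    static byte[] buildPayload() throws Exception {
        PriorityQueue<Object> queue = new PriorityQueue<>(2, new CanaryComparator());
        // add() also calls compare() (via siftUp) once a second element arrives, which is why
        // ysoserial fills the backing array reflectively instead. The canary is harmless, so we
        // add() normally and reset the counters afterwards. Two elements are needed because
        // heapify() only performs a sift when size >= 2.
        queue.add(1);
        queue.add(2);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(queue);
        }
        return bos.toByteArray();
    }

    /** Deserialize with an optional JEP 290 filter; null means unfiltered (the vulnerable shape). */
    static Object deserialize(byte[] bytes, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filter != null) {
                in.setObjectInputFilter(filter);
            }
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = buildPayload();

        // 1. Unfiltered: compare() fires inside readObject(), before any application code runs.
        CanaryComparator.calls = 0;
        CanaryComparator.calledFromReadObject = false;
        deserialize(payload, null);
        System.out.println("unfiltered: compare() calls during readObject() = " + CanaryComparator.calls
                + ", called from ObjectInputStream.readObject() = " + CanaryComparator.calledFromReadObject);

        // 2. Filtered: allow-list only what this stream legitimately needs; everything else is rejected.
        //    The comparator's class is checked while PriorityQueue's fields are being read, so the
        //    InvalidClassException is thrown before heapify() and compare() are ever reached.
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "java.util.PriorityQueue;java.lang.*;!*");
        CanaryComparator.calls = 0;
        try {
            deserialize(payload, allowList);
            System.out.println("filtered: unexpectedly deserialized");
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + "), compare() calls = "
                    + CanaryComparator.calls);
        }
    }
}
```

The hardened half is the check a practitioner wants around any ObjectInputStream they own; the same pattern can be applied process-wide through the jdk.serialFilter system property without code changes. Because it is an allow-list, it holds regardless of which entry point reaches compare(), whereas a deny-list of known gadget classes has to be extended every time a new entry point such as ExtractorComparator is found.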

There are also other methods of accomplishing this. For example, the following method was used by the submitter:

In short, the toString() method of the Mutations class can result in a call to ConcurrentSkipListMap.size():

From ConcurrentSkipListMap.size(), it is possible to invoke the compare() method of an arbitrary Comparator.

Demonstrating the Gadget Chains

By using the above methods, the following full gadget chain was constructed for the ExtractorComparator case:

The following video demonstrates this gadget chain being used to gain RCE via the T3 protocol.

And for the AbstractExtractor example, the following chain was used:

The following video demonstrates this gadget chain being used to gain RCE via the T3 protocol:

Exploiting These Vulnerabilities over HTTP

It should be noted that this vulnerability lies in the Coherence library, not in WebLogic itself. Any application that has the Coherence library on its classpath and exposes a path to Java deserialization is likewise vulnerable. One example is Oracle Business Intelligence, which is deployed on Oracle WebLogic.

It is possible to use these gadget chains against CVE-2020-2950/ZDI-20-505, which was reported to the ZDI by a researcher named GreenDog, to achieve remote code execution via HTTP.

This vulnerability resides in BIRemotingServlet, which listens on TCP port 7780 and does not require any authentication:

BIRemotingServlet uses AMF (Action Message Format) to communicate with a client.

As shown, when the AMF packet is deserialized, arbitrary objects may be reconstructed in AMF3ObjectInput via a call to readComplexObject().

In this example, a UnicastRef object is reconstructed. Deserializing it causes the application to connect back to the endpoint embedded in the reference and issue a distributed garbage collector (DGC) call over JRMP to that remote object, so an attacker-controlled listener at that endpoint gets to respond with an arbitrary serialized object. Responding with one of the gadget chains described above results in RCE.

For more details on exploiting Java deserialization in Java AMF implementations, refer to this post from Code White. The gadget chains were added to ysoserial, and its JRMP listener was used to exploit this vulnerability. The following video demonstrates this in action:

Conclusion

For further details regarding Java deserialization vulnerabilities, refer to this white paper from Moritz Bechler. Oracle’s blog does not state how widespread the attacks are, but their guidance is clear: patch now. They also offer guidance on restricting T3/T3S protocol traffic to Oracle WebLogic Server. The next Oracle Critical Patch Update is scheduled for July 14, 2020. We’ll see how many deserialization bugs remain after that update.
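One concrete shape of that T3 restriction, added here as an example rather than taken from the original post or from Oracle's guidance text: a WebLogic connection filter (weblogic.security.net.ConnectionFilterImpl, set under Domain > Security > Filter in the Admin Console) with the rules below. The address 10.0.0.5 is a hypothetical management host that still legitimately needs T3 (WLST, admin-to-managed-server traffic); substitute your own.

```text
# Connection Filter Rules for weblogic.security.net.ConnectionFilterImpl
# Format: target localAddress localPort action protocols
# Rules are evaluated top to bottom and the first match wins, so put the
# specific allow rule for hosts that need T3 before the catch-all deny.
10.0.0.5 * * allow t3 t3s
0.0.0.0/0 * * deny t3 t3s
```

Two caveats a practitioner should keep in mind. First, this only narrows the T3/T3S vector; it does nothing for the HTTP path through BIRemotingServlet on port 7780 described above, and it is not a substitute for the patch. Second, a weaker variant that is easy to write by accident is a single deny rule with the allow rule placed after it (or omitted), which either cuts off the administration tooling that depends on T3 or, if the order is reversed, denies nothing for the allowed host while still leaving every other host able to reach the listener; verify the rules by connecting with and without the allowed source address after applying them.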

You can find me on Twitter at @zebasquared, and follow the team for the latest in exploit techniques and security patches.