Preface

The Coherence component is a core component built into WebLogic. Official documentation on Coherence: https://www.oracle.com/cn/java/coherence/

WebLogic Coherence deserialization vulnerabilities have been disclosed frequently in recent years, yet no summary of WebLogic Coherence deserialization vulnerabilities has been published online. For those who want to get started with or learn about WebLogic Coherence component deserialization vulnerabilities, this article summarizes and analyzes their history.

I have divided the architecture of the Coherence component deserialization exploit chains into two: the ValueExtractor.extract-based exploit chain and the ExternalizableHelper-based exploit chain.

Prerequisites

Understanding the historical deserialization vulnerabilities of WebLogic's Coherence component first requires understanding some of the interfaces and classes that are commonly involved in them. They show up frequently in the Coherence component deserialization exploits.

ValueExtractor

com.tangosol.util.ValueExtractor is an interface:

Many classes in Coherence whose names end in Extractor implement this interface:

This interface declares an extract method, and ValueExtractor.extract is the key to the Coherence component's historical vulnerabilities (the ValueExtractor.extract chain).

ExternalizableLite

The Coherence component has a com.tangosol.io.ExternalizableLite interface. It extends java.io.Serializable and additionally declares two methods, readExternal and writeExternal.

Be careful not to confuse the com.tangosol.io.ExternalizableLite interface with the native JDK java.io.Externalizable interface.

ExternalizableHelper

Serialization and deserialization of classes implementing the com.tangosol.io.ExternalizableLite interface mentioned above are done through the ExternalizableHelper class.

Let's look at how ExternalizableHelper serializes and deserializes classes implementing com.tangosol.io.ExternalizableLite, taking the readObject method as an example; readers can look at writeObject on their own:

If the incoming DataInput is not a PofInputStream (in the historical Coherence vulnerabilities involving ExternalizableHelper, the DataInput passed to readObject is not a PofInputStream), the ExternalizableHelper#readObjectInternal method is called:

readObjectInternal enters a different branch depending on the nType passed in:

For an object implementing the com.tangosol.io.ExternalizableLite interface, it enters the readExternalizableLite method:

You can see that line 1125 in readExternalizableLite loads a class by its class name, then instantiates an object of that class, and then calls its readExternal() method.

Exploit chains

ValueExtractor.extract

When analyzing a deserialization exploit chain, we can divide the chain into four parts: the chain head, the dangerous intermediate node (vulnerability point), the place where the dangerous intermediate node is called (trigger point), and the end of the chain that uses this node to cause harm.

In the ValueExtractor.extract chain architecture of the Coherence component, this dangerous intermediate node is the ValueExtractor.extract method.

Vulnerability points

ReflectionExtractor

The extract method of ReflectionExtractor contains a reflective call to a method on an arbitrary object:

Combined with ChainedExtractor and ConstantExtractor, a transformer chain like the one in CC1 can be built.

Related CVEs

CVE-2020-2555, CVE-2020-2883

MvelExtractor

The extract method of MvelExtractor executes an arbitrary MVEL expression (RCE):

m_sExpr takes part in serialization and deserialization:

Therefore m_sExpr is controllable, so MvelExtractor.extract can be used to execute arbitrary commands.

Related CVEs

CVE-2020-2883

UniversalExtractor

The extract method of UniversalExtractor (specific to WebLogic 12.2.1.4.0) can call any no-argument get or is method of any class. Combined with JdbcRowSetImpl, JNDI can be used to remotely load a malicious class and achieve RCE.

Related CVEs

CVE-2020-14645, CVE-2020-14825, CVE-2020-14841

LockVersionExtractor

The extract() method of oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor calls the getAttributeValueFromObject method of an arbitrary AttributeAccessor; assigning a MethodAttributeAccessor to the accessor in turn makes it possible to invoke any parameterless method of any class.

The essence is the arbitrary parameterless method call inside MethodAttributeAccessor.getAttributeValueFromObject, which is also used in CVE-2021-2394.

Related CVEs

CVE-2020-14825, CVE-2020-14841

FilterExtractor.extract

FilterExtractor.extract contains a call to AttributeAccessor.getAttributeValueFromObject(obj); assigning the MethodAttributeAccessor described above to this.AttributeAccessor results in a call to any parameterless method.

Related CVEs

CVE-2021-2394

Trigger points

The above shows a number of dangerous ValueExtractor.extract implementations; now let's look at where ValueExtractor.extract is called.

LimitFilter

LimitFilter.toString => ValueExtractor.extract

Since this.m_Comparator takes part in serialization and deserialization, it is controllable:

We can invoke any ValueExtractor.extract method simply by assigning a malicious ValueExtractor to this.m_Comparator. The toString method can be triggered by BadAttributeValueExpException, as used in CC5.

Related CVEs

CVE-2020-2555

ExtractorComparator

ExtractorComparator.compare was found as a bypass of the CVE-2020-2555 patch. The fix for CVE-2020-2555 modified the LimitFilter.toString method, i.e. it changed the place where ValueExtractor.extract is called. CVE-2020-2883 found another call to ValueExtractor.extract, namely ExtractorComparator.compare.

ExtractorComparator.compare calls the extract method of an arbitrary ValueExtractor (because this.m_extractor takes part in serialization and deserialization).

The Comparator.compare method can be triggered by PriorityQueue.readObject, as used in CC2.

In addition, in WebLogic, BadAttributeValueExpException.readObject can also be used to call any Comparator.compare method.

Related CVEs

CVE-2020-2883, fixed by adding ReflectionExtractor and MvelExtractor to the blacklist.

CVE-2020-14645 bypasses this using com.tangosol.util.extractor.UniversalExtractor; the fix adds UniversalExtractor to the blacklist.

CVE-2020-14825 and CVE-2020-14841 use oracle.eclipselink.coherence.integrated.internal.cache.LockVersionExtractor to bypass it.

ExternalizableHelper

When analyzing the ExternalizableHelper exploit chain architecture, we can again divide the chain into four parts: the chain head, the dangerous intermediate node (vulnerability point), the place where the dangerous intermediate node is called (trigger point), and the end of the chain that uses this node to cause harm.

In the ExternalizableHelper chain architecture, the dangerous intermediate node is the ExternalizableLite.readExternal method.

WebLogic's deserialization filtering is performed when a class is loaded during deserialization, so the class loaded in ExternalizableHelper.readExternalizableLite is not restricted by the blacklist.

The reason is that the WebLogic blacklist is based on JEP 290. JEP 290 checks whether the class to be deserialized is on the blacklist after readObject obtains the class name. Here the class is loaded directly with loadClass, so it is not restricted by the WebLogic blacklist. JEP 290 blacklists classes loaded during deserialization; loading directly through loadClass is not deserialization, and the two are different things. (Of course, the subsequent readExternal is still restricted by the WebLogic blacklist, because it goes through the deserialization path.)
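To make the difference between the two loading paths concrete, here is an added example (not code from this post or from Coherence): a scanner that walks a Java serialization stream and reports which Coherence class names a JEP 290 filter would see as class descriptors, and which ones arrive only as bare strings destined for loadClass. It assumes the class name read by readExternalizableLite is carried as a length-prefixed UTF string, and it matches on the simple class names this post discusses.

```python
# Added example, not code from the post or from Coherence. It assumes the class
# name readExternalizableLite loads arrives as a length-prefixed UTF string (the
# readUTF form), which a JEP 290 filter never inspects, unlike TC_CLASSDESC.
import re
import struct
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72
# Simple class names this post discusses, matched on the last dotted segment.
WATCHLIST = {"ReflectionExtractor", "MvelExtractor", "UniversalExtractor",
             "LockVersionExtractor", "FilterExtractor", "LimitFilter",
             "ExtractorComparator", "TopNAggregator$PartialResult",
             "ConditionalPutAll", "SimpleBinaryEntry", "AttributeHolder"}
CLASS_NAME = re.compile(rb"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+")
def _utf(s): return struct.pack(">H", len(s)) + s.encode()  # writeUTF layout

def _read_utf(buf, pos):
    if pos + 2 > len(buf):  # need a 2-byte big-endian length first
        return None
    (n,) = struct.unpack_from(">H", buf, pos)
    raw = buf[pos + 2:pos + 2 + n]
    if n < 6 or len(raw) != n or not CLASS_NAME.fullmatch(raw):
        return None
    return raw.decode("ascii"), pos + 2 + n

def scan_stream(buf):
    """Return (class_name, encoding, offset) for every class-like name found."""
    if not buf.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream")
    hits, i = [], len(STREAM_MAGIC)
    while i < len(buf):
        if buf[i] == TC_CLASSDESC and (r := _read_utf(buf, i + 1)):
            hits.append((r[0], "classdesc", i)); i = r[1]   # filter sees this
        elif r := _read_utf(buf, i):
            hits.append((r[0], "utf-string", i)); i = r[1]  # filter does not
        else:
            i += 1
    return hits

def flag_gadgets(buf):
    """Watchlisted names plus whether a JEP 290 filter would have seen them."""
    return [{"class": n, "offset": off, "seen_by_jep290": enc == "classdesc"}
            for n, enc, off in scan_stream(buf) if n.rsplit(".", 1)[-1] in WATCHLIST]

# Constructed sample (not a real capture): a LimitFilter class descriptor (dummy
# serialVersionUID/flags) whose block data holds a bare ReflectionExtractor name.
_INNER = _utf("com.tangosol.util.extractor.ReflectionExtractor")
SAMPLE = (STREAM_MAGIC + b"\x73" + bytes([TC_CLASSDESC])
          + _utf("com.tangosol.util.filter.LimitFilter")
          + b"\x00" * 8 + b"\x02\x00\x00\x78\x70"
          + b"\x77" + bytes([len(_INNER)]) + _INNER + b"\x78")
```

Running flag_gadgets(SAMPLE) reports LimitFilter as visible to the filter and ReflectionExtractor as not, which is exactly the gap the loadClass path opens.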

Vulnerability points

PartialResult

The readExternal method of com.tangosol.util.aggregator.TopNAggregator.PartialResult triggers an arbitrary Comparator.compare method.

General principle:

Line 182 passes the Comparator as an argument to the TreeMap constructor. Then on line 186 this.add is called, which calls this.m_map.put, i.e. TreeMap's put method, which results in a call to comparator.compare().

Connecting this Comparator.compare call to ExtractorComparator.compare then achieves RCE.

Related CVEs

CVE-2020-14756 (January)

The use of ExternalizableHelper first appeared in CVE-2020-14756. ExternalizableHelper's deserialization loads the class via loadClass, so it is not limited by the blacklist WebLogic had set previously.

The CVE-2020-14756 fix checks the DataInput passed to readExternalizableLite and calls checkObjectInputFilter() if it is an ObjectInputStream. checkObjectInputFilter performs the check through JEP 290.

CVE-2021-2135 (April)

The above fix only checks whether the DataInput is an ObjectInputStream; it does not filter any other DataInput type.

All we have to do is find another place that calls readExternalizableLite and passes in something other than an ObjectInputStream. The patch author followed the path readObject => readObjectInternal => readExternalizableLite, which is probably why the patch only noticed the ObjectInputStream case.

So the CVE-2021-2135 bypass is to make the argument passed to readExternalizableLite a BufferInput.

There are two places in ExternalizableHelper where readObjectInternal is called: one is readObject and the other is deserializeInternal. deserializeInternal converts the DataInput into a BufferInput:

So we just need to find a place that calls ExternalizableHelper.deserializeInternal.

ExternalizableHelper.fromBinary (at the same level as ExternalizableHelper.readObject) calls deserializeInternal, so we just need to find a place that uses ExternalizableHelper.fromBinary to deserialize; that can then be connected to the later part of the CVE-2020-14756 chain.

Next, look for a caller of ExternalizableHelper.fromBinary. Both SimpleBinaryEntry.getKey and SimpleBinaryEntry.getValue call ExternalizableHelper.fromBinary, so we just need to find a place that calls getKey or getValue.

Then, the overridden equals method of com.sun.org.apache.xpath.internal.objects.XString calls toString, and getKey is called inside that toString.

ExternalizableHelper#readMap calls map.put, which calls equals.

The readExternal method of com.tangosol.util.processor.ConditionalPutAll invokes ExternalizableHelper#readMap.

Then connect it to the AttributeHolder at the end of the chain.

The April fixes were:

1. Add SimpleBinaryEntry to the blacklist.

2. Set a whitelist:

private static final Class[] ABBREV_CLASSES = new Class[]{String.class, ServiceContext.class, ClassTableEntry.class, JVMID.class, AuthenticatedUser.class, RuntimeMethodDescriptor.class, Immutable.class};


FilterExtractor

The readAttributeAccessor() method called from FilterExtractor.readExternal directly creates a new MethodAttributeAccessor object.

Then, in FilterExtractor.extract, this.AttributeAccessor.getAttributeValueFromObject is called, leading to an arbitrary parameterless method call.

Related CVEs

CVE-2021-2394 (April)

In the April patch the DataInput stream of the ObjectInputStream is filtered, so direct instantiation of malicious classes via newInstance is prevented (CVE-2021-2135 bypasses it via BufferInput), so we need to look for other readExternal methods whose classes are not on the blacklist.

CVE-2021-2394 makes its breakthrough using FilterExtractor.readExternal.

Trigger points

The trigger points for readExternal via ExternalizableHelper are ExternalizableHelper.readObject and ExternalizableHelper.fromBinary. CVE-2021-2135 exists because the CVE-2020-14756 fix only noticed ExternalizableHelper.readObject and only added restrictions there, without considering ExternalizableHelper.fromBinary, which led to a bypass.

ExternalizableHelper.readObject can be triggered with com.tangosol.coherence.servlet.AttributeHolder. com.tangosol.coherence.servlet.AttributeHolder implements the java.io.Externalizable interface, and its readExternal method calls ExternalizableHelper.readObject(in).

Triggering ExternalizableHelper.fromBinary is more complicated.

Afterword

Many WebLogic Coherence deserialization vulnerabilities are related, and a particular vulnerability is often a chain built on previous ones. In fact, this is not limited to WebLogic: in other Java deserialization chains, one chain will in many cases reuse part of another. Therefore, when studying them, it is important to summarize and analyze the vulnerabilities of a component or library as a whole. Finally, I hope this article can help others who are learning about deserialization.