CVE-2020-2555 PoC — Oracle Utilities Framework Code Issue Vulnerability

Associated Vulnerability
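Title: Oracle Utilities Framework Code Issue Vulnerability (CVE-2020-2555)
Description: Oracle Utilities Framework is an application framework cumulative functionality tool from Oracle (USA). The tool makes it easy to find functionality added to an application between two releases. The Caching, CacheStore, and Invocation components of Coherence in Oracle Utilities Framework versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0 and 4.4.0.2.0 contain a security vulnerability. An attacker could exploit this vulnerability to take control of Oracle Coherenc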
Description
Weblogic com.tangosol.util.extractor.ReflectionExtractor RCE
Readme
# CVE-2020-2555
Weblogic com.tangosol.util.extractor.ReflectionExtractor RCE

com.supeream.CVE_2020_2555

```
/*
 * author:Y4er.com
 *
 * gadget:
 *      BadAttributeValueExpException.readObject()
 *          com.tangosol.util.filter.LimitFilter.toString()
 *              com.tangosol.util.extractor.ChainedExtractor.extract()
 *                  com.tangosol.util.extractor.ReflectionExtractor.extract()
 *                      Method.invoke()
 *                      ...
 *                      Runtime.getRuntime.exec()
 */
 ```
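For defenders, the gadget chain listed above translates directly into a detection: the four class names must appear as class descriptors in any serialized stream that uses it. The following is an added example, not code from this repository; the function names and sample bytes are constructed for illustration, and the scan is a heuristic over raw bytes rather than a full stream parser.

```python
import re
import struct

# Classes named in the gadget-chain comment above, outermost first.
CHAIN = [
    "javax.management.BadAttributeValueExpException",
    "com.tangosol.util.filter.LimitFilter",
    "com.tangosol.util.extractor.ChainedExtractor",
    "com.tangosol.util.extractor.ReflectionExtractor",
]
TC_CLASSDESC = 0x72  # type code from the Java serialization stream protocol
CLASS_NAME = re.compile(r"\[*[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?")


def class_descriptors(data: bytes):
    """Yield (offset, name) for each plausible class descriptor in data.

    Layout: 0x72, big-endian u16 length, class name, 8-byte serialVersionUID.
    Scanning byte by byte tolerates streams wrapped in other framing (e.g. T3).
    """
    i = 0
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", data, i + 1)
            end = i + 3 + n
            name = data[i + 3:end].decode("ascii", errors="replace")
            if 0 < n <= 256 and end + 8 <= len(data) and CLASS_NAME.fullmatch(name):
                yield i, name
                i = end + 8  # skip the name and serialVersionUID
                continue
        i += 1


def inspect(data: bytes) -> dict:
    """Report which gadget-chain classes are declared in the byte string."""
    seen = {name for _, name in class_descriptors(data)}
    hits = [c for c in CHAIN if c in seen]
    return {"hits": hits, "full_chain": hits == CHAIN}


def sample_desc(name: str) -> bytes:
    """Build a constructed descriptor header (serialVersionUID zeroed)."""
    raw = name.encode("ascii")
    return bytes([0x73, TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw + bytes(8)


# Constructed samples: descriptor headers only, not valid object graphs.
SAMPLE_SUSPECT = b"\x00\x00\x05\xf5\x01\x65\xac\xed\x00\x05" + b"".join(map(sample_desc, CHAIN))
SAMPLE_BENIGN = b"\xac\xed\x00\x05" + sample_desc("java.util.HashMap")
```

A hit on `ReflectionExtractor` alone is worth reviewing, since the class can appear in legitimate Coherence traffic; `full_chain` is the higher-confidence signal.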

# Require
This only works in JDK 8u76 and WITHOUT a security manager, because of `BadAttributeValueExpException`; see:
https://github.com/JetBrains/jdk8u_jdk/commit/af2361ee2878302012214299036b3a8b4ed36974#diff-f89b1641c408b60efe29ee513b3d22ffR70
Also, replace `coherence.jar` with the one from your WebLogic version; otherwise you will get a serialVersionUID mismatch error.

Only tested on CentOS, JDK 8u202, WebLogic 12.2.1.4.

![](https://user-images.githubusercontent.com/40487319/76184916-a6727200-6208-11ea-927a-938009ad54c1.gif)


# Reference
1. https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server
2. https://www.youtube.com/watch?v=VzmZTYbm4Zw
3. https://github.com/5up3rc/weblogic_cmd/
File Snapshot

```
[4.0K] /data/pocs/1686e849a131ad090877d8e946889f9bd7a41d73
├── [4.0K] lib
│   ├── [ 13M] coherence.jar
│   ├── [ 53K] commons-cli-1.4.jar
│   ├── [546K] commons-collections-3.1.jar
│   ├── [395K] jsafeFIPS.jar
│   ├── [1.1K] wlcipher.jar
│   └── [ 56M] wlfullclient.jar
├── [1.0K] LICENSE
├── [1.3K] README.md
├── [4.0K] src
│   ├── [4.0K] com
│   │   └── [4.0K] supeream
│   │       ├── [3.8K] CVE_2020_2555.java
│   │       ├── [8.6K] Main.java
│   │       ├── [4.0K] payload
│   │       │   ├── [1.1K] PayloadTest.java
│   │       │   └── [3.0K] RemoteImpl.java
│   │       ├── [4.0K] serial
│   │       │   ├── [2.3K] BytesOperation.java
│   │       │   ├── [1.1K] Reflections.java
│   │       │   ├── [ 12K] SerialDataGenerator.java
│   │       │   └── [ 987] Serializables.java
│   │       ├── [4.0K] ssl
│   │       │   ├── [1003] SocketFactory.java
│   │       │   ├── [ 618] TrustManagerImpl.java
│   │       │   └── [ 341] WeblogicTrustManager.java
│   │       └── [4.0K] weblogic
│   │           ├── [1.2K] BypassPayloadSelector.java
│   │           ├── [ 819] ObjectTest.java
│   │           ├── [4.8K] T3ProtocolOperation.java
│   │           ├── [8.5K] T3Test.java
│   │           └── [1.8K] WebLogicOperation.java
│   ├── [4.0K] META-INF
│   │   └── [ 53] MANIFEST.MF
│   └── [4.0K] weblogic
│       ├── [4.0K] jms
│       │   └── [4.0K] common
│       │       └── [ 36K] StreamMessageImpl.java
│       ├── [4.0K] security
│       │   └── [4.0K] utils
│       │       ├── [ 27K] SSLSetup.java
│       │       └── [7.6K] SSLTrustValidator.java
│       └── [4.0K] socket
│           └── [6.6K] ChannelSSLSocketFactory.java
├── [ 847] weblogic_cmd.iml
└── [5.3K] weblogic_t3.py

15 directories, 31 files
```