Oracle WebLogic Server – JNDI Tree Second-Order Code Injection

 JNDI_Tree

Hi Everyone, today i want to share with you a post about a vulnerability i’ve discovered times ago, it was already fixed by the vendor. So before i get started i’ll explain first what is a second-order code injection mostly code injection vulnerabilities.

Code Injection is a type of exploitation caused by processing invalid data input. The concept of injection attacks is to introduce (or “inject”) malicious code into a program so as to change the course of execution. Such an attack may be performed by adding strings of malicious characters into data values in the form or argument values in the URL. Injection attacks generally take advantages of inadequate validation over input/output data, for example:

  • – Lack of defining a class of allowed characters (such as standard regular expressions or custom classes)
  • – Lack of restricting the data format.
  • – Lack of checking the amount of expected data (such as maximum length restriction)
  • – Lack of restricting the data type (such as numerical input only)

In this form of injection attack, the attackers introduce improper scripts into the web browsers. The technique is most often used to inject JavaScript, VBScript, ActiveX, HTML, Flash or any other types of codes that web browsers may execute. Once the injection is successfully performed, hackers can carry out a variety of malicious attacks including account hijacking, changing of user settings, cookie theft, poisoning, Cross-Site Request Forgery or false advertising.

-Second-order code injection :
Second-order code injection is the realisation of malicious code injected into an application by an attacker, but not activated in real-time by the application. In a lot of cases, the victim of the attack may not even be using the same application that the attacker injected their code.


I – Weakness Analysis :

The Code injection vulnerability reside in the Weblogic Server Administration Console (JNDI Tree Structure ). After testing on this platform i realized that i’m able to inject any strings into “server” parameter value. So i injected strings of malicious payloads (javascript/php/Ajax…) into the argument value in the following URI :
-[ /consolejndi.portal?_nfpb=true&_pageLabel=JNDIHomePage&server=(MALICIOUS_CODE) ] and it was a successfull injection, i can execute any code passed to the argument value.

Let’s look more deeper to identify the source of this issue, If we check “tree.js” we find actually that we can ovewrite/corrupt 3 TreeNode() function parameters.
When we take a look at the code *(1-1) we realize that TreeNode function it’s created as a “JSTree” class object, once all arguments are set the JNDI Tree is created by the function createTree(startNode) then we add new nodes in the previous tree with the function addNode(parentNode, recursedNodes) if the “nodeName” is valid. Therefore any attacker can take advantages of this inadequate validation over input/output data. The link above mention the main functions/methods that are processing and building the tree, its content and identifying the vulnerable parameters. (*Check the link )

Difference between the application behaviour in the (1-1) and (1-2) cases :

Actually Dynamic Analysis of data flow and tracking the execution of some functionalities such as ( Tree creation, Add new node, Expand/ collapse operation, Methods used to build JNDI tree,..etc.) helped me to identify the source of this weakness. The following link shows how to recognize the application behaviour in 2 statements, normal and in case of injecting a malicious code :

III – Exploitation :

In order to exploit this vulnerability an attacker can use several ways to inject a payload and execute arbitrary codes. Furthermore there is a possibility to interact with the environment, gain control of JSTree Class objects and the possibility to access an object in a WebLogic Server environment.

  1.  Session Control : Suppose now that we use the void()(returns a null value to the web browser) JavaScript function instead of alert(). We could change the DOM values inside this function and no navigation change state would occur. Oracle Weblogic server use “ADMINCONSOLESESSION” as a session main cookie, so if we start a new navigation to the same website in another browser instance, we’ll get a new “ADMINCONSOLESESSION”; we could change the session IDs in both instances by this payload : javascript: void(document.cookie=”ADMINCONSOLESESSION = <<another session ID>>”);
  2. XSS Shell.
  3. Phishing Attacks :Using Javascript, CSS or HTML an attacker can trick the victim to log in. The basic concept is to override the HTML of the current page to look identical to the login page. Little does the victim know, his credentials are sent to the attacker instead of to the website when trying to log in.  An attack vector for this kind of attack :
  1. Framework-based attacks :-Different attacks/exploitation could be provided with the help of a framework like BeEF, XSSF.

 

  1. Cross-Site Scripting Worms & Viruses : Using an application to host the malware code, triggers the purpose of second-order code injection issues, XSS worms and viruses take control over a Web browser and propagate by forcing it to copy the malware to other locations on the Web to infect others. XSS malware payloads could force the browser to send email, transfer money, delete/modify data, hack other websites, download illegal content, and many other forms of malicious activity. XSS exploits, typically HTML/JavaScript, use three ways to force browsers to send remote HTTP requests: Embedded HTML Tags, JavaScript DOM Objects, XMLHTTPRequest (XHR).XSS worm functions example :

-Access to local files from browser/ Screen-captures and send data to attacker :

So guys by this we come up to the end of this article,

See you soon, stay tuned 🙂

Best regards.

About

Follow me on twitter : https://twitter.com/r007hunt

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.