Tuesday 29 March 2016

Loubia: Exploitation of Java Deserialize on t3 (Weblogic)

Loubia (https://github.com/metalnas/loubia) is a Python script that achieves remote code execution on t3-enabled backends. This is possible thanks to (or because of) the Java Deserialize vulnerability.

If you're wondering what the Java Deserialize vulnerability is, either you stumbled here searching for bean food, or you've been living in a cave (a Faraday cave, obviously) for the last few months if not years. Anyway, I recommend this excellent post that explains the whole thing in detail: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

Basically, deserializing untrusted serialized Java objects is bad... very bad, especially when you have in your classpath a serializable Java class that can be leveraged to execute arbitrary code. This happens to be exactly the case for WebLogic servers (one of many) with an exposed t3 handler. The foxglovesecurity post provides an exploitation script for t3, but I quickly found it limited for frequent use during a pentest:
  • The script doesn't work, or at least it didn't for me
  • Payload needs to be generated separately with ysoserial
  • Can't use redirections and pipes in payload due to a limitation in ysoserial
  • No t3s handling
  • I really felt like writing a script
To remediate those, I give you Loubia! A standalone tool that exploits Java Deserialize on t3-enabled WebLogic servers.
No need to generate the payload separately. A malicious t3 packet is hard coded and is modified on the fly:

  • The string representing the command to execute is updated
  • The two bytes indicating the length of the new command are updated
  • If the target OS is Windows, the strings "/bin/sh" and "-c" are replaced with "cmd.exe" and "/c". Also, if the shell is bash, "/bin/sh" is replaced with "/bin/bash"
  • The two bytes indicating the total length of the t3 packet are updated

The t3 packet used is the first one sent when performing a ping using weblogic.jar:
java -cp weblogic.jar weblogic.Admin -adminurl t3://host:port -username weblogic -password weblogic PING
This packet is sent after the t3 handshake and is composed of four serialized Java objects. The third object (starting at byte 750) is replaced with the malicious object (replacing the others doesn't seem to work).
The original payload (malicious serialized java object) was generated using a modified version of ysoserial (https://github.com/frohoff/ysoserial).
By default ysoserial does not allow the use of redirections or pipes in the payload.


Below is the help of Loubia showing its awesome functionalities:

Usage: loubia.py hostname port [options]
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -c PAYLOAD, --cmd=PAYLOAD
                        Command to execute
  -o OS, --os=OS        Target operating system (unix/win). Default is unix
  -l SHELL, --shell=SHELL
                        shell to use (sh/bash). Default is sh
  -s, --ssl             Use t3s protocol. Default : false
  -p PROTOCOL, --protocol=PROTOCOL
                        SSL protocol to use (sslv3/tlsv1/best). Default is
                        sslv3
  -w, --webshell        Deploy a jspx webshell
  -u URL, --url=URL     Deploy the jspx webshell to the target URL path
                        (webshell name will be URL_.jspx)
  -v, --verbose         Print verbose output. Default : false
Webshell deployment:

In the case of a Linux target located in a DMZ where it is impossible to open a port or to reach our IP, the "-w" or "--webshell" option comes to the rescue. Indeed, when t3 is enabled the WebLogic console is often accessible. When the "-u"/"--url" option is not used, a find is launched on the file "dashboard-min.css" and the file "dashboard-min.css_.jspx" is created. If everything goes well, the webshell will be accessible at http://HOST:PORT/console/css/dashboard-min.css_.jspx. Why jspx? Unlike jspx files, jsp files added at runtime aren't compiled by WebLogic before a restart. The "-u" or "--url" option allows specifying a custom URL. For example, "-u 'http://HOST:PORT/appli/index.jsp'" causes the find to be launched on the "index.jsp" file and the webshell to be created at "http://HOST:PORT/appli/index.jsp_.jspx".

Possible evolutions:

Loubia is by definition perfect. Still, out of modesty I can consider some enhancements:
  • Handle ssl better (for now, ssl protocols are hardcoded. Find a way to do an automatic negotiation)
  • Implement a method to upload a webshell to windows targets
  • Handle custom webshell
  • Add other payloads. For example a script to recover Weblogic credentials
  • Add a funny banner
  • Learn Python and redevelop the whole script.
Remediation for sysadmins:

Completely disabling t3 can break some administration scripts. Instead, Connection Filters can be used to block connections from a given IP/network to a given port and service.
It is recommended to deny t3 connections from untrusted sources. To do so:
1- In the Change Center of the Administration Console, click Lock & Edit.
2- In the left pane, select the domain you want to configure.
3- Select Security > Filter.
4- Select the Connection Logger Enabled checkbox to enable the logging of accepted messages.
5- In the Connection Filter field, specify the default filter weblogic.security.net.ConnectionFilterImpl unless a custom filter is already configured.
6- In the Connection Filter Rules field, enter the connection filter rules. For example, the following two rules allow all connections from localhost and forbid all t3/t3s connections from other machines:
          127.0.0.1 * *  allow
          0.0.0.0/0 * * deny t3 t3s

To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
Not all changes take effect immediately; some require a restart (for example, if no Connection Filter was configured before).

Links:
Loubia: https://github.com/metalnas/loubia
Using network connection filters: https://docs.oracle.com/cd/E24329_01/web.1211/e24485/con_filtr.htm
Configure connection filtering: http://docs.oracle.com/cd/E24329_01/apirefs.1211/e24401/taskhelp/security/ConfigureConnectionFiltering.html

3 comments:

  1. Your HTML text could not be accepted: This tag is not allowed: SCRIPT. gg :)
  2. Can you share the modified version of ysoserial that support for redirection and command pipe?

    Thank you.

    Awesome tool, btw.

    1. Thanks for commenting.

      Regarding the ysoserial "improvement", you can find more details here: https://github.com/frohoff/ysoserial/pull/60/files