Earlier this year, researchers found and published a deserialization vulnerability in Oracle WebLogic. The issue was serious enough that Oracle broke with its normal quarterly patch cycle and issued an emergency update. Unfortunately, researchers soon found that an attacker could bypass that patch. An official patch that does not fully address a security issue seems to be a trend these days, and Oracle is no exception. This article describes a directory traversal vulnerability that Oracle needed several patches to fix: it was first addressed as CVE-2019-2618 in April 2019, and a corrected patch followed in July 2019.
0x01 Vulnerability details

Oracle WebLogic is an application server used to build and deploy Java Enterprise Edition (Java EE) applications. A default WebLogic Server installation contains a number of built-in applications for maintaining and configuring domains and applications. One of them, bea_wls_deployment_internal.war, provides a file upload function. After authenticating, a user can send a request to /bea_wls_deployment_internal/DeploymentService to upload a file. If the request's wl_request_type header is app_upload or plan_upload, the application calls handlePlanOrApplicationUpload().

handlePlanOrApplicationUpload() validates the wl_upload_application_name header value and checks it for two directory traversal sequences, ../ and /..:

Figure 1. Check for directory traversal sequences (comments added by us)

The path \user_projects\domains\[DOMAIN NAME]\servers\AdminServer\upload\ is stored in the uploadingDirName variable, and the server uses the wl_upload_application_name header value as the name of a subdirectory below it. As the code in Figure 1 shows, the server appends the user-controlled wl_upload_application_name value to uploadingDirName and passes the result as the saveDirectory parameter to doUploadFile(). doUploadFile() then creates a file at the location named by the request's filename parameter.

Figure 2. The doUploadFile() function

Both the wl_upload_application_name and the filename fields are therefore subject to directory traversal. In April 2019, Oracle attempted to fix this traversal issue as CVE-2019-2618. The CVE-2019-2618 patch added processing logic that checks the wl_upload_application_name field for the two traversal sequences ../ and /..
For the filename field, the CVE-2019-2618 patch added a check to doUploadFile() to ensure that the final path of the saved file contains the directory specified by saveDir. saveDir is \user_projects\domains\[DOMAIN NAME]\servers\AdminServer\upload\[UPLOAD_APP], where [UPLOAD_APP] is taken from wl_upload_application_name. If the filename variable contains directory traversal characters and the resulting path does not contain the saveDir string, the new doUploadFile() throws an exception:

Figure 4. Exception thrown for a path outside saveDir

The check on the filename field is fairly complete, although we would note that the fix would be stronger if it used startsWith rather than contains. In theory, under this patch's logic, any final path that merely contains something resembling the legitimate path could bypass the check. In our analysis, however, there is no directly usable code path: if the specified save path does not exist, doUploadFile() does not automatically create the directory structure. To bypass this check an attacker would therefore need some other, sufficiently powerful primitive to create arbitrary directory structures in sensitive locations on the server, which the upload feature itself cannot provide. Overall, then, this part of the patch is unlikely to be bypassed.

For the wl_upload_application_name header field, however, the CVE-2019-2618 patch is incomplete: an attacker can set the header value to just two dots (..) to bypass the check. In this way the attacker can upload files into any subdirectory of \user_projects\domains\[DOMAIN NAME]\servers\AdminServer; note that the final path component, upload, is now missing.
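To make the difference between the patch's checks and a safer one concrete, here is an added Java example (our code, not WebLogic's; the class name, method names and the base directory under java.io.tmpdir are assumptions). It reproduces the CVE-2019-2618-style substring check that lets a bare .. through, the contains-based containment check discussed above, and a hardened resolver that rejects . and .. segments up front and then requires the canonical target path to start with the canonical upload directory plus a separator, which is the startsWith approach suggested above.

```java
import java.io.File;
import java.io.IOException;

public class UploadPathCheck {

    // Hypothetical base directory for this example; WebLogic's real uploadingDirName is
    // \user_projects\domains\[DOMAIN NAME]\servers\AdminServer\upload\
    static final File UPLOAD_DIR =
            new File(System.getProperty("java.io.tmpdir"), "example-domain/servers/AdminServer/upload");

    // CVE-2019-2618-style check on wl_upload_application_name: it rejects the
    // sequences "../" and "/.." but a bare ".." contains neither and passes.
    static boolean weakAppNameCheck(String appName) {
        return !(appName.contains("../") || appName.contains("/.."));
    }

    // A "contains" style containment check like the one added to doUploadFile():
    // any final path that merely embeds saveDir somewhere inside it passes.
    static boolean containsCheck(String finalPath, String saveDir) {
        return finalPath.contains(saveDir);
    }

    // Hardened resolution: reject empty, "." and ".." segments whichever separator
    // is used, then canonicalize and require the target to start with the canonical
    // base directory followed by a separator (startsWith, not contains).
    static File safeResolve(File base, String appName, String fileName) throws IOException {
        for (String part : (appName + "/" + fileName).split("[/\\\\]")) {
            if (part.isEmpty() || part.equals(".") || part.equals("..")) {
                throw new IOException("rejected path segment: '" + part + "'");
            }
        }
        String canonicalBase = base.getCanonicalPath();
        File target = new File(new File(base, appName), fileName);
        String canonicalTarget = target.getCanonicalPath();
        if (!canonicalTarget.startsWith(canonicalBase + File.separator)) {
            throw new IOException("target escapes upload directory: " + canonicalTarget);
        }
        return target;
    }

    public static void main(String[] args) {
        // 1. The weak check: "../x" is rejected, the bare ".." is accepted.
        System.out.println("weak check on \"../x\": " + weakAppNameCheck("../x"));
        System.out.println("weak check on \"..\":    " + weakAppNameCheck(".."));

        // 2. The contains check accepts a path that only embeds saveDir inside it.
        String saveDir = "/upload/myapp";
        System.out.println("contains check: "
                + containsCheck("/upload/myapp/../../tmp/poc.jsp", saveDir));

        // 3. The hardened resolver: a normal upload is accepted, both traversal
        //    attempts (bare "..", and backslash-separated "..") are rejected.
        String[][] attempts = {
                {"myapp", "plan.xml"},
                {"..", "tmp/poc.jsp"},
                {"myapp", "..\\..\\tmp\\poc.jsp"}
        };
        for (String[] a : attempts) {
            try {
                System.out.println("accepted: " + safeResolve(UPLOAD_DIR, a[0], a[1]));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The segment check runs before any filesystem call so that a bare .. is caught regardless of the separator, and the canonical prefix check covers cases the segment check does not anticipate, such as symlinks below the upload directory. Appending File.separator to the canonical base prevents a sibling directory whose name merely starts with "upload" (for example upload2) from passing the prefix test.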
As a result, the attacker can write a JSP file into \user_projects\domains\[DOMAIN NAME]\servers\AdminServer\tmp\ and achieve code execution. For example, the following POST request writes poc.jsp into \user_projects\domains\[DOMAIN NAME]\servers\AdminServer\tmp:

Figure 5. Directory traversal demonstration

Files written to the _WL_internal\bea_wls_internal subdirectory of the tmp directory are reachable without authentication. In this case, the attacker can request the URI /bea_wls_internal/poc.jsp to execute the JSP code.

In July, Oracle released the CVE-2019-2827 patch, which successfully fixes the vulnerability. The patch checks whether the wl_upload_application_name header value contains the .. traversal sequence, as shown below:

Figure 6. Code changes in the CVE-2019-2827 patch
0x02 Summary

Directory traversal vulnerabilities in their many variants have been around for a long time, yet they still affect all kinds of software. Developers should make sure that user-supplied data is properly filtered before it is used in file operations. Over the years, attackers have used a variety of encoding tricks to bypass directory traversal defenses; for example, URI encoding turns %2e%2e%2f into ../ and gets past some filters, and their creativity should never be underestimated. Although this article looks at an unsuccessful Oracle patch, other vendors have similar problems. Patch analysis is a good way to check whether developers have left flaws in a fix, and studying fixes is also a great entry point for finding related vulnerabilities.
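As an added example of the encoding caveat (our code, not Oracle's; the class and method names are assumptions, and it requires Java 10 or later for URLDecoder.decode with a Charset), the following filter percent-decodes a header value repeatedly before looking at its path segments, so that single- and double-encoded .. sequences are caught along with the literal form, while names that merely contain dots are left alone:

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class TraversalFilter {

    // Percent-decode repeatedly (bounded) so that "%2e%2e%2f" and the
    // double-encoded "%252e%252e%252f" both end up as "../" before the check.
    static String fullyDecode(String value) {
        String current = value;
        for (int i = 0; i < 3; i++) {
            String decoded = URLDecoder.decode(current, StandardCharsets.UTF_8);
            if (decoded.equals(current)) {
                break;
            }
            current = decoded;
        }
        return current;
    }

    // True if any path segment of the decoded value is "." or "..", treating both
    // "/" and "\" as separators, so a bare ".." (the CVE-2019-2618 bypass) and
    // "..%5c" are caught, but a legitimate name such as "my.app-1" is not.
    static boolean looksLikeTraversal(String headerValue) {
        String decoded;
        try {
            decoded = fullyDecode(headerValue);
        } catch (IllegalArgumentException malformedEscape) {
            // A malformed %-sequence is rejected rather than guessed at.
            return true;
        }
        for (String part : decoded.split("[/\\\\]", -1)) {
            if (part.equals(".") || part.equals("..")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample header values, not captured traffic.
        String[] samples = {
                "myapp", "my.app-1", "foo/..bar",
                "..", "../etc", "%2e%2e%2f", "%252e%252e%252f", "..%5ctmp", "%zz"
        };
        for (String s : samples) {
            System.out.printf("%-18s -> %s%n", s, looksLikeTraversal(s) ? "traversal" : "ok");
        }
    }
}
```

The decode loop is bounded so that a value cannot keep the filter busy indefinitely, and the check is applied to the decoded form only: the raw value is never passed on to the file system, which is the order that matters when the downstream code performs its own decoding.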