Back in November of 2015, WebLogic was patched by Oracle to disallow deserialization of some dangerous Java objects. Oracle achieved this by blacklisting these specific packages:
This protected WebLogic from the original ysoserial serializable payloads like Groovy1. Furthermore, it successfully protected WebLogic from newer ysoserial payloads like CommonsCollections3 (released in February 2016). However, it does not protect WebLogic from all payloads.
RMI Connect Back
On February 24, 2016 the Jenkins build server project released a security advisory. One of the vulnerabilities, SECURITY-232 aka CVE-2016-0788, indicated that it was possible for an unauthenticated remote attacker to open a JRMP (Java Remote Method Protocol) listener, which allowed for remote code execution. JRMP is used in conjunction with RMI (Remote Method Invocation). RMI is well suited to a deserialization attack since the communication is built around the serialization and deserialization of objects. Research into how CVE-2016-0788 works yielded two interesting finds.
The first was a full implementation of that attack in Jenkins’ unit tests. The second interesting find was that the researcher credited with CVE-2016-0788, Moritz Bechler, forked ysoserial and published a number of new/undisclosed payloads.
In the case of WebLogic, we are interested in ysoserial's JRMPListener.java payload. This serializes a RemoteObjectInvocationHandler which uses a UnicastRef object to establish a TCP connection to a remote server in order to reach that server's RMI registry. This connection uses JRMP, so the client will deserialize whatever the server responds with, achieving unauthenticated remote code execution.
To demonstrate the issue to ZDI and Oracle, Tenable created two scripts. The first script, jrmp_listener.py, is a server that listens for the callback. When the connect back reaches jrmp_listener.py, it responds with a CommonsCollections3 payload, which triggers the RCE on WebLogic. The second script, jrmp_connect_back.py, sends the serialized object to WebLogic via t3 on TCP port 7001 (just like the original FoxGlove attack). In order to exploit WebLogic, jrmp_listener.py must be executed before jrmp_connect_back.py. The result of the exploitation is that the connect back, which exists on its own thread, is executed multiple times (which means an attacker could deliver multiple payloads).
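As an added, defender-side example (editor's code, not Tenable's jrmp_listener.py or jrmp_connect_back.py, and not part of the original post): a small Python scanner that takes a captured t3 request body and looks for the serialized RemoteObjectInvocationHandler/UnicastRef combination described in the two passages above, pulling out the host and port the deserializing WebLogic instance would connect back to. The byte layout it relies on (writeUTF of the ref type, then host as a UTF string and port as a 4-byte big-endian int, as written by RemoteObject.writeObject and LiveRef.write) is my reading of the JDK sources, not something the post states; the sample buffer is constructed, deliberately skips most of the class-descriptor fields, and the leading t3 header line is only an illustrative prefix.

```python
"""Flag Java serialization streams that carry an RMI connect-back reference.

Editor's example (not Tenable's tooling).  Scans raw bytes, e.g. the body of a
t3 request captured on port 7001, for a serialized
java.rmi.server.RemoteObjectInvocationHandler whose RemoteRef is a
UnicastRef/UnicastRef2, and extracts the endpoint the deserializing JVM
would dial out to.  Layout assumptions are documented inline.
"""
import re
import struct
from typing import Optional

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
HANDLER_CLASS = b"java.rmi.server.RemoteObjectInvocationHandler"

# Assumption (JDK RemoteObject.writeObject + LiveRef.write): the custom
# writeObject emits writeUTF(refType) and then host (UTF) and port (int).
# writeUTF is a 2-byte big-endian length followed by the modified-UTF-8 text,
# so "UnicastRef" appears as 00 0a "UnicastRef" and "UnicastRef2" as 00 0b ...
_REF_TYPE_RE = re.compile(rb"\x00(?:\x0aUnicastRef|\x0bUnicastRef2)")


def _read_utf(buf: bytes, off: int):
    """Read a writeUTF-style string at off; return (text, new_offset) or (None, off)."""
    if off + 2 > len(buf):
        return None, off
    n = struct.unpack_from(">H", buf, off)[0]
    off += 2
    if off + n > len(buf):
        return None, off
    try:
        return buf[off:off + n].decode("utf-8"), off + n
    except UnicodeDecodeError:
        return None, off


def parse_connect_back(buf: bytes) -> Optional[dict]:
    """Return {'ref_type', 'host', 'port'} if buf contains the connect-back
    object, else None.  Heuristic: works on the contiguous block-data form a
    single short writeObject produces; it does not reassemble chunked blocks."""
    start = buf.find(JAVA_STREAM_MAGIC)
    if start < 0:
        return None
    stream = buf[start:]
    if HANDLER_CLASS not in stream:
        return None
    m = _REF_TYPE_RE.search(stream)
    if m is None:
        return None
    ref_type = m.group(0)[2:].decode()
    off = m.end()
    if ref_type == "UnicastRef2":
        off += 1  # TCPEndpoint.write prefixes a one-byte format tag (assumption)
    host, off = _read_utf(stream, off)
    if host is None or off + 4 > len(stream):
        return None
    port = struct.unpack_from(">I", stream, off)[0]
    if not 1 <= port <= 65535:
        return None
    return {"ref_type": ref_type, "host": host, "port": port}


def verdict(buf: bytes, trusted_registries=frozenset()) -> str:
    """Policy layer: any connect-back to a host:port not on the allow-list is an alert."""
    hit = parse_connect_back(buf)
    if hit is None:
        return "clean"
    if "%s:%d" % (hit["host"], hit["port"]) in trusted_registries:
        return "trusted-rmi-ref"
    return "alert: deserialization would connect back to %s:%d" % (hit["host"], hit["port"])


def constructed_sample() -> bytes:
    """Constructed stand-in for a captured t3 body (not real traffic).  Only the
    fields the scanner cares about are present; real streams carry full
    class descriptors.  Host is a TEST-NET-3 placeholder."""
    host = b"203.0.113.5"
    block = (b"\x00\x0aUnicastRef"
             + struct.pack(">H", len(host)) + host
             + struct.pack(">I", 1099)
             + b"\x00" * 14      # ObjID placeholder (objNum + UID)
             + b"\x00")          # isResultStream boolean
    return (b"t3 12.2.1\nAS:255\nHL:19\n\n"        # illustrative t3 header prefix
            + JAVA_STREAM_MAGIC
            + b"\x73\x72" + struct.pack(">H", len(HANDLER_CLASS)) + HANDLER_CLASS
            + b"\x00" * 8                          # serialVersionUID placeholder
            + b"\x77" + bytes([len(block)]) + block)  # TC_BLOCKDATA + payload


if __name__ == "__main__":
    print(parse_connect_back(constructed_sample()))
    print(verdict(constructed_sample()))
```

Run over real captures, the point is not the exact byte offsets but the signal: a legitimate t3 client has no reason to hand WebLogic a RemoteObject whose ref points at an arbitrary external host, so any hit outside a short allow-list of your own RMI registries is worth an alert, independent of which gadget chain the listener would eventually return.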