Monday, November 29, 2021

Quick Analysis - CVE-2019-2725 Payload

Since few days now there has been a constant hammering of the weblogic honeypots with the exploits targeting a deserialization vulnerability leading to remote code execution vulnerability identified by CVE-2021-2725

The initial request to exploit the vulnerability looks like below,

The payload is a base64 string that gets decoded and saved to "servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/4dde4d88.jsp". Below is the decoded version of the base64 blob.

Following the 1st request a 2nd request is sent to the server. It looks like below ,

Reading the ".jsp" file it is clear that this blob in the 2nd request is base64 encoded and encrypted using AES. The key for decryption is hardcoded in the jsp file. They key can be identified as "fc5e038d38a57032". Using the key the blob in the 2nd request can be decrypted. It turns out the 2nd blob is a class file. The key is also saved in the session using "session.putvalue" into the variable "u". Below is the decrypted version using cyberchef.

Decompiling the class to source we can get an understanding of what's happening in the background. The class gets information about filepath, os, architecture, path, drivelist (line 70-80) encrypts using the same key (line 93 or 109 or 125) and posts it as a response.

No comments:

Post a Comment