Oracle Coherence Remote Code Execution CVE-2020-2555

15/04/2020 09:06:52
Oracle Introduction

Coherence is a key component of Oracle in order to build a highly reliable and scalable cluster. Clustering refers to more than one App Server participating in the operation. The main purpose of Coherence is to share the objects of an application (mainly Java objects, such as a session Java object of a web application) and data (such as database data, which becomes Java objects after OR-MAPPING).

Summary

A blog published by Zerodayinitiative released a Coherence deserialization vulnerability, with number CVE-2020-2555 and CVSS score of 9.8, which is highly dangerous. The following content comes from the analysis of the blog.

We found exploit points through patches

The CVE-2020-2555 vulnerability is caused by an attacker who can pass in controllable parameters and call Java methods. In Java, the readObject () or readExternal () methods in the class can be called automatically. These two methods and any other methods available from within them can be regarded as the source of deserialized gadget.

The toString () method in the LimitFilter class was changed in the patch of CVE-2020-2555, as shown in the figure:



Patch toString () deletes the pair extract () all calls to the statement methods; the following will introduce extract () the importance of the method. The modification here is particularly interesting because we can access toString () through the readObject () method of various standard JRE classes (such as BadAttributeValueExpException)



As shown in the code above, a serialized instance of the BadAttributeValueExpException class can be used to call the toString () method of any class. This method can be used to access the toString () method of the LimitFilter class affected by this patch.

For use toString () as the entry point of the gadget example, see ysererial project CommonsCollections5 gadget.

Search for Sink Point

Sink refers to Java method calls with various side effects including:

-Create arbitrary files by calling FileOutputStream.write ()

-Execute arbitrary commands by calling Runtime.exec ()

-Call any method by calling any method

For this vulnerability, our focus is on the call to Method.invoke (), which can call any Java method through reflection. After understanding that, we can find all instances of the extract () method, and eventually call Method.invoke (). In the Coherence library, there seems to be only such an instance of a serializable class (implementing the Serializable or Externalizable interface).



After viewing the ReflectionExtractor class, we can confirm the previous speculation:



ReflectionExtractor provides dangerous primitives, allowing an attacker to call arbitrary methods, and the attacker can control the methods and parameters.

Implement RCE

Generally, multiple method calls are required to exploit remote code execution vulnerabilities. For example, in the popular Apache Commons Collections of gadgets, attackers need to use ChainedTransformer arbitrary method calls connected in series to achieve RCE. Similarly, the Coherence library also provides such a class (ChainedExtractor), which allows us to concatenate the extract () call:



Combining the above information, we can use the following call chain to finally achieve remote code execution:



If the target environment uses the Coherence library, and the attacker can deliver malicious serialized objects, then the attacker can achieve remote code execution.

Summary

Since Chris Frohoff and Gabriel Lawrence 's speech on AppSecCali led to the so-called Java deserialization revelations in 2015 and 2016, researchers have been looking for deserialization errors to achieve reliable code execution. We have seen many such errors have been submitted to the program and used in the Pwn2Own Miami incident for SCADA applications. This is also one of the reasons why we pay special attention to deserialization errors in the "Trend Technology Security Prediction 2020" report. Thanks again VNPT ISC 's Jang for submitting this error to the program, we hope to receive more of his report.

Reproduction

We use WebLogic 12.2.1.3 environment to reproduce. The malicious serialized data is passed in through the T3 protocol, and the malicious code is executed when the server is parsed as shown in the figure:



Impacts

Affected Oracle Coherence Versions

Oracle Coherence 12.2.1.4.0

Oracle Coherence 12.2.1.3.0

Oracle Coherence 12.1.3.0.0

Oracle Coherence 3.7.1.17

Timeline

Mar 6, 2020 Oracle released a critical patch for fixing CVE-2020-2555 vulnerability in Jan 2020.

Mar 6, 2020 Sangfor FarSight Labs release an article about this vulnerability.

Mar 10, 2020 Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.

Remediation Solution

The official has released a patch for this vulnerability, please refer to the following link to install the patch update: https://www.oracle.com/security-alerts/cpujan2020.html

Interim Solution

Control T3 Service

Steps:



Select Security>Filters on the above, then select "Filter" and enter the following:

security.net.ConnectionFilterImpl

Then enter the following in Connection Filter Rules

127.0.0.1 * * allow t3 t3s,0.0.0.0/0 * * deny t3 t3s

Click save and restart server to take effect.

Sangfor Solution

For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cloud WAF has updated database immediately in the cloud. Users can be protected from high risk easily and rapidly without performing any operation.

Sangfor Cyber Command is capable of detecting attacks exploiting this vulnerability and alerting users. Users can correlate Cyber Command to Sangfor NGAF to block attacker IP address.

Sangfor SOC makes sure that Sangfor security specialists are available 24/7 to you for any security issue. Sangfor security experts scan the customer's network environment in the first place to ensure that the customer's host is free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.

Our Social Networks

Global Service Center:

COPYRIGHT © 2000-2020 SANGFOR TECHNOLOGIES. ALL RIGHTS RESERVED.