Stay safe, grab a drink and join us virtually for our upcoming "The Hacking Game - A Road to Post Exploitation" meetup
to learn how hackers can compromise the software supply chain, advanced data protection methods on WebLogic Server and
how to use AI in order to protect your software.
Agenda:
17:00 - 17:10 - 'Opening words' - by Gidi Farkash (CISO at Pipl Security)
17:10 - 17:40 - 'Tracking Attackers in Open Source Supply Chain - Lessons Learned' - by Jossef Harush Kadouri (Head of Software Supply Chain Security at Checkmarx)
17:40 - 18:20 - 'WebLogic - The Road to Post Exploitation' - by Amit German (Cyber Security Researcher at Pentera)
18:20 - 19:00 - 'AI In The Hands of Application Security' - by Brit Glazer (Head of Information Security at Unit)
82. Pickle
• Built-in Python module
• Serializes complex Python objects into binary files
• Used in many applications, specifically when saving and loading machine learning models
import pickle

class MyObject:
    def __init__(self, name):
        self.name = name

# Serialize the object graph to a binary file
data = MyObject('test')
with open('data.pickle', 'wb') as f:
    pickle.dump(data, f)
88. Pickle is a Weak Format
• An attacker can execute arbitrary code during unpickling, because the pickle stream itself names the callables that loading invokes
import pickle

class MyObject:
    def __init__(self, name):
        self.name = name

    # pickle calls __reduce__ to learn how to rebuild the object; whatever
    # callable it returns is invoked by pickle.load() on the receiving side
    def __reduce__(self):
        return exec, ('print("hello from pickle")',)

data = MyObject('test')
with open('data.pickle', 'wb') as f:
    pickle.dump(data, f)
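A defensive counterpart to the slides above, added here and not part of the talk: a restricted Unpickler that only resolves an allowlist of classes, so a stream naming any other callable (the builtin `len` stands in for `exec` in the demo) is refused before it can run. The names `RestrictedUnpickler`, `ALLOWED_GLOBALS` and `restricted_loads` are this example's own.

```python
import io
import pickle

class MyObject:
    """Benign data holder, like the one on the slides."""
    def __init__(self, name):
        self.name = name

# Allowlist of (module, qualified name) pairs a pickle stream may reference.
# Everything else (builtins.exec, os.system, ...) is refused at load time.
ALLOWED_GLOBALS = {
    (MyObject.__module__, MyObject.__qualname__): MyObject,
}

class RestrictedUnpickler(pickle.Unpickler):
    """Only resolve globals that are explicitly allowlisted (example code)."""
    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"refusing to load global {module}.{name}") from None

def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that enforces the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def demo():
    """Return (loaded name, hostile stream blocked) to show both outcomes."""
    benign = pickle.dumps(MyObject("test"))
    loaded = restricted_loads(benign)
    # A stream referencing any non-allowlisted global (here `len`, standing in
    # for `exec`) is rejected before the named callable is ever resolved.
    hostile = pickle.dumps(len)
    try:
        restricted_loads(hostile)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return loaded.name, blocked

if __name__ == "__main__":
    print(demo())
```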
132. What is WebLogic?
● An enterprise-level application server developed by Oracle
● Based on Java Enterprise Edition (Java EE)
● Operates as middleware: a bridge between backend and frontend
○ Capable of hosting multiple applications
○ Supports database connections
● Nightmare to update :)
139. What now?
● Goals
○ Remote Code Execution (RCE) on the WebLogic Server
○ Collect useful data
○ Deploy a backdoor
● Requirements
○ Authentication Bypass
○ Remote Code Execution (RCE)
○ CVE-2020-14883 + CVE-2020-14882
(There are 274 known vulnerabilities!)
141. CVE-2020-14882
● Authenticated remote code execution
● Exploits weaknesses in WebLogic’s HTTP request handling
● Chained together with CVE-2020-14883 = unauthenticated RCE!
● Two methods
○ Shell Method
○ Remote XML Method
142. CVE-2020-14882 – Shell Method
● Shell Method
○ Very easy to execute
○ Sending a command using a handle to a library used by WebLogic’s web server
○ Only works for newer versions of WebLogic
■ 12.2.1.3.0 and newer
■ Not working on 10.3.6.0.0 and 12.1.3.0.0
○ Gimme passwords!
144. CVE-2020-14882 – Remote XML Method
● Remote XML Method
○ “ShellSession” does not exist on older versions
○ We’ll use “FileSystemXmlApplicationContext”, which exists on every WebLogic version
○ Harder than the Shell Method, and less likely to succeed
○ Has many limitations
145. CVE-2020-14882 – Remote XML Method
[Diagram: Attacker sends a malicious URL to the WebLogic Console; the WebLogic Server fetches from the attacker's malicious server]
148. Now what??? - Post-Exploitation
● We have achieved unauthenticated remote code execution!
● Time to move on to the next goals
○ Find interesting, useful data
○ Upload a webshell
149. WebLogic Management API
• A.K.A. WLS RESTful Management Interface
“WebLogic RESTful management services provide a comprehensive public interface for configuring, monitoring, deploying and administering WebLogic Server in all supported environments.”
151. Back to planning!
● New GOALS
○ Extract WebLogic console user credentials
○ Find interesting, useful data
○ Webshell
152. Tell me your password, WebLogic
● WebLogic saves its encrypted password in the following scenarios
○ WebLogic is running in development mode
■ config.xml
○ WebLogic has been configured with “quick startup” (no credentials are needed when the server restarts)
■ boot.properties
● WebLogic always saves its encryption key in a file
○ SerializedSystemIni.dat
162. Management API - Here we come!
● Finding databases
● …/management/weblogic/latest/serverConfig/JDBCSystemResources
[Screenshot: the returned list of databases]
163. Management API - Here we come!
● Finding deployed applications
● …/management/weblogic/latest/domainRuntime/deploymentManager/appDeploymentRuntimes
[Screenshot: the returned list of deployed apps]
165. It’s WebShell time!
● Step 1
Get the path for the deployed application
● …/management/weblogic/latest/edit/appDeployments/benefits
[Screenshot: the application path]
166. It’s WebShell time!
● Step 2
Download the file using CVE-2020-14882
● We get a WAR (Web Application Resource or Web Application Archive) file that we can easily unzip
167. It’s WebShell time!
● Step 3
You must do AI stuff to be cool these days
● Ask ChatGPT to write a JSP WebShell
172. Summary
• We achieved unauthenticated remote code execution
○ Using CVE-2020-14883 and CVE-2020-14882
■ Shell Method
■ Remote XML Method
• We obtained and decrypted WebLogic’s admin user credentials
• Using the admin credentials, we accessed the management API
• We decrypted database passwords
• We uploaded a malicious webshell to a legit application
173. Mitigation
• Limit access to the admin port
• Monitor access to sensitive files
○ config.xml, SerializedSystemIni.dat, boot.properties
• Monitor commands executed as the server’s user
• Web Application Firewall (WAF)
• Multi Factor Authentication (MFA)
• Patch!!!
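Two of the mitigations above (limit access to the admin port, watch for abuse of the console's HTTP request handling) as a small log check, added here and not part of the talk: it parses constructed Common Log Format lines standing in for WebLogic's access log, flags console/management requests from outside an assumed admin network, and flags `..` path segments that only appear after repeated URL decoding. The sample lines, the `10.0.0.0/8` admin network and the function names are this example's assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed Common Log Format lines standing in for WebLogic's access.log;
# addresses, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:17:00:01 +0000] "GET /benefits/index.jsp HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:17:00:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048
203.0.113.7 - - [01/Jan/2024:17:00:03 +0000] "GET /console/images/%252e%252e/%252e%252e/private HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2024:17:00:04 +0000] "GET /management/weblogic/latest/serverConfig/JDBCSystemResources HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumed: administrators only reach the console / management API from here.
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]
ADMIN_PREFIXES = ("/console", "/management/")

def decode_fully(path, max_rounds=3):
    # Undo nested URL encoding so %252e%252e ends up as '..', as the server sees it.
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def inspect_line(line):
    # Return (source_ip, raw_path, findings), or None for an unparsable line.
    m = LOG_RE.match(line)
    if not m:
        return None
    src, _method, raw_path, _status = m.groups()
    findings = []
    if raw_path.startswith(ADMIN_PREFIXES) and not any(
            ip_address(src) in net for net in ADMIN_NETWORKS):
        findings.append("admin interface reached from untrusted source")
    # Split on '/' after decoding so '..' is caught as a segment, not inside a name.
    if ".." in decode_fully(raw_path.split("?", 1)[0]).split("/"):
        findings.append("path traversal after URL decoding")
    return src, raw_path, findings

def scan(log_text):
    # Keep only the entries that produced at least one finding.
    alerts = []
    for line in log_text.splitlines():
        result = inspect_line(line)
        if result and result[2]:
            alerts.append(result)
    return alerts
```

Run `scan(SAMPLE_LOG)` to get the two flagged console requests; the management API call from the admin network produces nothing.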
177. Agenda
1. What is Machine Learning
2. Leverage AI for Enhanced Protection in Application Security
3. Case Studies
4. Advantages of AI-Driven Systems Over Traditional Methods
5. Safely Embracing AI
178. What is Machine Learning
A process of training algorithms to recognize patterns and relationships in data, which can then be used to make predictions about new, unseen data.
1. Enhanced Productivity
2. Data Analysis and Insights
3. Cost Reduction
4. Scalability
179. Leverage AI for Enhanced Protection in Application Security
• Pattern Recognition & Anomaly Detection
• Immediate Reaction to Threats
• Predictive Analytics
• Evolving with Threats