Exploiting WebLogic Servers With XMLDecoder RCE Bugs

In 2019, I reported some XMLDecoder RCE bugs in WebLogic Server to Oracle, and the details of these bugs will be disclosed for the first time. These bugs are very funny: while finding them, I analyzed the Critical Patch Updates of WebLogic Server and bypassed the patch twice, with CVE numbers CVE-2019-2725/CVE-2019-2729 assigned. In this presentation, I will share the various tactics I’ve used in the bypassing process and how to construct the different PoCs for different JDK versions. I will cover:

  • Parsing Process of XMLDecoder
  • XMLDecoder Deserialization Vulnerability
  • Exploiting WebLogic Server XMLDecoder (I will disclose some WebLogic Server RCE 0days)
  • How to bypass WAFs when exploiting WLS with XMLDecoder (I have done extensive work with web attack detection for over 5 years and will share how to bypass the famous WAFs)

MAIN CONFERENCE
Location: Track 2
Date: April 23, 2020
Time: 4:30 pm - 5:30 pm
Xu Yuanzhen