CVE-2024-21181 Plugin

doyensec/detectors/weblogic_cve_2024_21181/README.md

@@ -0,0 +1,35 @@
+# WebLogic IIOP Deserialization (CVE-2024-21181)
+
+## Description
+
+CVE-2024-21181 is a critical vulnerability in Oracle WebLogic Server. The vulnerability lies in the way it
+handles T3/IIOP requests. When performing the lookup for a Reference object the unsafe deserialization is triggered.
+
+### Detector's implementation
+
+This detector only exploits the deserialization vulnerability to perform a simple DNS callback. 
+Even though this doesn't leak any sensitive data, it hints that a more complex gadget chain is possible.
+Implementing a gadget-chain that leverages the deserialization vulnerability to achieve a complete RCE
+it's outside the scope of the scanner.
+
+**The detector needs the Tsunami Callback Server with the DNS mode enabled.**
+
+The detector does not need any Oracle library, as (part of) the protocol used for the communication has been reverse-engineered and is handled entirely by the detector itself.
+
+## Affected Versions
+
+-  WebLogic Server 12 <= v12.2.1.4.0
+-  WebLogic Server 14 <= v14.1.1.0.0
+
+## Build the plugin
+
+```shell
+./gradlew build
+```
+
+The Tsunami identifiable jar file is located in the `build/libs` directory.
+
+## Notes
+### T3 Protocol
+
+This detector uses the IIOP protocol to trigger the deserialization bug. It should theoretically be possible to use the T3 protocol, but during testing we found that using T3 seem to actually trigger the bug on the client side – i.e. on our own detector – instead that on the server.

doyensec/detectors/weblogic_cve_2024_21181/build.gradle

@@ -0,0 +1,74 @@
+plugins {
+    id 'java-library'
+}
+
+description = 'WebLogic IIOP Unsafe Deserialization (CVE-2024-21181)'
+group = 'com.google.tsunami'
+version = '0.0.1-SNAPSHOT'
+
+repositories {
+    maven { // The google mirror is less flaky than mavenCentral()
+        url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
+    }
+    mavenCentral()
+    mavenLocal()
+}
+
+java {
+    sourceCompatibility = JavaVersion.VERSION_11
+    targetCompatibility = JavaVersion.VERSION_11
+
+    jar.manifest {
+        attributes('Implementation-Title': name,
+                'Implementation-Version': version,
+                'Built-By': System.getProperty('user.name'),
+                'Built-JDK': System.getProperty('java.version'),
+                'Source-Compatibility': sourceCompatibility,
+                'Target-Compatibility': targetCompatibility)
+    }
+
+    javadoc.options {
+        encoding = 'UTF-8'
+        use = true
+        links 'https://docs.oracle.com/javase/8/docs/api/'
+    }
+
+    // Log stacktrace to console when test fails.
+    test {
+        testLogging {
+            exceptionFormat = 'full'
+            showExceptions true
+            showCauses true
+            showStackTraces true
+        }
+        maxHeapSize = '1500m'
+    }
+}
+
+ext {
+    tsunamiVersion = 'latest.release'
+    junitVersion = '4.13.1'
+    mockitoVersion = '2.28.2'
+    truthVersion = '1.0.1'
+    guiceVersion = '4.2.3'
+    guavaVersion = '33.3.1-jre'
+    autoValueVersion = '1.11.0'
+}
+
+dependencies {
+    implementation      "com.google.guava:guava:${guavaVersion}"
+    implementation      "com.google.tsunami:tsunami-common:${tsunamiVersion}"
+    implementation      "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
+    implementation      "com.google.tsunami:tsunami-proto:${tsunamiVersion}"
+    implementation      "com.google.inject:guice:${guiceVersion}"
+    compileOnly         "com.google.auto.value:auto-value-annotations:${autoValueVersion}"
+    annotationProcessor "com.google.auto.value:auto-value:${autoValueVersion}"
+
+    testImplementation "junit:junit:${junitVersion}"
+    testImplementation "org.mockito:mockito-core:${mockitoVersion}"
+    testImplementation "com.google.inject:guice:${guiceVersion}"
+    testImplementation "com.google.truth:truth:${truthVersion}"
+    testImplementation "com.google.inject.extensions:guice-testlib:${guiceVersion}"
+    testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+    testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+}

doyensec/detectors/weblogic_cve_2024_21181/gradle/wrapper/gradle-wrapper.properties

@@ -0,0 +1,6 @@
+#Tue Dec 03 18:52:37 CET 2024
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists

doyensec/detectors/weblogic_cve_2024_21181/settings.gradle

@@ -0,0 +1 @@
+rootProject.name = 'weblogic_cve_2024_21181'

doyensec/detectors/weblogic_cve_2024_21181/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202421181/Annotations.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.cves.cve202421181;
+
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.PARAMETER;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import javax.inject.Qualifier;
+
+/** Annotation for {@link WeblogicUnsafeDeserializationDetector}. */
+final class Annotations {
+  @Qualifier
+  @Retention(RetentionPolicy.RUNTIME)
+  @Target({PARAMETER, METHOD, FIELD})
+  @interface OobSleepDuration {}
+
+  private Annotations() {}
+}