Immunity Canvas: WEBLOGIC_T3_DESERIALIZATION

Weblogic’s AdminServer servlet allows remote administration (often unauthenticated) via the
proprietary T3 protocol. This protocol is similar to RMI in the sense that it depends on the exchange
of serialized Java objects that are then re-serialized. Apache Commons pre-3.2.2 allows users to
serialize transformers on collection values. Of importance to us is the InvokerTransfomer, which
is capable of invoking Java methods. We are able to run these transformers by adding them to an
annotation map whose members are acccessed. The right chain of method invocations leads to arbitrary
code execution.

Version support:
Installer did not support the JVM version unless marked otherwise.
> Ubuntu Linux 14.04.3 - x86
- 10.3.6 on Java SE 6
- 10.3.6 on JRockit 1.6 - NOT SUPPORTED
- 12.2.1 on Java SE 8 ()
- 12.1.2 on Java SE 7 / 8
- 12.1.3 on Java SE 7 / 8
> Windows 7 Ultimate SP 1 x86
- 12.1.3 on Java SE 8 - FAILED
- 12.1.3 on Java SE 7
- 12.1.2 on Java SE 7
- 12.2.1 on Java SE 8 - FAILED
- 12.2.1 on Java SE 6 - Installer does not support Java version
- 12.2.1 on Java SE 7 - Installer does not support Java version
- 10.3.6 on Java SE 6
- 10.3.6 on JRockit 1.6 - NOT SUPPORTED

Repeatability: One Shot
References: [‘http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/’, ‘https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread’, ‘http://www.oracle.com/technetwork/topcis/security/alert-cve-2015-4852-2763333.html’, ‘https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7501’]
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852