WebLogic RMI Registry UnicastRef Object Deserialization of Untrusted Data RCE

ID SSV:96224
Type seebug
Reporter Root
Modified 2017-06-25T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle WebLogic. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the insufficient blacklisting of certain Java objects. The issue lies in the failure to properly validate user-supplied data which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.

In the case of WebLogic, we are interested in yososerial's JRMPListener.java payload. This serializes a RemoteObjectInvocationHandler which uses a UnicastRef object to establish a TCP connection to a remote server in order to get at the remote server's RMI registry. This connection uses JRMP so the client will deserialize whatever the server responds with, achieving unauthenticated remote code execution.