Exploiting Oracle WebLogic RCE (Multiple Zero-Days)

Oracle WebLogic Server 12c, the world’s first cloud-native enterprise Java platform, enables you to fully realize the benefits of cloud computing. It is widely used by mainstream enterprises for hosting Java-based applications.

Oracle WebLogic is now frequently affected by multiple zero-days. It has been reported that this critical vulnerability is under active exploitation; we urge all WebLogic users to take steps to remediate as soon as possible. A successful attack can lead to full system compromise, depending on the privileges of the Oracle WebLogic server.

I have shared a proof of concept for the WebLogic exploit. Unfortunately, pro tools like Nessus Professional and Qualys were not able to detect this vulnerability while doing the test. More details of the series of vulnerabilities are given below.

https://www.rapid7.com/db/modules/exploit/multi/misc/weblogic_deserialize

Below is the list of CVEs that have been published regarding this critical remote code execution vulnerability series.
CVE-2019-2658
CVE-2019-2645
CVE-2019-2646
CVE-2019-2725
CVE-2018-3252
CVE-2018-3250
CVE-2018-3191
CVE-2018-3197
CVE-2018-2893
CVE-2017-10352

To start, we can scan the remote WebLogic server with Nmap.

nmap -sS -sV -p- <target_ip> -vv

Now check whether the WLS-SAT component is enabled or not. This can be done by browsing directly to http://vulnerableserver/wls-sat/

Now the exploit code. Below is the advanced crafted exploit, which creates a reverse command shell inside a Windows system.

Also refer:

https://www.exploit-db.com/exploits/46814
https://www.exploit-db.com/exploits/43924

Now the exploit is run against the target vulnerable server using Burp Repeater. You can also use the curl command to do that. Make sure you listen on the local port that was initially set in the exploit code. Here we used port 443, as most firewalls ignore traffic going through 443.

The screenshot below shows the reverse shell received on successful exploitation of the vulnerability.

Oracle has been trying to patch this RCE vulnerability repeatedly, so always upgrade to the latest release version. As a precautionary measure, patch your software to the latest version as per their repository, and if the wls-sat component is not required, disable it.
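
To confirm the component is really disabled and to review whether it was reached before patching, the server's HTTP access log can be searched for requests to the component path. The following is an added example, not code from the original post: it assumes Common Log Format lines and the /wls-sat/ path given above, and the function names, verdict labels and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

COMPONENT_PREFIX = "/wls-sat/"   # path as given in the article; adjust to your deployment
SEVERITY = ["blocked", "exposed", "investigate"]   # ascending order of concern

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

def classify(method, status):
    """Triage heuristic (an assumption of this example, not a vendor rule)."""
    if status in (403, 404):
        return "blocked"        # component disabled or filtered in front
    if method == "POST":
        return "investigate"    # a request body reached the component
    return "exposed"            # component answered a probe

def component_hits(lines, prefix=COMPONENT_PREFIX):
    """Return {client_ip: {"verdict": worst_seen, "requests": n}} for hits on prefix."""
    out = defaultdict(lambda: {"verdict": "blocked", "requests": 0})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue            # not an access-log line; skip it
        # Drop the query string, decode %xx, ignore case and collapse "//" so
        # trivially altered spellings of the path still match.
        path = unquote(m["path"].split("?", 1)[0]).lower()
        path = re.sub(r"/{2,}", "/", path)
        if not (path.rstrip("/") + "/").startswith(prefix.lower()):
            continue
        verdict = classify(m["method"], int(m["status"]))
        entry = out[m["ip"]]
        entry["requests"] += 1
        if SEVERITY.index(verdict) > SEVERITY.index(entry["verdict"]):
            entry["verdict"] = verdict
    return dict(out)

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/May/2019:10:01:02 +0530] "GET /console/login HTTP/1.1" 200 3120',
    '198.51.100.7 - - [09/May/2019:10:02:11 +0530] "GET /wls-sat/ HTTP/1.1" 200 812',
    '198.51.100.7 - - [09/May/2019:10:02:40 +0530] "POST /wls-sat/example HTTP/1.1" 500 1450',
    '203.0.113.5 - - [09/May/2019:10:05:00 +0530] "GET //WLS-SAT/%65xample?x=1 HTTP/1.1" 404 0',
    '203.0.113.9 - - [09/May/2019:10:06:00 +0530] "GET /wls-sat-docs/index.html HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for ip, info in component_hits(SAMPLE_LOG).items():
        print(ip, info["verdict"], info["requests"])
```

After the component has been disabled, every remaining hit should come back as "blocked"; any "investigate" entry from before the patch date is a starting point for incident response on that host.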

Update, Patch, Disable, and Be Safe….

May 9th, 2019 | Penetration Testing, Web Applications
