A vulnerability affecting Oracle WebLogic Server was recently submitted to Crowdsource. It is an unauthenticated remote code execution (RCE) that is easily exploited. In this article we go through the technical aspects of the Oracle WebLogic RCE vulnerability and its exploitation.
The vulnerability affects the Web Services (WLS) subcomponent. The path /ws_utc/config.do (on port 7001) is by default reachable without any authentication; however, this page is only available in development mode. To make the vulnerability exploitable, the attacker needs to set a new Work Home Dir that is writable. The path servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css works for this. Once the new writable Work Home Dir is set, it is possible to upload a JSP file in the Security tab.
The page lets an attacker upload a JKS keystore that is in fact a Java Server Pages (JSP) file. These uploaded files can then be accessed and executed. The upload is done as a multipart/form-data request to the path ws_utc/resources/setting/keystore.
The server then responds with XML containing the keyStoreItem ID, which is used to reach the uploaded file at a path of the form /ws_utc/css/config/keystore/1582617386107_filename.jsp
If a hacker acts upon this vulnerability, they may be able to completely compromise the server. However, because the test page only exists in development mode, it is very important to check that your WebLogic server is not running in development mode. In some cases port 7001 is filtered and therefore not reachable from the Internet.
For an attacker this vulnerability is very easy to detect: WebLogic is easily fingerprinted (via its Server header), and a quick search on Shodan shows that many instances are exposed on the Internet.
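A log-based check for the three stages described above, added here as an example and not part of the original post: it flags accesses to the ws_utc test-client page, POST uploads to the keystore endpoint, and fetches of JSP files from the keystore directory, then groups the hits per source address. The combined log format and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample lines in combined log format (an assumed format; not from the post).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2020:08:36:12 +0000] "GET /ws_utc/config.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Feb/2020:08:36:40 +0000] "POST /ws_utc/resources/setting/keystore HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Feb/2020:08:36:55 +0000] "GET /ws_utc/css/config/keystore/1582617386107_filename.jsp HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Feb/2020:08:40:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# One rule per stage described in the article: (name, required method or None, path pattern).
RULES = [
    ("ws_utc test-client page reached", None, re.compile(r"^/ws_utc/config\.do(\?|$)")),
    ("keystore upload to ws_utc", "POST", re.compile(r"^/ws_utc/resources/setting/keystore(\?|$)")),
    ("JSP fetched from ws_utc keystore dir", "GET",
     re.compile(r"^/ws_utc/css/config/keystore/\d+_[^/?]+\.jsp(\?|$)")),
]

def classify(entry):
    """Return the name of the first rule matching a parsed log entry, else None."""
    for name, method, pattern in RULES:
        if (method is None or entry["method"] == method) and pattern.match(entry["path"]):
            return name
    return None

def scan_log(text):
    """Return (ip, timestamp, rule, status) for every log line that hits a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        rule = classify(m.groupdict())
        if rule is not None:
            findings.append((m["ip"], m["ts"], rule, int(m["status"])))
    return findings

def stages_by_source(findings):
    """Group distinct rule hits per client IP; one source hitting all three stages is the strongest signal."""
    stages = defaultdict(set)
    for ip, _ts, rule, _status in findings:
        stages[ip].add(rule)
    return {ip: sorted(rules) for ip, rules in stages.items()}

if __name__ == "__main__":
    for ip, rules in stages_by_source(scan_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(rules))
```

A single hit on /ws_utc/config.do from a scanner is common noise; the upload followed by a JSP fetch from the same source is what warrants an incident.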