Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation. A WebLogic server is a configured instance used to host applications and resources.
In October 2017, Oracle published a critical arbitrary code execution vulnerability in Oracle WebLogic and assigned it CVE-2017-10271. The critical Java deserialization vulnerability in WebLogic’s ‘WLS Security’ subcomponent was the result of an incomplete patch for CVE-2017-3506, a similar vulnerability in WebLogic’s ‘Web Services’ subcomponent.
The vulnerability stems from insufficient validation of serialized XML data by the ‘WorkContextXmlInputAdapter’ class. Essentially, malicious input passed to the XMLDecoder constructor and read functions within the ‘WorkContextXmlInputAdapter’ class results in the deserialization of an arbitrary Java serialized object. If exploited, the flaw will result in remote code execution (RCE), and possibly a full takeover of the web server.
According to the PoC, the vulnerability is in the CoordinatorPortType web service, which is part of the WLS Security component of WebLogic, but the endpoints mentioned below are also vulnerable entry points:
A crafted XML document can be sent to the aforementioned web service or vulnerable entry points. WebLogic deserializes it, which allows an attacker to construct arbitrary Java objects and invoke their methods, resulting in remote code execution.
A shell script (scanner.sh) is available for identifying the unauthenticated remote code execution vulnerability in WebLogic Server. The image below shows the response of a vulnerable version of WebLogic Server to this identification tool.
Response of Oracle WebLogic Server 10.3.6.0
The screenshot below shows a crafted XML document being sent to the CoordinatorPortType web service of the WLS Security component of WebLogic Server version 10.3.6.0 on Windows, where a ‘calc’ command is executed.
Request captured in Wireshark:
Response captured in Wireshark:
The screenshots below depict successful exploitation of the deserialization RCE vulnerability, where the ‘calc’ and ‘mkdir wlsr’ commands are executed on the vulnerable WebLogic Server 10.3.6.0 on a Windows machine.
Affected versions of Oracle WebLogic Server:
WebLogic versions 10.3.6.0.0, 184.108.40.206.0, 220.127.116.11.0, or 18.104.22.168.0
Upgrade to WebLogic Server 22.214.171.124 or later.
- Since the vulnerability exists in the wls-wsat component, users are advised to back up and delete this component if it is not used in the WLS cluster.
- Delete the WebLogic wls-wsat component.
- Restart the WebLogic domain controller service.
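The backup and delete steps above can be scripted so that nothing is removed until the backup is readable. This is an added example, not code from the original post or from Oracle; it assumes every copy of the component under the chosen root is a file or directory whose name starts with wls-wsat, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: every copy of the component under ROOT is a file
# or directory whose name starts with "wls-wsat".

# Print matching paths relative to ROOT. -prune stops find from descending
# into a matched directory, so an exploded copy is listed once.
find_wls_wsat() {
    (cd "$1" 2>/dev/null && find . -name 'wls-wsat*' -prune -print) | sort
}

# Archive the matches to BACKUP (a .tar.gz kept outside ROOT), check that the
# archive is readable, and only then delete them. Returns non-zero if the
# backup fails or a match is still present afterwards.
remove_wls_wsat() {
    wsat_root=$1
    wsat_backup=$2
    wsat_found=$(find_wls_wsat "$wsat_root")
    if [ -z "$wsat_found" ]; then
        echo "no wls-wsat artefacts under $wsat_root"
        return 0
    fi
    # Relative paths plus -C let the archive be restored with
    # tar -xzf BACKUP -C ROOT.
    printf '%s\n' "$wsat_found" | tar -czf "$wsat_backup" -C "$wsat_root" -T - || return 1
    tar -tzf "$wsat_backup" >/dev/null || return 1
    printf '%s\n' "$wsat_found" | while IFS= read -r wsat_path; do
        rm -rf -- "$wsat_root/$wsat_path" && echo "removed $wsat_root/$wsat_path"
    done
    # Re-scan: anything still listed means the removal was incomplete.
    [ -z "$(find_wls_wsat "$wsat_root")" ]
}

# Run only when called as: script ROOT BACKUP. Restart the domain afterwards.
if [ "$#" -eq 2 ]; then
    remove_wls_wsat "$1" "$2"
fi
```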