Introduction
Oracle recently published an advisory for a serious deserialization flaw that impacts WebLogic Server versions 10.3.6.0 and 12.1.3.0. The flaw is trivial to exploit and leads to RCE with uid=1000(oracle) rights. Exploits are already in the wild; the simplest one to use is in Metasploit.
Installing Vulnerable Docker
To safely test this exploit without getting in trouble with the law, you can download a vulnerable Docker container. Here is mine:
Detection
The easiest way to detect a WebLogic instance is the Nmap NSE script weblogic-t3-info, which speaks the T3 protocol to the port and reports the server version from the banner.
$ sudo nmap --script weblogic-t3-info -p 49163 127.0.0.1 -sSV
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-02 20:21 +08
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE VERSION
49163/tcp open http Oracle WebLogic admin httpd
|_weblogic-t3-info: T3 protocol in use (WebLogic version: 12.1.3.0)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.55 seconds
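The NSE script above works by sending a T3 client greeting and reading the HELO banner the server answers with. The following Python is an added example, not code from the original post or from Nmap: it reproduces that banner check as an inventory helper that parses the version out of a reply and flags the two versions the advisory names. The greeting string and the `HELO:` reply format are assumptions taken from the T3 handshake the script relies on; the sample replies are constructed, not captured.

```python
import re
import socket

# Versions the advisory (and this post) name as affected.
AFFECTED_VERSIONS = {"10.3.6.0", "12.1.3.0"}

# T3 client greeting, the same handshake the weblogic-t3-info script sends
# (assumed format: protocol/version line followed by AS/HL/MS headers).
T3_PROBE = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# A T3 server answers with "HELO:<version>.<secure flag>\n..." (assumed format).
HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)*)")


def parse_t3_helo(response: bytes):
    """Extract the WebLogic version from a T3 HELO reply.

    Returns the dotted version string (e.g. '12.1.3.0'), or None when the
    reply is not a T3 HELO banner (e.g. an HTTP error from a non-T3 port).
    """
    m = HELO_RE.match(response)
    return m.group(1).decode("ascii") if m else None


def classify(version):
    """Map a parsed version to 'affected', 'not-listed' or 'unknown'."""
    if version is None:
        return "unknown"
    return "affected" if version in AFFECTED_VERSIONS else "not-listed"


def probe_t3(host, port, timeout=5.0):
    """Send the T3 greeting to host:port and return (version, classification).

    All network I/O is confined here so the parsing above can be checked offline.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_PROBE)
        data = s.recv(1024)
    version = parse_t3_helo(data)
    return version, classify(version)


# Constructed sample replies (not captured from a real server).
SAMPLE_HELO = b"HELO:12.1.3.0.false\nAS:2048\nHL:19\n\n"
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python t3check.py <host> <port>
        print(probe_t3(sys.argv[1], int(sys.argv[2])))
    else:
        for reply in (SAMPLE_HELO, SAMPLE_HTTP):
            v = parse_t3_helo(reply)
            print(repr(reply[:20]), v, classify(v))
```

Run it with a host and port to probe a single listener, or with no arguments to see how the two constructed replies are parsed. A "not-listed" result only means the banner is not one of the two versions the advisory names; treat it as a prompt to check the patch level, not as proof the host is safe.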
Exploitation
The fastest way to exploit this bug is the "exploit/multi/misc/weblogic_deserialize_asyncresponseservice" module in msfconsole:
Set up RHOST, RPORT and PAYLOAD:
Once everything is in place, run the exploit against your docker container:
Exploit Analysis & Summary
This exploit is so easy to run that it is being used to randomly hit servers across the world to mine cryptocurrency. It is basically a one-liner exploit; take a look at its payload in real time using tcpdump:
The payload sends a bash reverse shell to an attacker IP address on port 4444. You can practically swap it out for anything, e.g. any other RCE payload. Being so simple to exploit, you may think that most organizations have patched their systems already. Well, the mighty US DoD (US Department of Defense) was caught with their pants down during a bounty. Often the simplest things are the ones that catch us by surprise. During my pen-test engagements, very often I'd obtain critical findings from simple things like weak admin credentials, missing critical patches and stupid misconfigurations. So, if you are a pen-tester, always start with the basics. Enumerate the targets thoroughly; do not leave any stone unturned. The more you know about your targets, the more likely you'll be able to hack them. The important piece is the detection and enumeration of vulnerabilities. The exploitation is usually easy once you know what you are after.