12 August 2021

Exploits Explained Part 2

Synack

In this installment of Exploits Explained, we’re going to demonstrate a vulnerability in Oracle WebLogic Server that allows an unauthenticated attacker to achieve remote code execution with a single HTTP request.

Exploit teardown credit goes to Jang on Medium.

To see the vulnerability in action, read on, or check out this video walkthrough:

This vulnerability was recently encountered by one of our Synack Red Team researchers during a web application penetration test. 

Here’s why this vulnerability is such a big deal:

1. It’s a Remote Code Execution (RCE) vulnerability, and RCE is a common initial-access vector in modern ransomware attacks
2. It affects a widely deployed application
3. A public exploit is available
4. It’s not hard to pull off and requires no authentication

While this particular vulnerability has already been patched, we’ll walk you through how an attacker would be able to exploit this in the wild. 

Oracle WebLogic Server decides whether a request to the administration console requires authentication based on the URL path of the request. The paths that are exempt can be found in the values set in “WebAppSecurityWLS.getConstraint()”: static resource directories such as /css/ are served without login. In this attack, the request path begins with /console/css/, so when the web application evaluates the security constraint it sets the “unrestrict” flag to true and passes the request along unauthenticated. The rest of the path carries a double-URL-encoded ../ (%252E%252E%252F); the constraint check matches on the raw path, but the path traversal resolves when the request is handled, so the attacker reaches the console.portal endpoint that should have required authentication.
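The following is an added example, not code from the original article or from Oracle WebLogic: a simplified model of a path-based authentication constraint, showing why matching the exemption list against the raw, still-encoded request path lets a double-encoded ../ borrow the /css/ exemption, and how deciding on the canonical (decoded and normalized) path instead closes the gap. The prefix list, function names and the probe paths are assumptions chosen to mirror the /css/ exemption and the request shape described above.

```python
import posixpath
from urllib.parse import unquote

# Simplified model of a path-based authentication constraint. Paths under these
# prefixes serve static assets and are exempt from login. The list is a hypothetical
# stand-in for the /css/ exemption the article describes, not WebLogic's own config.
UNRESTRICTED_PREFIXES = ("/console/css/", "/console/images/")


def vulnerable_is_unrestricted(raw_path):
    """Vulnerable check: the exemption list is matched against the raw request
    path, without decoding or normalizing it. A double-encoded ../ after /css/
    therefore keeps the 'unrestricted' flag even though the request will later
    resolve to console.portal."""
    return raw_path.startswith(UNRESTRICTED_PREFIXES)


def canonicalize(raw_path, max_rounds=3):
    """Percent-decode until the path stops changing (bounded, so an attacker
    cannot force unbounded work), then collapse '.' and '..' segments."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    canonical = posixpath.normpath(path)
    if path.endswith("/") and not canonical.endswith("/"):
        canonical += "/"  # normpath strips a trailing slash; keep it for prefix matching
    return canonical


def hardened_is_unrestricted(raw_path):
    """Hardened check: the decision is made on the canonical path, i.e. the path
    the application will actually serve, so the exemption cannot be borrowed by
    a request that only looks like a /css/ asset before decoding."""
    return canonicalize(raw_path).startswith(UNRESTRICTED_PREFIXES)


def demo():
    """Evaluate three constructed probe paths under both checks."""
    probes = [
        "/console/css/console.css",                    # legitimate static asset
        "/console/css/%252e%252e%252fconsole.portal",  # auth-bypass shape from the article
        "/console/console.portal",                     # direct request, correctly restricted
    ]
    return {p: (vulnerable_is_unrestricted(p), hardened_is_unrestricted(p)) for p in probes}


if __name__ == "__main__":
    for path, (vuln, hard) in demo().items():
        print(f"{path:48} vulnerable={vuln!s:5} hardened={hard}")
```

The model is only meant to show the class of mistake; the real fix for an affected server is Oracle’s patch, not a reimplementation of the check in front of it.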

The console.portal endpoint can be made to instantiate a class called ShellSession, whose exec() method allows system commands to be run on both Linux and Windows hosts.

These commands are sent as an MVEL expression passed under the handle “com.tangosol.coherence.mvel2.sh.ShellSession”. In the publicly available exploit, the MVEL expression reads the value of an HTTP request header named cmd and uses that value as the command to execute, as seen here:

The output of the command is then written into the server’s response where the attacker can see the results of the command sent.

The server’s response for the commands whoami and ipconfig can be seen here:

This was patched in the October 2020 Critical Patch Update (CPU). Affected versions include:

10.3.6.0.0
12.1.3.0.0
12.2.1.3.0
12.2.1.4.0
14.1.1.0.0

Organizations running these versions of Oracle WebLogic Server should review access logs for HTTP requests to the console.portal endpoint, in particular ones that reach it through /console/css/, and for any request containing the double-URL-encoded value of ../ (%252E%252E%252F; match case-insensitively, since %252e%252e%252f is equivalent). A handle parameter naming com.tangosol.coherence.mvel2.sh.ShellSession is a further indicator of this exploit.

Organizations should also check for suspicious processes spawned by the application, that is, child processes of the WebLogic Java process. This typically means cmd.exe (for Windows) or /bin/sh (for *nix systems).
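As an added example (not part of the original article, and not a detection shipped by Synack or Oracle), the two checks above run over constructed sample data: an access-log scanner that flags requests reaching console.portal, requests whose path contains an encoded ../ at any encoding depth, and requests carrying the ShellSession handle; and a process-event scanner that flags shells whose parent is a Java process. The log lines, process events, field names and rule labels are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Aug/2021:10:01:02 +0000] "GET /console/css/console.css HTTP/1.1" 200 1412 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2021:10:01:07 +0000] "GET /console/css/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession HTTP/1.1" 200 5023 "-" "python-requests/2.25.1"
10.0.0.7 - - [12/Aug/2021:10:02:11 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2021:10:02:40 +0000] "POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 4400 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SHELL_HANDLE = "com.tangosol.coherence.mvel2.sh.shellsession"


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    %252e%252e%252f -> %2e%2e%2f -> ../ is caught regardless of encoding depth."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_line(line):
    """Return a finding dict for one log line, or None if no rule matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    decoded = decode_fully(target).lower()   # case-insensitive: %252E and %252e both decode
    path = decoded.split("?", 1)[0]
    rules = []
    if "console.portal" in path:
        rules.append("console.portal")
    if "../" in path or "..\\" in path:      # a literal ../ should never survive a browser
        rules.append("encoded-traversal")
    if SHELL_HANDLE in decoded:              # handle parameter lives in the query string
        rules.append("shellsession-handle")
    if not rules:
        return None
    return {"ip": ip, "time": ts, "method": method, "status": status, "rules": rules}


def scan_access_log(text):
    return [f for f in map(scan_access_line, text.splitlines()) if f]


# Constructed process-creation events (EDR/Sysmon-style fields); not from a real host.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "java.exe -Dweblogic.Name=AdminServer weblogic.Server"},
    {"pid": 5516, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"pid": 23011, "image": "/bin/sh",
     "parent_image": "/usr/lib/jvm/java-8-openjdk/bin/java",
     "cmdline": "/bin/sh -c id"},
    {"pid": 6001, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe"},
]

SHELL_IMAGES = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}


def basename(path):
    """Last path component, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def scan_process_events(events):
    """Flag shell processes whose parent is a Java process (the WebLogic JVM)."""
    return [e for e in events
            if basename(e["image"]) in SHELL_IMAGES
            and basename(e["parent_image"]).startswith("java")]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("HTTP:", hit)
    for ev in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print("PROC:", ev["pid"], ev["cmdline"], "<-", ev["parent_image"])
```

The process rule will also fire on legitimate shell-outs from any Java service, so in production scope it to the WebLogic server’s own process and review the command lines rather than alerting blindly.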

It’s critical that organizations verify, through penetration testing, that they can’t be compromised by this vulnerability. We recommend a crowdsourced penetration testing approach for higher quality results and a true adversarial perspective.

Stay tuned to the Exploits Explained series for further walkthroughs of vulnerabilities encountered by the SRT in the field. 

Learn more about the SRT, or about Synack’s crowdsourced penetration testing at www.synack.com