Vulnerability introduction

The WLS Security component of WebLogic exposes a web service that uses XMLDecoder to parse XML data supplied by users. A deserialization vulnerability occurs during parsing and results in arbitrary command execution; an attacker who sends carefully constructed XML data can even obtain a reverse shell.

Affected versions

Oracle WebLogic Server 10.3.6.0.0

Oracle WebLogic Server 12.1.3.0.0

Oracle WebLogic Server 12.2.1.1.0

Oracle WebLogic Server 12.2.1.2.0

Vulnerability reproduction environment

Attacker: Kali 2021

Server: Vulhub’s WebLogic CVE-2017-10271 environment

Vulnerability reproduction

The attacker sends the reverse-shell payload using Burp:

Shell obtained:

POC

Github.com/NingKn/CVE_…

Vulnerability analysis

CVE-2017-10271 is a remote command execution vulnerability in the WLS component of WebLogic Server. The triggering URL is as follows:

http://192.168.124.42:7001/wls-wsat/CoordinatorPortType. POST data in the form of a constructed SOAP (XML) request is sent to it, and the XMLDecoder deserialization vulnerability is triggered while that request is parsed.

  1. In the processRequest method of the weblogic.wsee.jaxws.workcontext.WorkContextServerTube class, the POST data we sent is processed as SOAP (XML) data; var1 is the incoming SOAP data. After configuring remote debugging in IDEA and starting the debugger, a breakpoint is set in the processRequest method:

  2. After Burp sends the packet via POST, IDEA stops at the breakpoint, where the var1 variable is the XML data we sent:

  3. As the code proceeds to the readHeaderOld method, we look at the var3 variable before following it:

  4. Following the readHeaderOld method, we find that a round of transformation takes place, producing the WorkContextXmlInputAdapter object var6; below it is the method by which the var4 variable stores the XML data:

  5. The buf field in var6 is the data from var4, i.e. the XML we sent:

  6. The var1 argument is the var6 object above:

  7. Follow the receiveRequest method of var2:

  8. Here var1 is the var1 parameter above:

  9. Follow the receiveRequest method:

  10. Following the readEntry method, var0 holds the XML data:

  11. Follow the readUTF method of var0:

XMLDecoder.readObject is called directly on the user-supplied data, which is what creates the vulnerability.
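The call chain above means that any SOAP header reaching wls-wsat is handed to XMLDecoder without validation, so a defender can look for XMLDecoder-style markup in POST bodies to that path. The following is an added detection example, not code from the original post; the request samples are constructed, and the WorkContext header namespace is assumed to match what WebLogic uses.

```python
import re
from typing import Dict, List

# Path the page identifies as the CVE-2017-10271 trigger (WLS-WSAT web service).
WLS_WSAT_PATH = re.compile(r"^/wls-wsat/", re.IGNORECASE)

# Element shapes that only appear in java.beans.XMLDecoder serialization; the page
# shows readUTF() handing the WorkContext header straight to XMLDecoder.readObject.
XMLDECODER_MARKERS = {
    "java-root": re.compile(r"<\s*java\b", re.IGNORECASE),
    "object-class": re.compile(r"<\s*object\s+class\s*=", re.IGNORECASE),
    "void-call": re.compile(r"<\s*void\s+(?:method|class|index)\s*=", re.IGNORECASE),
}


def classify_request(method: str, path: str, body: str) -> Dict[str, object]:
    """Flag a request only when it is a POST to wls-wsat AND carries XMLDecoder markup."""
    hits = [name for name, rx in XMLDECODER_MARKERS.items() if rx.search(body)]
    on_wls_wsat = bool(WLS_WSAT_PATH.search(path))
    return {
        "path": path,
        "wls_wsat": on_wls_wsat,
        "markers": hits,
        "suspicious": method.upper() == "POST" and on_wls_wsat and bool(hits),
    }


def scan(requests: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Classify a batch of requests (e.g. parsed from a reverse-proxy or WAF log)."""
    return [classify_request(r["method"], r["path"], r["body"]) for r in requests]


# Constructed samples: a normal SOAP call, a header carrying XMLDecoder markup
# (instantiating a harmless StringBuilder), and an unrelated console request.
SOAP_OPEN = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/wls-wsat/CoordinatorPortType",
     "body": SOAP_OPEN + "<soapenv:Header/><soapenv:Body/></soapenv:Envelope>"},
    {"method": "POST", "path": "/wls-wsat/CoordinatorPortType",
     "body": SOAP_OPEN + '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
             '<java version="1.8.0" class="java.beans.XMLDecoder"><object class="java.lang.StringBuilder"/>'
             "</java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"},
    {"method": "GET", "path": "/console/login/LoginForm.jsp", "body": ""},
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_REQUESTS):
        print(verdict)
```

Only the second sample is flagged; a plain SOAP call to the same endpoint is not, which keeps the rule usable on servers that legitimately serve wls-wsat.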

Conclusion:

The WLS component uses XMLDecoder to parse XML data supplied by the user. A deserialization vulnerability occurs during parsing, resulting in arbitrary command execution.

Bug fix:

Method 1: Delete the wls-wsat component and restart WebLogic

Method 2: Download the official patch from Oracle and apply it