CVE-2016-5535 - Remote Code Execution vulnerability in Oracle WebLogic Server

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, oracle, nessus

Summary

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, 12.2.1.0, and 12.2.1.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

Nessus

  • NASL family: Misc.
    NASL id: ORACLE_WEBLOGIC_SERVER_CPU_OCT_2016.NASL
    description: The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities:
      - A remote code execution vulnerability exists in the JMXInvokerServlet interface due to unsafe deserialization of unauthenticated Java objects passed to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-7501)
      - An unspecified flaw exists in the Java Server Faces subcomponent that allows an authenticated, remote attacker to execute arbitrary code. (CVE-2016-3505)
      - An unspecified flaw exists in the Web Container subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-5488)
      - An unspecified flaw exists in the WLS-WebServices subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-5531)
      - An unspecified flaw allows an unauthenticated, remote attacker to execute arbitrary code. No other details are available. (CVE-2016-5535)
      - An unspecified flaw exists in the CIE Related subcomponent that allows a local attacker to impact confidentiality and integrity. (CVE-2016-5601)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94290
    published: 2016-10-26
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/94290
    title: Oracle WebLogic Server Multiple Vulnerabilities (October 2016 CPU)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94290);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/30");
    
      script_cve_id(
        "CVE-2015-7501",
        "CVE-2016-3505",
        "CVE-2016-3551",
        "CVE-2016-5488",
        "CVE-2016-5531",
        "CVE-2016-5535",
        "CVE-2016-5601"
      );
      script_bugtraq_id(
        78215,
        93627,
        93692,
        93704,
        93708,
        93730
      );
      script_xref(name:"CERT", value:"576313");
    
      script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (October 2016 CPU)");
      script_summary(english:"Checks for the patch.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application server installed on the remote host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle WebLogic Server installed on the remote host is
    affected by multiple vulnerabilities :
    
      - A remote code execution vulnerability exists in the
        JMXInvokerServlet interface due to unsafe deserialize
        calls of unauthenticated Java objects to the Apache
        Commons Collections (ACC) library. An unauthenticated,
        remote attacker can exploit this to execute arbitrary
        code. (CVE-2015-7501)
    
      - An unspecified flaw exists in the Java Server Faces
        subcomponent that allows an authenticated, remote
        attacker to execute arbitrary code. (CVE-2016-3505)
    
      - An unspecified flaw exists in the Web Container
        subcomponent that allows an unauthenticated, remote
        attacker to cause a denial of service condition.
        (CVE-2016-5488)
    
      - An unspecified flaw exists in the WLS-WebServices
        subcomponent that allows an unauthenticated, remote
        attacker to execute arbitrary code. (CVE-2016-5531)
    
      - An unspecified flaw that allows an unauthenticated,
        remote attacker to execute arbitrary code. No other
        details are available. (CVE-2016-5535)
    
      - An unspecified flaw exists in the CIE Related
        subcomponent that allows a local attacker to impact
        confidentiality and integrity. (CVE-2016-5601)");
      # http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bac902d5");
      # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the October 2016 Oracle
    Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:U/RC:X");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3505");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/26");
    
      script_set_attribute(attribute:"agent", value:"all");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
    
      script_dependencies("oracle_weblogic_server_installed.nbin");
      script_require_keys("installed_sw/Oracle WebLogic Server");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    app_name = "Oracle WebLogic Server";
    
    install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
    ohome = install["Oracle Home"];
    subdir = install["path"];
    version = install["version"];
    
    fix = NULL;
    fix_ver = NULL;
    
    # individual security patches
    if (version =~ "^10\.3\.6\.")
    {
      fix_ver = "10.3.6.0.161018";
      fix = "23743997";
    }
    else if (version =~ "^12\.1\.3\.")
    {
      fix_ver = "12.1.3.0.161018";
      fix = "23744018";
    }
    else if (version =~ "^12\.2\.1\.0($|[^0-9])")
    {
      fix_ver = "12.2.1.0.161018";
      fix = "24286148";
    }
    else if (version =~ "^12\.2\.1\.1($|[^0-9])")
    {
      fix_ver = "12.2.1.1.161018";
      fix = "24286152";
    }
    
    
    if (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)
    {
      port = 0;
      report =
        '\n  Oracle home    : ' + ohome +
        '\n  Install path   : ' + subdir +
        '\n  Version        : ' + version +
        '\n  Required patch : ' + fix +
        '\n';
      security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);
    
  • NASL family: Web Servers
    NASL id: WEBLOGIC_2016_5535.NASL
    description: The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS Security component due to unsafe deserialization of unauthenticated Java objects passed to the Apache Commons File Upload library. An unauthenticated, remote attacker can exploit this, via a crafted DiskFileItem object, to execute arbitrary code in the context of the WebLogic server.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94511
    published: 2016-11-03
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94511
    title: Oracle WebLogic Server Java Object Deserialization RCE (October 2016 CPU)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94511);
      script_version("1.11");
      script_cvs_date("Date: 2019/11/14");
    
      script_cve_id("CVE-2016-5535");
      script_bugtraq_id(93692);
      script_xref(name:"TRA", value:"TRA-2016-33");
      script_xref(name:"ZDI", value:"ZDI-16-572");
    
      script_name(english:"Oracle WebLogic Server Java Object Deserialization RCE (October 2016 CPU)");
      script_summary(english:"Sends a DiskFileItem object to the server.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Oracle WebLogic server is affected by a remote code
    execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote Oracle WebLogic server is affected by a remote code
    execution vulnerability in the WLS Security component due to unsafe
    deserialize calls of unauthenticated Java objects to the Apache
    Commons File Upload library. An unauthenticated, remote attacker can
    exploit this, via a crafted a DiskFileItem object, to execute
    arbitrary code in the context of the WebLogic server.");
      # http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bac902d5");
      # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2016-33");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-572/");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the October 2016 Oracle
    Critical Patch Update advisory.
    
    WebLogic 12.2.1.3 is also reported to be affected. Contact Oracle
    for a solution.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5535");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/03");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("weblogic_detect.nasl", "t3_detect.nasl");
      script_require_ports("Services/t3", 7001);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("t3.inc");
    
    appname = "Oracle WebLogic Server";
    
    port = get_service(svc:'t3', default:7001, exit_on_fail:TRUE);
    
    # Try to talk T3 to the server
    sock = open_sock_tcp(port);
    if (!sock) audit(AUDIT_SOCK_FAIL, port);
    version = t3_connect(sock:sock, port:port);
    
    # send ident so we can move on to login
    t3_send_ident_request(sock:sock, port:port);
    
    # send our "login request"
    auth_request = '\x05\x65\x08\x00\x00\x00\x01\x00\x00\x00\x1b\x00\x00\x00\x5d\x01\x01\x00\x73\x72\x01\x78\x70\x73\x72\x02\x78\x70\x00\x00\x00\x00\x00\x00\x00\x00\x75\x72\x03\x78\x70\x00\x00\x00\x00\x78\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x75\x72\x04\x78\x70\x00\x00\x00\x0c\x9c\x97\x9a\x9a\x8c\x9a\x9b\xcf\xcf\x9b\x93\x9a\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x10\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x56\x65\x63\x74\x6f\x72\xd9\x97\x7d\x5b\x80\x3b\xaf\x01\x03\x00\x03\x49\x00\x11\x63\x61\x70\x61\x63\x69\x74\x79\x49\x6e\x63\x72\x65\x6d\x65\x6e\x74\x49\x00\x0c\x65\x6c\x65\x6d\x65\x6e\x74\x43\x6f\x75\x6e\x74\x5b\x00\x0b\x65\x6c\x65\x6d\x65\x6e\x74\x44\x61\x74\x61\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00';
    # this is an org.apache.commons.fileupload.disk.DiskFileItem object that should not
    # be deserializable if the vulnerability was fixed
    auth_request += '\xac\xed\x00\x05\x73\x72\x00\x2f\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x66\x69\x6c\x65\x75\x70\x6c\x6f\x61\x64\x2e\x64\x69\x73\x6b\x2e\x44\x69\x73\x6b\x46\x69\x6c\x65\x49\x74\x65\x6d\x1f\x0d\x72\x26\x83\x9a\x88\x71\x03\x00\x0a\x5a\x00\x0b\x69\x73\x46\x6f\x72\x6d\x46\x69\x65\x6c\x64\x4a\x00\x04\x73\x69\x7a\x65\x49\x00\x0d\x73\x69\x7a\x65\x54\x68\x72\x65\x73\x68\x6f\x6c\x64\x5b\x00\x0d\x63\x61\x63\x68\x65\x64\x43\x6f\x6e\x74\x65\x6e\x74\x74\x00\x02\x5b\x42\x4c\x00\x0b\x63\x6f\x6e\x74\x65\x6e\x74\x54\x79\x70\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x08\x64\x66\x6f\x73\x46\x69\x6c\x65\x74\x00\x0e\x4c\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x46\x69\x6c\x65\x3b\x4c\x00\x09\x66\x69\x65\x6c\x64\x4e\x61\x6d\x65\x71\x00\x7e\x00\x02\x4c\x00\x08\x66\x69\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x02\x4c\x00\x07\x68\x65\x61\x64\x65\x72\x73\x74\x00\x2f\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x66\x69\x6c\x65\x75\x70\x6c\x6f\x61\x64\x2f\x46\x69\x6c\x65\x49\x74\x65\x6d\x48\x65\x61\x64\x65\x72\x73\x3b\x4c\x00\x0a\x72\x65\x70\x6f\x73\x69\x74\x6f\x72\x79\x71\x00\x7e\x00\x03\x78\x70\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x75\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x02\x68\x69\x70\x71\x00\x7e\x00\x08\x71\x00\x7e\x00\x08\x70\x70\x78';
    auth_request += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x25\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x49\x6d\x6d\x75\x74\x61\x62\x6c\x65\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xdd\xcb\xa8\x70\x63\x86\xf0\xba\x0c\x00\x00\x78\x72\x00\x29\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x70\x72\x6f\x76\x69\x64\x65\x72\x2e\x42\x61\x73\x69\x63\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xe4\x63\x22\x36\xc5\xd4\xa7\x1e\x0c\x00\x00\x78\x70\x77\x02\x06\x00\x73\x72\x00\x26\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x4d\x65\x74\x68\x6f\x64\x44\x65\x73\x63\x72\x69\x70\x74\x6f\x72\x12\x48\x5a\x82\x8a\xf7\xf6\x7b\x0c\x00\x00\x78\x70\x77\x34\x00\x2eauthenticate\x28\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x73\x65\x63\x75\x72\x69\x74\x79\x2e\x61\x63\x6c\x2eUserInfo\x3b\x29\x00\x00\x00\x1b\x78\x78\xfe\x00\xff';
    send_t3(sock:sock, data:auth_request);
    
    # read in the response to our bad login request
    return_val = recv_t3(sock:sock);
    close(sock);
    
    if (isnull(return_val) ||
      "org.apache.commons.fileupload.disk.DiskFileItem cannot be cast to weblogic.rjvm.ClassTableEntry" >!< return_val)
      audit(AUDIT_INST_VER_NOT_VULN, appname, version);
    
    report =
      '\nNessus was able to exploit a Java deserialization vulnerability by' +
      '\nsending a crafted Java object.' +
      '\n';
    security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);