Oracle WebLogic Deserialization Remote Code Execution
On the 21st of April, the KnownSec 404 Team published information about a deserialization vulnerability in Oracle WebLogic. Oracle WebLogic Server is a Java EE application server developed by Oracle Corporation. A quick ZoomEye search reveals that Oracle WebLogic is deployed on over 101,000 servers.
Five days later, Oracle released a security alert, CVE-2019-2725, for this vulnerability.
Figure 1 Oracle WebLogic has been deployed on over 101,000 servers
Exploit
The vulnerability lies in the wls9_async and wls-wsat components and affects all WebLogic versions. Security researchers at F5 Networks constantly monitor web traffic at locations throughout the world, which allows us to detect current threats and gain insight into threat actors' attack patterns.
Immediately after this vulnerability was first published, we began detecting campaigns by threat actors looking to take advantage of it.
Figure 2 One of the malicious requests targeting this vulnerability using an older gadget
Figure 3 Another malicious request targeting this vulnerability using an older gadget
In both of these campaigns, the threat actors targeted the vulnerable WebLogic component endpoint _async using a known Java deserialization gadget. The same gadgets were also used to execute malicious commands on vulnerable servers by exploiting CVE-2017-10271.
Based on our research, this vulnerability can also be exploited using a new gadget. This gadget uses the UnitOfWorkChangeSet class to deserialize the bytecode of the payload. The bytecode object is then passed to XMLEncoder, which tries to create an XML file. As a result, user-defined data that is converted to a bytecode object is deserialized unsafely, which leads to remote code execution.
Figure 4 Sample exploitation request
Figure 5 Invoking calc by exploiting this vulnerability
Mitigating the vulnerability with BIG-IP ASM
To mitigate this vulnerability, we have released new Server Side Code Injection signatures for WebLogic systems that address the new Java deserialization gadget.
- 200004754: Java code injection - oracle.toplink.internal.sessions.UnitOfWorkChangeSet (Parameter)
- 200004755: Java code injection - oracle.toplink.internal.sessions.UnitOfWorkChangeSet (Header)
- 200004756: Java code injection - oracle.toplink.internal.sessions.UnitOfWorkChangeSet
Figure 6 Newly released signature to detect exploitation of this vulnerability
Exploitation attempts observed in the wild that use the older Java deserialization gadget are detected by existing Java code injection attack signatures, which are included in signature sets that contain the “Server Side Code Injection” attack type.
Figure 7 Attack signature for sensitive Java class
Figure 8 Attack signature for Java code injection
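The three signatures above differ only in where they look for the gadget class name: a request parameter, a request header, or anywhere in the request. The following Python script is an added example (not F5's signature engine, and not code from the original post) that applies the same three checks to raw HTTP requests, so a defender can see which location each signature covers and verify that a request to the _async endpoint carrying the class name is flagged. The sample requests are constructed for this example, carry no serialized payload, and use a hypothetical host name; the only class name assumed is the one listed in the signatures.

```python
"""Flag HTTP requests that carry the UnitOfWorkChangeSet gadget class name.

Added example: mirrors the three signature locations (parameter, header,
request body) listed above. This is illustrative detection logic, not the
BIG-IP ASM implementation.
"""
import re
from urllib.parse import parse_qsl

# Class name named by signatures 200004754-200004756 (from the post above).
GADGET_CLASS = "oracle.toplink.internal.sessions.UnitOfWorkChangeSet"

# Case-insensitive match that also tolerates URL-encoded dots ("%2E") so a
# raw, still-encoded header or body does not slip past the check.
GADGET_RE = re.compile(
    re.escape(GADGET_CLASS).replace(r"\.", r"(?:\.|%2e)"), re.IGNORECASE
)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def scan_request(raw: str) -> dict:
    """Return the request path, whether it hits the _async endpoint, and a
    list of (location, name) hits, one per signature location that matched."""
    _method, target, headers, body = parse_request(raw)
    path, _, query = target.partition("?")
    hits = []

    # 200004754 (Parameter): query-string and URL-encoded form parameters.
    params = parse_qsl(query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        if GADGET_RE.search(value):
            hits.append(("parameter", name))

    # 200004755 (Header): any request header value.
    for name, value in headers.items():
        if GADGET_RE.search(value):
            hits.append(("header", name))

    # 200004756 (no location qualifier): the request body, e.g. a SOAP envelope.
    if GADGET_RE.search(body):
        hits.append(("body", path))

    return {"path": path, "async_endpoint": "_async" in path, "hits": hits}


# Constructed sample requests (hypothetical host, no serialized payload).
SAMPLE_BODY_HIT = (
    "POST /_async/AsyncResponseService HTTP/1.1\r\n"
    "Host: weblogic.example.internal\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><void class="oracle.toplink.internal.sessions.UnitOfWorkChangeSet"/>'
    "</soapenv:Body></soapenv:Envelope>"
)

SAMPLE_PARAM_HIT = (
    "GET /_async/AsyncResponseService?cls=oracle%2Etoplink%2Einternal"
    "%2Esessions%2EUnitOfWorkChangeSet HTTP/1.1\r\n"
    "Host: weblogic.example.internal\r\n"
    "\r\n"
)

SAMPLE_HEADER_HIT = (
    "POST /_async/AsyncResponseService HTTP/1.1\r\n"
    "Host: weblogic.example.internal\r\n"
    "X-Class: oracle.toplink.internal.sessions.UnitOfWorkChangeSet\r\n"
    "\r\n"
)

SAMPLE_CLEAN = (
    "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\n"
    "Host: weblogic.example.internal\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    "<soapenv:Envelope><soapenv:Body/></soapenv:Envelope>"
)

if __name__ == "__main__":
    for label, sample in [("body", SAMPLE_BODY_HIT), ("param", SAMPLE_PARAM_HIT),
                          ("header", SAMPLE_HEADER_HIT), ("clean", SAMPLE_CLEAN)]:
        print(label, scan_request(sample))
```

The `async_endpoint` flag is reported separately from the signature hits on purpose: a hit on the class name is the actual indicator, while the endpoint only adds context for triage, since legitimate traffic to _async exists and the gadget can arrive via other paths.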