CVE-2019-2729 is a Java deserialization vulnerability in Oracle WebLogic versions 10.3.6.0.0, 184.108.40.206.0, and 220.127.116.11.0. Serialized Java objects are accepted anonymously via an HTTP service and deserialized. Remote code execution is possible without authentication.
This exploit was tested against WebLogic 10.3.6.0.
A typical vulnerable server will have HTTP services listening on one or more TCP ports which have a web application at
Generate a payload with ysoserial
First, get ysoserial and use it to generate a simple RCE payload.
Here, we generate a payload using ysoserial, which will do a DNS lookup that we’ll be able to monitor. The payload file contains a serialized Java LinkedHashSet object which will run this command.
Note that the ysoserial payload generator used here, named Jdk7u21, only works under JRE version 7u21 and earlier; however, that seems to be standard with WebLogic 10.3.6.0. You might have to use a different payload for newer versions of WebLogic. The advantage of Jdk7u21 is that it has no dependencies on the server’s classpath.
Transform the payload into SOAP
Now, we need to massage this blob into a SOAP HTTP request body. The affected web services accept SOAP requests containing Java objects encoded in Java’s XMLEncoder format. An example request showing the format:
The payload generated above needs to be stuffed into a byte array by the server. The following Python script will generate the required request body and write it to a file named
Transmit the Payload
Next, send the generated request body to the affected service via a POST request to /wls-wsat/CoordinatorPortType. The entire resulting HTTP request should look just like the example above but much longer.
The server will return a 500 response; however, you should see your DNS lookup and now have remote command execution.
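The request described above leaves a recognizable trace on the server side: a POST to the wls-wsat service answered with a 500. The following triage script is an added example, not code from the original post. It assumes combined-format access logs and matches on the whole `/wls-wsat/` prefix rather than one endpoint; the function names and the sample log lines and bodies are constructed for illustration.

```python
import re

# Request line and status from a combined-format access log (assumed format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: flag everything under the wls-wsat application, not only the
# CoordinatorPortType endpoint named in the post.
WSAT_PREFIX = "/wls-wsat/"
# Markers of XMLEncoder-serialized content (a <java> element or a byte array).
XMLENCODER_RE = re.compile(
    r'<\s*java[\s>]|<\s*array\s+class\s*=\s*["\']byte["\']', re.IGNORECASE
)


def body_has_xmlencoder(body: str) -> bool:
    """True if a captured request body carries XMLEncoder object markup."""
    return bool(XMLENCODER_RE.search(body))


def triage(log_lines):
    """Return (source, path, status, severity) for POSTs to the wls-wsat app."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        # Compare case-insensitively to stay conservative.
        if not path.lower().startswith(WSAT_PREFIX):
            continue
        # The post notes the server answers a successful attempt with a 500.
        severity = "high" if m["status"] == "500" else "review"
        findings.append((m["src"], path, int(m["status"]), severity))
    return findings


# Constructed sample data (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2019:10:00:00 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1024',
    '198.51.100.7 - - [01/Jul/2019:10:00:05 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jul/2019:10:00:09 +0000] "POST /app/login HTTP/1.1" 200 88',
    '192.0.2.44 - - [01/Jul/2019:10:01:00 +0000] "POST /wls-wsat/CoordinatorPortType?x=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Where the wls-wsat application is not needed, any hit from `triage` is worth following up, and the same path prefix can be blocked at a reverse proxy or WAF.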
Hopefully this blog post helps you understand CVE-2019-2729 and how it’s being exploited. Being aware of this and similar vulnerabilities will help you better defend your environment against them.