Oracle WebLogic Server Remote Code Execution via IIOP/T3 Vulnerability

Vulnerability Information

Vulnerability name: Oracle WebLogic Server Remote Code Execution via IIOP/T3 Vulnerability

Vulnerability ID:

  • CVE: CVE-2020-14644

Vulnerability type: Deserialization

Severity: Critical

Description: Oracle WebLogic Server is an enterprise-grade Java application server developed by Oracle, widely used to deploy and manage large distributed web, enterprise and cloud applications. It supports multiple protocols and services, including IIOP and T3, for remote communication and object request brokering. This vulnerability lies in the Core component of Oracle Fusion Middleware and affects versions 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

The technical cause is a deserialization flaw: an attacker with network access to the IIOP and T3 protocols can trigger it without any user interaction. Because WebLogic Server does not properly validate input when handling certain network requests, an attacker can craft a malicious request that executes arbitrary code. The vulnerability is easy to exploit and its impact is extremely severe.

An attacker who successfully exploits this vulnerability gains complete control of the affected WebLogic Server: executing arbitrary code, obtaining system privileges, accessing sensitive data and moving laterally across the network infrastructure. Since no authentication is required, the risk level is extremely high. Organizations should apply Oracle's security patch immediately, restrict network access to the T3/IIOP ports, and implement appropriate network segmentation to reduce the potential threat.

Vendor: Oracle

Product: WebLogic Server

Affected versions: 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Search syntax: product:"oracle weblogic", http.title:"oracle weblogic", port:7001,7002,9001

Source: https://github.com/projectdiscovery/nuclei-templates/blob/64993c2d020cd9994dab47915e6f3540bd1933c1/network%2Fcves%2F2020%2FCVE-2020-14644.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details


id: CVE-2020-14644

info:
  name: Oracle WebLogic Server - Remote Code Execution via IIOP/T3
  author: pranjalnegi
  severity: critical
  description: |
    Oracle WebLogic Server contains a critical vulnerability in the Core component of Oracle Fusion Middleware.
    The vulnerability affects versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.
    Unauthenticated attackers can exploit this vulnerability through network access via IIOP and T3 protocols.
    The vulnerability allows complete compromise of the Oracle WebLogic Server.
    This is an easily exploitable vulnerability that requires no user interaction.
  impact: |
    Successful exploitation results in complete takeover of the Oracle WebLogic Server.
    Attackers can execute arbitrary code with WebLogic process privileges.
    This can lead to unauthorized data access and system compromise.
    The vulnerability enables lateral movement within the network infrastructure.
    No authentication is required to exploit this vulnerability.
  remediation: |
    Apply the security patches provided by Oracle in the Critical Patch Update (CPU) July 2020.
    Restrict network access to T3/IIOP ports (7001, 7002, 9001) using firewall rules.
    Implement proper network segmentation to isolate WebLogic servers.
    Monitor network traffic for suspicious T3/IIOP protocol communications.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-14644
    - https://www.oracle.com/security-alerts/cpujul2020.html
    - https://github.com/0xkami/cve-2020-14644
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-14644
    cwe-id: CWE-502
    epss-score: 0.97384
    epss-percentile: 0.99904
    cpe: cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: oracle
    product: weblogic_server
    verified: true
    shodan-query:
      - product:"oracle weblogic"
      - http.title:"oracle weblogic"
      - port:7001,7002,9001
    fofa-query:
      - title="oracle weblogic"
      - port="7001" || port="7002" || port="9001"
    google-query: intitle:"oracle weblogic server"
  tags: cve,cve2020,oracle,weblogic,rce,deserialization,iiop,t3,network,kev,critical

tcp:
  # Test 1: T3 version handshake; the server answers a probe with a HELO:<version> line
  - inputs:
      - data: "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://{{Hostname}}:{{Port}}\n\n"
    host:
      - "{{Hostname}}"
    port: "7001,7002,9001"
    read-size: 2048
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "HELO:"

      - type: word
        words:
          - "12.2.1.3"
          - "12.2.1.4"
          - "14.1.1"
        condition: or

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - "HELO:([0-9.]+)"

  # Test 2: IIOP Protocol Capability Detection
  - inputs:
      - data: "{{hex_decode('474946543839610d00630067007700c4fe000000c000c0c000800080008080000040004000404000008000800080800000c000c000c0c0000040404040800080008080800000c000c000c0c000004040404080008000808080000c000c000c0c00000400040004040000080008000808000000c000c000c0c000004040404080008000808080000c000c000c0c0')}}"
    host:
      - "{{Hostname}}"
    port: "7001,7002,9001"
    read-size: 1024
    matchers-condition: or
    matchers:
      - type: word
        words:
          - "weblogic"
          - "tangosol"
          - "ClassDefinition"
          - "RemoteConstructor"
        condition: or

      - type: regex
        regex:
          - "java\\.rmi\\."
          - "javax\\.naming\\."
          - "weblogic\\.cluster"
        condition: or

      - type: word
        words:
          - "CORBA"
          - "IIOP"
          - "NameService"
        condition: or

  # Test 3: T3S Protocol Test (SSL)
  - inputs:
      - data: "t3s 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3s://{{Hostname}}:{{Port}}\n\n"
    host:
      - "tls://{{Hostname}}"
    port: "7002,7001"
    read-size: 1024
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "HELO:"

      - type: word
        words:
          - "12.2.1.3"
          - "12.2.1.4"
          - "14.1.1"
        condition: or

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - "HELO:([0-9.]+)"

# digest: 4a0a00473045022100a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef02201234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef:922c64590222798bb761d5b6d8e72950
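The template's first and third requests are a version fingerprint: a T3 handshake probe to which WebLogic replies with a HELO:<version> line, which the matchers then compare against the affected release lines. The script below is an added example (not part of the original page or of the nuclei-templates project) that reproduces that logic in Python so the result can be reviewed in an asset inventory: it reuses the template's probe bytes and its HELO extractor, splits the version into numeric components so a prefix such as 12.2.1.3 matches only releases whose leading components are exactly 12.2.1.3, and treats an empty answer as "T3 not exposed", which is the expected state after the port restrictions in the remediation section. The sample responses are constructed for the test and modelled on the "HELO:<version>.false" line WebLogic returns to a probe; the function names are this example's own.

```python
"""Classify a WebLogic T3 handshake response the way the nuclei template does (added example)."""
import re
import socket
from typing import Optional

# The probe sent by the template's first request; {{Hostname}}/{{Port}} are filled at call time.
T3_PROBE = "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://{host}:{port}\n\n"

# Release lines flagged by the template's second matcher (the affected versions listed above).
AFFECTED_PREFIXES = ("12.2.1.3", "12.2.1.4", "14.1.1")

# Same extractor as the template. [0-9.]+ is greedy, so on "HELO:12.2.1.4.0.false"
# it captures "12.2.1.4.0." with a trailing dot, which parse_helo_version strips.
HELO_RE = re.compile(r"HELO:([0-9.]+)")


def parse_helo_version(response: bytes) -> Optional[str]:
    """Return the version announced in a HELO line, or None when no HELO is present."""
    match = HELO_RE.search(response.decode("latin-1"))
    if not match:
        return None
    return match.group(1).strip(".")


def _components(version: str) -> list:
    """'12.2.1.4.0' -> [12, 2, 1, 4, 0]; non-numeric pieces are ignored."""
    return [int(part) for part in version.split(".") if part.isdigit()]


def is_affected_release(version: str) -> bool:
    """True when the leading version components equal one of AFFECTED_PREFIXES."""
    parts = _components(version)
    for prefix in AFFECTED_PREFIXES:
        want = _components(prefix)
        if parts[: len(want)] == want:
            return True
    return False


def classify(response: bytes) -> dict:
    """Summarise a raw T3 response: did T3 answer, which version, is that release line affected."""
    version = parse_helo_version(response)
    return {
        "t3_reachable": version is not None,
        "version": version,
        # A match means the release line is one Oracle patched in the July 2020 CPU. The
        # handshake does not reveal whether that CPU was applied, so confirm the patch
        # level on the host before reporting the server as vulnerable.
        "affected_release": bool(version) and is_affected_release(version),
    }


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> bytes:
    """Send the template's T3 probe over plain TCP and return whatever the server answers.

    Returns b"" when the port is filtered or the connection is dropped, which is the
    expected outcome once T3/IIOP access is restricted as the remediation advises.
    """
    data = T3_PROBE.format(host=host, port=port).encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(data)
            return sock.recv(2048)
    except OSError:
        return b""


# Constructed sample responses (not captured from a real server).
SAMPLE_AFFECTED = b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"
SAMPLE_OTHER_RELEASE = b"HELO:12.2.1.2.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"
SAMPLE_FILTERED = b""

if __name__ == "__main__":
    for label, sample in (("affected", SAMPLE_AFFECTED),
                          ("other release", SAMPLE_OTHER_RELEASE),
                          ("filtered", SAMPLE_FILTERED)):
        print(label, classify(sample))
```

To check a live host, call `classify(probe_t3("weblogic.internal.example", 7001))`; an empty result on a server that is known to be running confirms that the T3 listener is no longer reachable from the scanning network segment.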



http://example.com/2025/07/05/github_835646919/
Author
lianccc
Published
July 5, 2025
License