Vigil@nce: WebLogic, command execution via Node Manager
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An unauthenticated attacker can connect to the WebLogic Node
Manager, in order to execute a command located on the system.
Severity: 2/4
Consequences: privileged access/rights
Provenance: intranet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 25/01/2010
IMPACTED PRODUCTS
– Oracle WebLogic Server
DESCRIPTION OF THE VULNERABILITY
The Node Manager (beasvc.exe) listens on port 5556/tcp so that the
administrator can manage the nodes of the WebLogic domain with the
following instructions:
– start
– shutdown
– getState
– execScript: execute a command
– etc.
Allowed commands for "execScript" are stored in a WebLogic
directory. However, by using "..\..", an attacker can escape from
this directory and execute commands available on the hard disk.
An unauthenticated attacker can therefore connect to the WebLogic
Node Manager, in order to execute a command located on the system.
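Added example, not part of the advisory and not Oracle's code: a containment check of the kind that stops the "..\.." escape described above, using Windows path rules because the affected service is beasvc.exe. The script directory, function names and sample script names are assumptions made for illustration.

```python
import ntpath  # Windows path semantics, usable on any host OS

# Constructed placeholder: the advisory only says "a WebLogic directory".
SCRIPT_DIR = r"C:\example\domain\scripts"


def resolve_script(name, script_dir=SCRIPT_DIR):
    """Return the normalized full path of an allowed script, or raise ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty or malformed script name")
    # A drive letter, UNC prefix or leading separator would make join()
    # discard script_dir entirely, so refuse them before joining.
    drive, tail = ntpath.splitdrive(name)
    if drive or tail.startswith(("\\", "/")):
        raise ValueError("absolute path not allowed")
    base = ntpath.normcase(ntpath.normpath(script_dir))
    # normpath collapses "..", "." and mixed separators; normcase folds case
    # and turns "/" into "\", so the comparison sees one canonical form.
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(base, name)))
    # Compare against base plus a separator so a sibling directory such as
    # "scripts_old" does not pass a plain prefix test.
    if not candidate.startswith(base + "\\"):
        raise ValueError("script escapes the allowed directory")
    return candidate


def is_allowed(name):
    """True when the requested script stays inside SCRIPT_DIR."""
    try:
        resolve_script(name)
        return True
    except ValueError:
        return False
```

The check only covers the directory escape; it does not address the absence of authentication on the Node Manager port.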
CHARACTERISTICS
Identifiers: BID-37926, VIGILANCE-VUL-9378
http://vigilance.fr/vulnerability/WebLogic-command-execution-via-Node-Manager-9378