Open syriusbughunt opened 5 years ago
Hey @kkirsche :)
Happy to see you just re-opened this one. After some research it seems like most of the PoCs out there available to the public are "FAKE" PoCs, since they don't really bypass the patch of CVE-2017-10271. Technical details are available here: https://paper.seebug.org/910/
Unfortunately, the juicy part, the golden payload that bypasses the patch and the blacklisted tags, is blurred. Maybe with your talented pentesting eyes you could see it ;)
Another one: https://github.com/jas502n/CNVD-C-2019-48814/blob/master/burpsuite.jpg
Any help on this one would be very appreciated, since I believe a lot of us would like to reproduce this in our environments to see if our servers are vulnerable to it.
Thanks.
No worries. Let me see what I can figure out. :) Thanks for sharing!
Real PoC for CVE-2019-2725:
https://raw.githubusercontent.com/hanc00l/some_pocsuite/master/weblogic-async_all_rce.py
Note that this PoC is using "oracle.toplink.internal.sessions.UnitOfWorkChangeSet", which only affects WebLogic 10.x and not 12.x.
The classes that affect both versions are: "com.sun.rowset.JdbcRowSetImpl" (RMI) and "org.slf4j.ext.EventData".
Let me know if you need any more details :)
Thanks.
Update: another (universal) class would be "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext". I can get my local WebLogic server to download the file "rce.xml", but the challenge I am facing now is having a correct "rce.xml" that can execute 'calc.exe'.
https://www.exploit-db.com/exploits/46814 is out as well.
Will work on this after this week (I have a test for my master's degree classes).
Hi Kevin!
Hope you are doing well :) I was wondering if you could add support for the CVE-2017-10271 bypass that just got out (see https://github.com/jas502n/CNVD-C-2019-48814). The bug is with
http://localhost:7001/_async/
Any help or suggestions would be very appreciated,
Thanks
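The thread above names the affected endpoint (`/_async/`) and four gadget classes. As an added example that is not part of this issue or of the tool under discussion, here is a small detector that flags HTTP requests to that endpoint whose body references any of those class names, run over a few constructed request records (the `HttpRequest` type and the sample paths are assumptions made for the example).

```python
from dataclasses import dataclass
from typing import List

# Endpoint and gadget class names as listed in the issue comments above.
ASYNC_PATH = "/_async/"
GADGET_CLASSES = (
    "oracle.toplink.internal.sessions.UnitOfWorkChangeSet",
    "com.sun.rowset.JdbcRowSetImpl",
    "org.slf4j.ext.EventData",
    "com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext",
)


@dataclass
class HttpRequest:
    """Minimal request record; in practice this would come from a WAF or proxy log."""
    method: str
    path: str
    body: str


def classify(req: HttpRequest) -> List[str]:
    """Return detection findings for one request; an empty list means nothing matched."""
    findings: List[str] = []
    if not req.path.startswith(ASYNC_PATH):
        return findings  # only the async endpoint from the thread is in scope here
    if req.method.upper() == "POST":
        findings.append("POST to WebLogic async endpoint")
    lowered = req.body.lower()
    for cls in GADGET_CLASSES:
        if cls.lower() in lowered:
            findings.append(f"gadget class {cls}")
    return findings


def scan(requests: List[HttpRequest]) -> List[List[str]]:
    """Classify every request, preserving order so results line up with the input."""
    return [classify(r) for r in requests]


# Constructed sample traffic: one benign request, one clean POST to the endpoint,
# and one POST whose body names a gadget class from the thread.
SAMPLE = [
    HttpRequest("GET", "/console/login/LoginForm.jsp", ""),
    HttpRequest("POST", "/_async/ExampleService", "<soap:Envelope/>"),
    HttpRequest("POST", "/_async/ExampleService",
                "<soap:Envelope><class>com.sun.rowset.JdbcRowSetImpl</class></soap:Envelope>"),
]

if __name__ == "__main__":
    for req, result in zip(SAMPLE, scan(SAMPLE)):
        print(req.method, req.path, "->", result or "clean")
```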