Rapid7 Vulnerability & Exploit Database

Oracle Weblogic PreAuth Remote Command Execution via ForeignOpaqueReference IIOP Deserialization

Disclosed: 01/17/2023
Created: 06/09/2023

Description

Oracle Weblogic 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 prior to the Jan 2023 security update are vulnerable to unauthenticated remote code execution due to a post-deserialization vulnerability. An attacker serializes a "ForeignOpaqueReference" class object and has it deserialized on the target; after deserialization, the object's "getReferent()" method is called, which uses the "ForeignOpaqueReference" class's "remoteJNDIName" variable, which is under the attacker's control, to perform a remote lookup of the JNDI address specified by "remoteJNDIName" via the "lookup()" function. This in turn leads to a deserialization vulnerability in which the attacker supplies the address of an HTTP server hosting a malicious Java class file; that class is loaded into the Oracle Weblogic process's memory and an attempt is made to create a new instance of it. Attackers can use this to execute arbitrary Java code during the instantiation of the object, thereby gaining remote code execution as the "oracle" user.

This module exploits the vulnerability to trigger the JNDI connection to an LDAP server we control. The LDAP server responds with a remote reference response that points to an HTTP server we control, where the malicious Java class file is hosted. Oracle Weblogic then makes an HTTP request to retrieve the class file, our HTTP server serves it, and Oracle Weblogic instantiates an instance of that class, granting us RCE as the "oracle" user. This vulnerability was exploited in the wild, as noted by KEV on May 1st 2023: https://www.fortiguard.com/outbreak-alert/oracle-weblogic-server-vulnerability
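The post-deserialization pattern described above, modelled as an added example that is not WebLogic's ForeignOpaqueReference source or this module's code: a serializable reference whose restored remoteJNDIName reaches lookup() unchecked, beside a hardened variant that refuses names outside the local namespace. The class names, the allowed-scheme policy and the sample names are assumptions made for the demo.

```java
import java.io.Serializable;
import java.util.Set;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Hypothetical model of the pattern in the description, not WebLogic's code.
// Deserialization itself is harmless; the damage happens later, when getReferent()
// hands the restored remoteJNDIName field to lookup().
public class OpaqueReferenceDemo {
    // Vulnerable shape: the field restored from untrusted bytes reaches lookup() unchecked,
    // so a name such as "ldap://host:1389/x" becomes an outbound connection to that host.
    static class VulnerableReference implements Serializable {
        private static final long serialVersionUID = 1L;
        String remoteJNDIName;
        Object getReferent() throws NamingException {
            return new InitialContext().lookup(remoteJNDIName);
        }
    }

    // Hardened shape: only names in the local namespace are resolved. Any other URL scheme
    // (ldap, rmi, iiop, dns, ...) selects a URL context factory and a caller-chosen server.
    static class HardenedReference implements Serializable {
        private static final long serialVersionUID = 1L;
        // Assumed policy for this demo: unqualified names and the "java:" namespace only.
        private static final Set<String> ALLOWED_SCHEMES = Set.of("java");
        String remoteJNDIName;
        static boolean isPermittedName(String name) {
            if (name == null || name.isEmpty()) return false;
            int colon = name.indexOf(':');
            if (colon < 0) return true;                            // no scheme: local namespace
            String scheme = name.substring(0, colon).toLowerCase();
            if (!scheme.matches("[a-z][a-z0-9+.-]*")) return true; // colon but not a URL scheme
            return ALLOWED_SCHEMES.contains(scheme);
        }
        Object getReferent() throws NamingException {
            if (!isPermittedName(remoteJNDIName)) {
                throw new NamingException("refusing non-local JNDI name: " + remoteJNDIName);
            }
            return new InitialContext().lookup(remoteJNDIName);
        }
    }

    public static void main(String[] args) {
        // Constructed samples: two legitimate local names and the kind of value a hostile stream carries.
        for (String n : new String[] {"jdbc/AppDS", "java:comp/env/jdbc/AppDS", "ldap://attacker.example:1389/x"}) {
            System.out.println(n + " -> permitted: " + HardenedReference.isPermittedName(n));
        }
    }
}
```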

Author(s)

  • 4ra1n
  • 14m3ta7k
  • Grant Willcox

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/iiop/cve_2023_21839_weblogic_rce
msf exploit(cve_2023_21839_weblogic_rce) > show targets
    ...targets...
msf exploit(cve_2023_21839_weblogic_rce) > set TARGET < target-id >
msf exploit(cve_2023_21839_weblogic_rce) > show options
    ...show and set options...
msf exploit(cve_2023_21839_weblogic_rce) > exploit
