A WebLogic server vulnerability fixed by the October CPU has come under active exploitation after a Vietnamese-language blog post detailed the steps needed to bypass authentication and achieve remote code execution on unpatched systems. Although there have been a series of actively exploited WebLogic deserialization bugs, the exploit payload in this case immediately grabbed my attention because of how similar it is to vulnerabilities I've analyzed in a range of consumer and enterprise products.
Per a tweet from @jas502n:
http://x.x.x.x:7001/console/images/%252E%252E%252Fconsole.portal
The piece of this which grabbed my attention is the %252E%252E%252F. If we URL decode this string, the three %25 become %, leaving %2E%2E%2F. Decoding this value again yields ../ which should be familiar as a directory traversal pattern. This URL can be used to directly access the /console/console.portal resource due to a series of errors in how the application was designed and configured. The web application is making an authorization decision based on the requested path, but it is doing so without first fully decoding and canonicalizing the path. The result is that a URL can be constructed to match the pattern for a permitted resource but ultimately access a completely different resource.
Over time, I've seen this vulnerability pattern come up in quite a few different places including products from Netgear, Asus, TrendNET, Ruckus, and Citrix. The first place I remember seeing this was on Netgear when I realized that my router would treat any request ending .gif as authenticated. Allowing access to all of the GIFs would normally not be a big deal, but because the web server only looked at the requested URI, it could be duped by placing ?.gif at the end.
The authentication handler would approve the request because it ends .gif and pass it along to a file handler which then continues parsing the request URI before determining which file to serve. This allows for a direct authentication bypass which could then be chained with authenticated command injection flaws I had separately found.
The code responsible for this flaw was meant to provide a kind of MIME handling so that files of different types could be streamed and authenticated accordingly. In other cases, such as with Ruckus, I noted that there were several directories from which all requests were treated as authenticated. Using a plain path traversal like /images/../, you could access authenticated resources without a password.
Another way of looking at this is that we have a time-of-check/time-of-use inconsistency when processing request URIs. The path is checked when the request is received, but the value is decoded further before use, creating an opportunity for exploitation. The lesson here for developers hoping to avoid slipping on this particular banana peel is to make sure that path-based authorization checks are only ever considered after all transformations have been made to the requested URI.
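The lesson above as an added sketch (not code from WebLogic or from any of the products named): a check on the raw request target beside one made only after the path is fully decoded and canonicalized. The allow-list values, function names and the /admin/status path are assumptions, and the request targets are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed policy for this sketch: only these are served without a login.
PUBLIC_PREFIXES = ("/console/images/",)
PUBLIC_SUFFIXES = (".gif",)

def naive_is_public(raw_target: str) -> bool:
    """Flawed check: tests the request target exactly as received."""
    return (raw_target.startswith(PUBLIC_PREFIXES)
            or raw_target.endswith(PUBLIC_SUFFIXES))

def canonical_path(raw_target: str, max_rounds: int = 5) -> str:
    """Return the path that later handlers would finally resolve."""
    # Drop the fragment and query string; only the path selects a resource.
    path = raw_target.partition("#")[0].partition("?")[0]
    for _ in range(max_rounds):          # decode until nothing changes
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("too many layers of percent-encoding")
    # Characters that only show up after decoding are treated as hostile.
    if any(ch in path for ch in ("\x00", "\\", "?")):
        raise ValueError("unexpected character in decoded path")
    # Resolve "." and ".." segments and collapse repeated slashes.
    return "/" + posixpath.normpath("/" + path).lstrip("/")

def is_public(raw_target: str) -> bool:
    """Authorization decision made on the canonical path only."""
    try:
        path = canonical_path(raw_target)
    except ValueError:
        return False                     # fail closed
    return path.startswith(PUBLIC_PREFIXES) or path.endswith(PUBLIC_SUFFIXES)

if __name__ == "__main__":
    # Constructed request targets, not captured traffic.
    for target in ("/console/images/logo.gif",
                   "/console/images/%252E%252E%252Fconsole.portal",
                   "/admin/status?.gif"):
        print(f"{target!r}: naive={naive_is_public(target)} "
              f"canonical={is_public(target)}")
```

The check only holds if the handler that serves the resource uses the same canonical path that was authorized rather than parsing the raw target again.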
Detection for CVE-2020-14882 is on the market in ASPL-913 and later.