Oracle WebLogic Node Manager allows arbitrary configuration via UNC path

Critical Risk Advisory

Patch Date

January 18, 2011
Oracle - Critical Patch Update for January 2011

Reported Date

May 20, 2010 - Submitted to CERT/CC

Vendor

Oracle Corporation

Systems Affected

Oracle WebLogic Node Manager version 10.3.3 (and earlier versions)

Summary

Oracle WebLogic Node Manager 10.3.3 and earlier versions contain a remote file inclusion vulnerability. This vulnerability could allow a remote attacker to execute arbitrary commands on an affected system.

Vendor Status

Oracle is aware of the issue, and has resolved it in their January 2011 security patches.

Exploit Availability

No exploit is required to target this vulnerability. An unauthenticated attacker can connect to the Node Manager service and set the configuration file location to a remote UNC path controlled by the attacker. The configuration file specifies the location of the password file, which can also be located on a UNC path controlled by the attacker. After authenticating with their own password file, the attacker can use built-in Node Manager features to execute commands on the Node Manager server.

Researcher

Carl Livitt of Bishop Fox

Vulnerability Details

Node Manager is a WebLogic Server utility that enables you to start, shut down, and restart Administration Server and Managed Server instances from a remote location. An unauthenticated attacker can set its configuration file location via a UNC path.

An unauthenticated attacker can connect to the Node Manager service and set the configuration file location to a remote UNC path controlled by the attacker. The configuration file specifies the location of the password file, which can also be located on a UNC path controlled by the attacker. After authenticating with their own password file, the attacker can use built-in Node Manager features to execute commands on the Node Manager server.

Workaround

Firewall rules should also be implemented to restrict the use of UNC paths on the Node Manager server and to restrict access to the Node Manager service to trusted sources only.
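
As a host-side complement to the firewall rules, the following added example (not part of the original advisory or of Oracle's code) flags path values in Java-properties-style configuration text that resolve to a UNC location, including the forward-slash form that Windows also accepts. The property names and values in the sample are constructed for illustration.

```python
import re

# UNC forms that Windows resolves over SMB to another host.
_UNC_PATTERNS = (
    re.compile(r"^[\\/]{2}[?.][\\/]UNC[\\/]", re.IGNORECASE),  # \\?\UNC\host\share
    re.compile(r"^[\\/]{2}[^\\/?.][^\\/]*[\\/]"),              # \\host\share, //host/share
)

def is_remote_path(value):
    # Device paths such as \\?\C:\dir match neither pattern and stay local.
    return any(p.match(value.strip()) for p in _UNC_PATTERNS)

def unescape_property(value):
    # Simplified .properties unescape: a backslash quotes the next character,
    # so four backslashes in the file mean the two that start a UNC path.
    # (\t, \n and \uXXXX are not expanded; that does not affect UNC detection.)
    return re.sub(r"\\(.)", r"\1", value)

def audit_properties(text):
    """Return [(key, path)] for every property whose value is a UNC path."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":        # blank line or comment
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0], unescape_property(parts[1])
        if is_remote_path(value):
            findings.append((key, value))
    return findings

# Constructed sample input; not taken from a real installation.
SAMPLE = r"""
# node manager settings (sample)
NodeManagerHome=C:\\Oracle\\wlserver\\nodemanager
LogFile=\\\\fileserver01\\logs\\nm.log
DomainsFile=//198.51.100.7/share/nodemanager.domains
ListenPort=5556
"""

if __name__ == "__main__":
    for key, path in audit_properties(SAMPLE):
        print(f"UNC path in {key}: {path}")
```

A plain text search for a double backslash would miss the `DomainsFile` entry above, which is why the check normalises both separator styles.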

References

  • CERT VU: 924300: Vulnerability Note VU#924300 - Oracle WebLogic Node Manager allows arbitrary configuration via UNC path
  • Security Focus - ID: 43931: Oracle WebLogic Server Node Manager UNC Path Remote Security Vulnerability
  • OSVDB ID: 68954: Oracle WebLogic Node Manager Service Arbitrary File Access
  • SA41822: Oracle WebLogic Node Manager File Inclusion Vulnerability

About the author, Carl Livitt

Principal Researcher

Carl Livitt is a Principal Researcher at Bishop Fox. He has decades of experience in mobile and application security, hardware and embedded devices, reverse engineering, and global-scale penetration testing.

Carl is credited with the discovery of many vulnerabilities within both commercial and open-source software. He was brought in as a third-party expert to lead the team that confirmed several security issues with St. Jude Medical implantable devices. His work eventually led to an official communication from the FDA.

Carl has served as a contributing author to Hacking Exposed Web Applications 3rd Edition as well as a technical advisor for Network Security Assessment 1st Edition. He has been interviewed on NPR and quoted in publications including USA Today and eWeek. Carl co-authored the iOS reverse engineering framework iSpy, which was featured at Black Hat USA's Tools Arsenal.
