Hacker Insights is a series of blog posts meant to provide an understanding of the tools, mindset, methodologies, and history of attackers – from overviews to in-depth technical explanations.
In this installment of Hacker Insights, we’ll take a look into the world of deserialization vulnerabilities and review the most recent critical deserialization vulnerability in Oracle WebLogic. For context, serialization is the process of converting an object into a different format for storage or processing. That format is often structured text: JSON and XML are two of the most commonly used serialization formats in web applications.
Deserialization is the opposite of serialization, that is, transforming serialized data coming from a file, stream, or network socket into an application object. Deserialization vulnerabilities occur when untrusted or malicious data is deserialized within an application.
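To make the point concrete, the added example below (written for this post, not code from Oracle WebLogic or from the exploit) shows the difference between handing untrusted bytes straight to Java's ObjectInputStream and deserializing through an allowlist filter. The Greeting class, the filter pattern and the ArrayList used as a stand-in for an unexpected type are all assumptions made for the demonstration; with a filter in place, any class the stream names that is not on the list is rejected before it is loaded or instantiated.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class SafeDeserializationDemo {

    // Hypothetical application type that we legitimately expect on the wire.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unsafe pattern: whatever class the stream names is resolved and instantiated,
    // which is the root cause of the deserialization vulnerability class.
    static Object deserializeUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: a JEP 290 ObjectInputFilter (Java 9+) that only accepts the
    // types we expect, caps graph depth and object count, and rejects everything else
    // ("!*") before the class is loaded.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "SafeDeserializationDemo$Greeting;java.lang.String;maxdepth=5;maxrefs=50;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        // Constructed stand-in for a type the application never asked for; benign here,
        // but the filter treats it exactly as it would treat an attacker-chosen class.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));

        Greeting g = (Greeting) deserializeFiltered(expected);
        System.out.println("filtered, expected type accepted: " + g.text);

        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type rejected: " + e.getMessage());
        }

        // The unfiltered path materialises whatever the stream names.
        System.out.println("unfiltered: " + deserializeUnsafe(unexpected).getClass().getName());
    }
}
```

The filter is a defence-in-depth measure for code you control; it does not replace the vendor patch for a product such as WebLogic, where the vulnerable deserialization happens inside components you cannot wrap. The same filter pattern can be applied JVM-wide with the jdk.serialFilter system property, which is useful for logging rejected classes as a detection signal.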
On April 25, 2019, security researchers from KnownSec 404 discovered a zero-day vulnerability affecting versions 10.3.6.0 and 12.1.3.0 of Oracle’s popular WebLogic application (CVE-2019-2725). Oracle WebLogic is an application server used to deploy enterprise Java EE applications, and it is common to find it exposed directly to the internet.
The vulnerability resides within the wls9_async_response.war and wls-wsat.war components of WebLogic. These components are insecure due to a critical deserialization vulnerability that can be used to trigger remote code execution on an affected host. Remote code execution caused by this vulnerability can be performed by an attacker without prior authentication to the application. This means that all internet-facing and unpatched instances of Oracle WebLogic are vulnerable to attack.
Since the announcement of this vulnerability, it has been actively exploited across the internet and is even being used to spread ransomware. Whenever powerful new vulnerabilities emerge, it is common to find new strains of malware developed specifically to work in conjunction with them. This WebLogic zero-day has spawned a new piece of ransomware called Sodinokibi, which uses PowerShell to download and run the ransomware executable after the initial WebLogic exploit executes. Additionally, a new variant of the Muhstik botnet, which performs DDoS and cryptojacking attacks, has been identified in the wild, living off vulnerable WebLogic servers.
The severity of this vulnerability is amplified by the number of WebLogic applications that are exposed to the internet and could potentially be vulnerable. According to Zoomeye.org there were over 36,000 internet-facing WebLogic servers at the time this vulnerability was announced, and almost a month later there are still over 32,000 exposed WebLogic servers. If your organization hosts applications on WebLogic, whether public or internal, it is highly advised to apply the appropriate patch as soon as possible. Given the long history of deserialization vulnerabilities in Java-based platforms including Oracle WebLogic, a long-term solution would be to develop and implement vulnerability and patch management processes specific to Oracle WebLogic and similar technologies.
For more information, questions about this article, or inquiries about OCD Tech services, please contact us.