WebLogic is a popular enterprise middleware tool that orchestrates the interaction between backend systems and frontend clients. This makes it a valuable tool for attackers, who can exploit it to access and influence a wide range of organizational applications. In this blog post, we explore how to install a persistent backdoor on WebLogic Server. We then show which mitigation steps you can take to protect your systems against these types of attacks.
This blog post is based on a comprehensive research report by Pentera Labs, which you can read here.
WebLogic, developed by Oracle, is a server software application that enables backend (applications, databases, etc.) and frontend clients to interact with each other in the enterprise. Often used in large-scale environments where complex transaction processing, application integration, and multi-tiered networking are required, WebLogic can simultaneously host and run multiple applications for on-premises and cloud enterprises. It also supports database connections.
From an attacker’s perspective, gaining access to WebLogic’s management console has the potential to influence a wide range of servers. This is concerning for several reasons:
Our goal at Pentera Labs was to gain access to WebLogic Server itself, from the outside. Access to WebLogic Server also provides access to the Backend applications it hosts or connects to. Below is a brief outline of the attack we conducted.
1. Our first step was authentication bypass. By using CVE-2020-14883, we were able to get instant access to the administration console.
2. Since the console’s interface was limited, we also used CVE-2020-14882 to create an unauthenticated RCE attack.
3. To effectively benefit from this vulnerability, we needed to use the Shell method or the Remote XML method.
At this point, we had access to the OS of WebLogic Server, which meant we could run any command, if we had the right permissions. We also had full access to WebLogic’s files.
4. The next step was attacking the management console by hacking into the management API. Since the management API required credentials, we needed to obtain them.
WebLogic’s encrypted credentials exist in various places on the host. The two most common places are:
5. To decrypt the credentials, we could choose between a few methods, for example:
6. Now that we had the admin credentials, we were able to access the Management Console.
7. We could then perform any action supported by WebLogic, but we decided to focus on two main tasks.
And that was it! We then had a fully functioning webshell hidden inside an existing application hosted on WebLogic.
Follow these best practices and security measures to safeguard your WebLogic environment and protect against attacks and any backdoors.
Read the entire in-depth report, which includes detailed explanations of all steps as well as code snippets and urls that you can follow and more mitigation practices. Click here.
Begin your journey in security validation and see why leading companies trust us with their cybersecurity validation.