Immunity, Inc.
Name weblogic_t3_deserialization
CVE CVE-2015-4852
Exploit Pack CANVAS
Description weblogic_t3_deserialization
Notes
CVE Name: CVE-2015-4852
VENDOR: Oracle
NOTES:
IMPORTANT NOTE: This exploit WILL NOT WORK against any instance of this application running an Apache Commons Collections version prior to 3.0.


WebLogic's AdminServer servlet allows remote administration (often unauthenticated) via the
proprietary T3 protocol. This protocol is similar to RMI in the sense that it depends on the exchange
of serialized Java objects that are then re-serialized. Apache Commons Collections versions before
3.2.2 allow users to serialize transformers on collection values. Of importance to us is the
InvokerTransformer, which is capable of invoking Java methods. We are able to run these transformers
by adding them to an annotation map whose members are accessed. The right chain of method invocations
leads to arbitrary code execution.
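
For defenders, the class names described above are visible in the serialized stream itself. The following detection sketch is an added example, not part of the CANVAS module or of any Oracle code: it looks for embedded Java serialization streams in a captured message and reports class descriptors that match a denylist. The function names, the denylist contents and the sample bytes are assumptions made for illustration, and the scan is a heuristic rather than a full stream parser.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization magic + stream version
TC_CLASSDESC = 0x72                  # class descriptor tag; a UTF class name follows
# Assumed denylist (an illustration, not taken from the page); extend as needed.
SUSPECT_PREFIXES = (
    "org.apache.commons.collections.functors.",
    "sun.reflect.annotation.AnnotationInvocationHandler",
)
_NAME = re.compile(rb"[A-Za-z_$\[][\w.$;\[]*")

def class_names(stream: bytes):
    """Heuristically yield class names from TC_CLASSDESC records (not a full parser)."""
    i = 0
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", stream, i + 1)
            raw = stream[i + 3:i + 3 + n]
            if 0 < n == len(raw) and _NAME.fullmatch(raw):
                yield raw.decode("ascii")
                i += 3 + n
                continue
        i += 1

def scan_payload(payload: bytes):
    """Return [(stream_offset, [suspect class names])] for each embedded stream."""
    findings = []
    start = payload.find(STREAM_MAGIC)
    while start != -1:
        nxt = payload.find(STREAM_MAGIC, start + 4)
        end = nxt if nxt != -1 else len(payload)
        hits = sorted({c for c in class_names(payload[start + 4:end])
                       if c.startswith(SUSPECT_PREFIXES)})
        if hits:
            findings.append((start, hits))
        start = nxt
    return findings

def sample_classdesc(name: str) -> bytes:
    """Constructed, inert record: TC_OBJECT, TC_CLASSDESC, name, zeroed UID."""
    raw = name.encode("ascii")
    return b"\x73\x72" + struct.pack(">H", len(raw)) + raw + b"\x00" * 8

# Constructed sample messages: filler header bytes, no usable object graph.
HEADER = b"\x00\x00\x00\x40\x01\x65"
BENIGN = HEADER + STREAM_MAGIC + sample_classdesc("java.util.HashMap")
FLAGGED = BENIGN + STREAM_MAGIC + sample_classdesc(
    "org.apache.commons.collections.functors.InvokerTransformer")
```

`scan_payload(BENIGN)` returns an empty list, while `scan_payload(FLAGGED)` reports the offset of the second stream together with the InvokerTransformer class name.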

Version support:
Installer did not support the JVM version unless marked otherwise.
> Ubuntu Linux 14.04.3 - x86
- 10.3.6 on Java SE 6
- 10.3.6 on JRockit 1.6 - NOT SUPPORTED
- 12.2.1 on Java SE 8 ()
- 12.1.2 on Java SE 7 / 8
- 12.1.3 on Java SE 7 / 8
> Windows 7 Ultimate SP 1 x86
- 12.1.3 on Java SE 8 - FAILED
- 12.1.3 on Java SE 7
- 12.1.2 on Java SE 7
- 12.2.1 on Java SE 8 - FAILED
- 12.2.1 on Java SE 6 - Installer does not support Java version
- 12.2.1 on Java SE 7 - Installer does not support Java version
- 10.3.6 on Java SE 6
- 10.3.6 on JRockit 1.6 - NOT SUPPORTED


Repeatability: One Shot
References:
- http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
- http://www.oracle.com/technetwork/topcis/security/alert-cve-2015-4852-2763333.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7501
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852
