Oracle WebLogic CVE-2018-2628 Remote Code Execution

Authors: Nsfocus Liao Xinxi    Risk: Critical

CVE: CVE-2018-2628            0day: Remote Code Execution

0day-id: 0DAY-2628             Date: 2018-04-20


Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are ,, and . This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful exploitation can result in takeover of Oracle WebLogic Server.

Affected versions

The first step is to send the PoC for testing. The address of the remote server referenced in the PoC is the server set up in the second step. The target is the T3 service on port 7001 of the WebLogic server. The service unpacks the object structure and, during the step-by-step readObject, connects to port 1099 on the second server to request the maliciously encapsulated code, which then pops the calculator locally.

The second step is to start ysoserial.exploit.JRMPListener on the remote server. The JRMPListener sends the payload containing the malicious code back to the requester.

Looking at the WebLogic log, you can see the following error; by this point the calculator has already popped up:


WebLogic has already blacklisted the PoCs exposed on the Internet, so getting past the blacklist requires constructing a chain yourself. Look at the implementation of resolveProxyClass in InboundMsgAbbrev: it handles the RMI interface types of a serialized proxy, but it only checks for java.rmi.registry.Registry by name, so another RMI interface easily gets past it.

protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
   String[] arr$ = interfaces;
   int len$ = interfaces.length;

   for(int i$ = 0; i$ < len$; ++i$) {
      String intf = arr$[i$];
      // Only this one interface name is rejected; any other RMI interface passes through.
      if(intf.equals("java.rmi.registry.Registry")) {
         throw new InvalidObjectException("Unauthorized proxy deserialization");
      }
   }

   return super.resolveProxyClass(interfaces);
}

The core of the issue is JRMP (Java Remote Method Protocol). In this PoC a RemoteObjectInvocationHandler is serialized; on deserialization it uses UnicastRef to open a TCP connection to the remote host to fetch the RMI registry object, loads it back, and resolves it with readObject, so the remote code is deserialized and executed.
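As an added defensive illustration (not WebLogic's InboundMsgAbbrev code), the stream below rejects any proxy whose interface list contains a java.rmi.Remote subtype, which closes the single-name gap in the snippet above; the NotRegistry interface and NoopHandler are hypothetical names used only for the demo.

```java
import java.io.*;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.rmi.Remote;

// Added illustration, not WebLogic's InboundMsgAbbrev: reject any proxy whose
// interface list contains a java.rmi.Remote subtype, not just one interface name.
public class ProxyFilteringInputStream extends ObjectInputStream {
    public ProxyFilteringInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces)
            throws IOException, ClassNotFoundException {
        ClassLoader loader = getClass().getClassLoader(); // assumption: this loader sees the interfaces
        for (String name : interfaces) {
            // Name check catches the JDK RMI interfaces; the type check catches
            // any application interface extending Remote (the bypass the page describes).
            if (name.startsWith("java.rmi.")
                    || Remote.class.isAssignableFrom(Class.forName(name, false, loader))) {
                throw new InvalidObjectException("Unauthorized proxy deserialization: " + name);
            }
        }
        return super.resolveProxyClass(interfaces);
    }

    // Hypothetical RMI interface whose name never mentions Registry.
    public interface NotRegistry extends Remote {}
    // Serializable handler so the proxy instance itself can be written to a stream.
    static class NoopHandler implements InvocationHandler, Serializable {
        public Object invoke(Object proxy, Method m, Object[] args) { return null; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a NotRegistry proxy, which a Registry-only name check lets through.
        Object proxy = Proxy.newProxyInstance(ProxyFilteringInputStream.class.getClassLoader(),
                new Class<?>[] { NotRegistry.class }, new NoopHandler());
        byte[] data = serialize(proxy);
        try (ObjectInputStream in = new ProxyFilteringInputStream(new ByteArrayInputStream(data))) {
            in.readObject();
            System.out.println("proxy accepted");
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running main serializes the proxy and then deserializes it through the filtering stream, which rejects it on the NotRegistry interface before any handler object is materialised.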


2017/7/19: Problem found

2017/11/23: Reported to Oracle

2017/11/29: Oracle accepted the report

2017/11/30: Oracle assigned bug number S0947640; the fix officially entered the mainline version

2017/11/30: Asked for a company domain name email

2018/4/14: CVE assigned: CVE-2018-2628

2018/4/17: Patch released

