For a recent engagement, SecureState performed an external penetration assessment. While the attack described in this blog was not particularly challenging, it was unique with the steps involved to compromise the system. During the pentest, SecureState was given an Oracle Application Server to attack. While reviewing the properties of a page under the “/uddi/demo/” directory, SecureState was able to identify a default admin account. SecureState attempted to log into the website with the discovered username with a password of <username>123. This was successful and SecureState was able to log into the application with admin privileges.
Once successfully logged in, SecureState browsed to the Navigator section and was prompted with the option to create a “new page group”. Once the page wasenabled, SecureState browsed to the properties/configuration tab and allowed the newly created group page to have JSP access. SecureState proceeded to upload a custom JSP web shell. Once this shell was uploaded and operational, SecureState was able to run commands on the underlying operating system.
SecureState then used the “wget” command to download a binary from SecureState’s external server. This binary allowed SecureState to create a reverse TCP connection back to the externally hosted server. With this access, SecureState was able to use the compromised Oracle Application Server as a pivot point into the client’s internal network. The external penetration test quickly turned into an internal penetration assessment. A few internal vulnerabilities later, SecureState was able to achieve an enterprise admin account and collect the trophies for the penetration test.
This is a simple example, but it should serve as a reminder to simply change default credentials. For this assessment, this one vulnerability quickly escalated into SecureState achieving a full internal domain compromise from an external attack point. Weak passwords and default credentials continue to be one of the easiest and most widespread methods of attacks against majority of businesses.