Oracle PeopleSoft products found to contain an unauthenticated remote code execution vulnerability - Vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201786243
Type myhack58
Reporter Anonymous
Modified 2017-05-19T00:00:00


Oracle PeopleSoft

A few months ago I was fortunate to have the opportunity to review Oracle's PeopleSoft solutions, including PeopleSoft HRMS and PeopleTools. Apart from a handful of CVEs with no published details, the internet seemed to offer very little on attack techniques against this class of software, but a presentation published by ERPScan's researchers two years ago gave me a great deal of valuable information. From that presentation it is clear that PeopleSoft is riddled with vulnerabilities, yet very little public information about them exists. PeopleSoft applications expose many different endpoints, a large proportion of which are unauthenticated. In addition, many services still run with default passwords, most likely a design decision made for the sake of interoperability. That design is not only insecure but unwise, and it leaves PeopleSoft fully exposed to attack. In this article I describe a general method for turning an XXE vulnerability into command execution with SYSTEM privileges; almost all PeopleSoft versions are affected.

XXE: access to the local network

Several XXE vulnerabilities in the product are already known, such as CVE-2013-3800 and CVE-2013-3821. The last exploit sample recorded in the ERPScan presentation is for CVE-2017-3548. In simple terms, these vulnerabilities let us extract the login credentials of the PeopleSoft and WebLogic consoles, but getting a shell from either console is no easy task. Moreover, since the most recent XXE vulnerability is a blind XXE, and we assume the target network sits behind a firewall, extracting data from local files is even harder.
CVE-2013-3821: Integration Gateway HttpListeningConnector XXE

POST /PSIGW/HttpListeningConnector HTTP/1.1
Host:
Content-Type: application/xml
...
]> &x;


CVE-2017-3548: Integration Gateway PeopleSoftServiceListeningConnector XXE

POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
Host:
Content-Type: application/xml
...

With these XXE vulnerabilities we can reach the various services on localhost and try to bypass firewall rules or authentication, but the first problem is finding out which local port a service is bound to. To solve it, we can request the service's home page and look at the cookie it sets:

Set-Cookie: SNP2118-51500-PORTAL-PSJSESSIONID=9JwqZVxKjzGJn1s5DLf1t46pz91FFb3p!-1515514079;

The cookie name tells us that the current service is running on port 51500, so the application can be reached at http://localhost:51500/.

Apache Axis

One of the unauthenticated services is an Apache Axis 1.4 server at http://website.com/pspc/services. Apache Axis generates WSDL and helper code from Java classes, which lets us build SOAP endpoints and interact with them. To manage the server, we must interact with the AdminService (its URL is shown in the request below). To make this easier to follow, here is a demonstration: in the following example, an administrator creates an endpoint based on the java.util.Random class:

POST /pspc/services/AdminService
Host:
SOAPAction: something
Content-Type: application/xml
...
xmlns:api="" xmlns:xsd="" xmlns:soapenv="">

xmlns="" xmlns:java="" xmlns:ns1="">

As a result, every public method of the java.util.Random class can be invoked as a web service. In the following example, we call Random.nextInt() via SOAP:

POST /pspc/services/RandomService
Host:
SOAPAction: something
Content-Type: application/xml
...
xmlns:api="" xmlns:xsd="" xmlns:soapenv="">

The response is as follows:

HTTP/1.1 200 OK
...
xmlns:soapenv="" xmlns:xsd=""
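Both exposures discussed so far, DTD-bearing messages sent to the Integration Gateway connectors and unauthenticated use of the Axis AdminService under /pspc/services, leave traces in web-tier request logs, and the PORTAL-PSJSESSIONID cookie name gives a defender a cheap inventory of which app-server ports are reachable. The following Python script is an added defender-side example, not code from the article or from Oracle or Apache. It assumes that logged requests can be reconstructed as method, path, Content-Type and body; it treats "Version", the sample service Axis 1.x deploys by default, as the only expected service (a placeholder allowlist to be replaced with your own deployment inventory); and it infers the port-in-cookie-name pattern from the Set-Cookie sample above. Every request record and the Set-Cookie value in the script are constructed for the example.

```python
"""Triage web-tier request records for the PeopleSoft exposures described above.
Added example: constructed records, not traffic from the original article."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Request:
    method: str
    path: str
    content_type: str
    body: str


# Endpoints named in the article.
GATEWAY_CONNECTORS = frozenset({
    "/PSIGW/HttpListeningConnector",
    "/PSIGW/PeopleSoftServiceListeningConnector",
})
AXIS_PREFIX = "/pspc/services/"

# Placeholder allowlist of Axis services expected on this host. "Version" is the
# sample service Axis 1.x deploys by default; replace with your own inventory.
KNOWN_SERVICES = frozenset({"Version"})

# Integration Broker messages carry no DTD, so any DOCTYPE is suspicious and an
# external (SYSTEM/PUBLIC) entity declaration is the classic XXE signature.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(r"<!ENTITY\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Axis WSDD deployment descriptor root element (optionally prefixed).
WSDD_RE = re.compile(r"<(?:\w+:)?deployment\b", re.IGNORECASE)


def looks_like_xml(req: Request) -> bool:
    return "xml" in req.content_type.lower() or req.body.lstrip().startswith("<")


def classify(req: Request) -> List[str]:
    """Return the findings for one request (empty list if nothing is flagged)."""
    findings: List[str] = []
    method = req.method.upper()

    # 1. XXE indicators on the Integration Gateway connectors.
    if req.path in GATEWAY_CONNECTORS and method == "POST" and looks_like_xml(req):
        if DOCTYPE_RE.search(req.body):
            findings.append("xxe-doctype")
        if EXT_ENTITY_RE.search(req.body):
            findings.append("xxe-external-entity")

    # 2. Apache Axis administration and service inventory.
    if method == "POST" and req.path.startswith(AXIS_PREFIX):
        service = req.path[len(AXIS_PREFIX):]
        if service == "AdminService":
            findings.append("axis-admin-call")
            if WSDD_RE.search(req.body):
                findings.append("axis-service-deployment")
        elif service not in KNOWN_SERVICES:
            findings.append(f"axis-unlisted-service:{service}")
    return findings


def scan(requests: List[Request]) -> Dict[int, List[str]]:
    """Map the index of every flagged request to its findings."""
    flagged: Dict[int, List[str]] = {}
    for i, req in enumerate(requests):
        findings = classify(req)
        if findings:
            flagged[i] = findings
    return flagged


# Pattern assumed from the article's sample cookie: <node>-<port>-PORTAL-PSJSESSIONID=...
COOKIE_PORT_RE = re.compile(r"^([A-Za-z0-9]+)-(\d+)-PORTAL-PSJSESSIONID=")


def port_from_cookie(set_cookie: str) -> Optional[int]:
    """Extract the app-server port leaked by the PORTAL-PSJSESSIONID cookie name."""
    m = COOKIE_PORT_RE.match(set_cookie.strip())
    return int(m.group(2)) if m else None


# Constructed sample records (not traffic from the article).
SOAP_ENV = 'xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
SAMPLE_REQUESTS = [
    Request("POST", "/PSIGW/HttpListeningConnector", "application/xml",
            '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY x SYSTEM "file:///placeholder">]><d>&x;</d>'),
    Request("POST", "/PSIGW/PeopleSoftServiceListeningConnector", "application/xml",
            '<?xml version="1.0"?><msg><body>routine integration message</body></msg>'),
    Request("POST", "/pspc/services/AdminService", "application/xml",
            f'<soapenv:Envelope {SOAP_ENV}><soapenv:Body>'
            '<deployment xmlns="http://xml.apache.org/axis/wsdd/"><!-- descriptor elided --></deployment>'
            '</soapenv:Body></soapenv:Envelope>'),
    Request("POST", "/pspc/services/Version", "text/xml",
            f'<soapenv:Envelope {SOAP_ENV}><soapenv:Body><getVersion/></soapenv:Body></soapenv:Envelope>'),
    Request("POST", "/pspc/services/RandomService", "application/xml",
            f'<soapenv:Envelope {SOAP_ENV}><soapenv:Body><nextInt/></soapenv:Body></soapenv:Envelope>'),
    Request("GET", "/", "", ""),
]
SAMPLE_SET_COOKIE = "SNP2118-51500-PORTAL-PSJSESSIONID=9JwqZVxKjzGJn1s5DLf1t46pz91FFb3p!-1515514079;"

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        r = SAMPLE_REQUESTS[idx]
        print(f"{r.method} {r.path}: {', '.join(findings)}")
    print("app-server port from cookie:", port_from_cookie(SAMPLE_SET_COOKIE))
```

Run it directly to print the flagged records. In practice the records come from an access log or reverse proxy that retains request bodies; a DOCTYPE sent to a PSIGW connector or any call to AdminService should be treated as an alert rather than a statistic, and the allowlist of Axis services should be generated from the deployment descriptors actually installed on the host.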
