Oracle Business Transaction Management (BTM) is a component of several Oracle Enterprise Manager Management Packs, including WebLogic Server Management Pack Enterprise Edition. Oracle BTM provides capability in three key areas: transaction visibility, performance and SLA management, and exception management.
Oracle Business Transaction Management 184.108.40.206.7, as delivered with Oracle WebLogic Server 12c (12.1.1), is vulnerable to remote code excecution as a result of a directory traversal vulnerability. Oracle BTM server installs a web service called
**FlashTunnelService** which processes incoming SOAP requests without requiring prior authentication. This SOAP interface exposes the
**writeToFile** function which could allow a remote attacker to write arbitrary files on the target server by exploiting a directory traversal vulnerability associated with the "handle" property to control the file location. By using the "text" element to control the file contents, an attacker can create an arbitrary JavaServer Pages (JSP) script in the main web server root to execute arbitrary code with the permissions of the WebLogic installation.
Apply the patch referenced in the Oracle Critical Patch Update - July 2012.
This exploit was tested against Oracle Business Transaction Management 220.127.116.11.7 on Microsoft Windows Server 2003 SP2 English (DEP OptOut) and Microsoft Windows Server 2008 SP2 (DEP OptOut).
The "Server Examples" component must be installed with Oracle WebLogic.