Oracle Business Transaction Management FlashTunnelService WriteToFile Vulnerability

2012-08-17T00:00:00
ID SAINT:B42355A529176064304EEB2FB74B4E18
Type saint
Reporter SAINT Corporation
Modified 2012-08-17T00:00:00

Description

Added: 08/17/2012
BID: 54839

Background

Oracle Business Transaction Management (BTM) is a component of several Oracle Enterprise Manager Management Packs, including WebLogic Server Management Pack Enterprise Edition. Oracle BTM provides capability in three key areas: transaction visibility, performance and SLA management, and exception management.

Problem

Oracle Business Transaction Management 12.1.0.2.7, as delivered with Oracle WebLogic Server 12c (12.1.1), is vulnerable to remote code execution as a result of a directory traversal vulnerability. The Oracle BTM server installs a web service called **FlashTunnelService** that processes incoming SOAP requests without requiring prior authentication. This SOAP interface exposes a **writeToFile** operation whose "handle" property controls the location of the file to be written and is not sanitized against directory traversal sequences, while the "text" element supplies the file contents. A remote attacker can therefore write an arbitrary file to any location the WebLogic process can write to. In particular, writing a JavaServer Pages (JSP) script into the main web server root and then requesting it executes arbitrary code with the permissions of the WebLogic installation.
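The root cause described above is a classic path confinement failure: a caller-supplied name ("handle") is joined to a base directory without being canonicalized and checked. The following Python is an added example, not code from Oracle BTM or from the advisory, showing the unsafe join beside a hardened version. The base directory `/opt/oracle/btm/data` is an assumed stand-in; the page does not say where the real service writes. Backslashes and drive letters are rejected as well because the affected installations run on Windows, where the Java file API would honour them.

```python
import posixpath
import re

# Assumed stand-in for the directory the service is meant to write into.
# The real location is not given in the advisory.
BASE_DIR = "/opt/oracle/btm/data"


def vulnerable_target_path(handle: str) -> str:
    """The pattern the advisory describes: the caller-controlled handle decides
    the file location. Joining and normalizing collapses '..' segments, so a
    handle of '../../wlserver/webroot/shell.jsp' lands outside BASE_DIR and an
    absolute handle replaces BASE_DIR entirely."""
    return posixpath.normpath(posixpath.join(BASE_DIR, handle))


class TraversalError(ValueError):
    """Raised when a handle would resolve outside the base directory."""


def safe_target_path(handle: str) -> str:
    """Hardened version: reject obviously hostile input, canonicalize, then
    confine the result to BASE_DIR. Returns the resolved path on success."""
    if not handle or handle != handle.strip():
        raise TraversalError("empty or whitespace-padded handle")
    if "\x00" in handle:
        raise TraversalError("NUL byte in handle")
    # Treat backslashes as separators too; the targets in this advisory are
    # Windows hosts, where '..\\' is as effective as '../'.
    normalized = handle.replace("\\", "/")
    if posixpath.isabs(normalized) or re.match(r"^[A-Za-z]:", normalized):
        raise TraversalError("absolute path or drive letter in handle")
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, normalized))
    # Confinement check: the resolved path must be a descendant of BASE_DIR.
    if resolved == BASE_DIR:
        raise TraversalError("handle does not name a file")
    if not resolved.startswith(BASE_DIR + "/"):
        raise TraversalError("handle escapes base directory: %r" % handle)
    return resolved


def is_confined(handle: str) -> bool:
    """Convenience predicate: True if the handle stays inside BASE_DIR."""
    try:
        safe_target_path(handle)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample handles: one benign, the rest traversal attempts.
    for h in ["reports/2012-08.txt", "../../wlserver/webroot/shell.jsp",
              "..\\..\\shell.jsp", "/etc/passwd", "C:/inetpub/shell.jsp"]:
        print("%-40r vulnerable->%-45s confined=%s"
              % (h, vulnerable_target_path(h), is_confined(h)))
```

Confining on the canonicalized result, rather than scanning the input for ".." strings, is what makes the check robust: a handle such as `a/../b.txt` is accepted because it still resolves inside the base directory, while anything that climbs above it is rejected regardless of how the traversal is spelled.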

Resolution

Apply the patch referenced in the Oracle Critical Patch Update - July 2012.

References

<http://www.exploit-db.com/exploits/20318/>

Limitations

This exploit was tested against Oracle Business Transaction Management 12.1.0.2.7 on Microsoft Windows Server 2003 SP2 English (DEP OptOut) and Microsoft Windows Server 2008 SP2 (DEP OptOut).

The "Server Examples" component must be installed with Oracle WebLogic.

Platforms

Windows