
Add CVE-2019-2557 - Oracle Application Testing Suite Directory Traversal #11822

Merged
merged 5 commits into from May 24, 2019

6 participants
@wchen-r7 (Contributor) commented May 7, 2019

Background

Oracle Application Testing Suite (OATS) is a comprehensive, integrated testing solution for web applications, web services, packaged Oracle applications, and Oracle databases. OATS is part of an application deployed in the WebLogic service on port 8088, which also includes these tools: Administrator, OpenScript, Oracle Load Testing, and Oracle Test Manager.

In the Load Testing component, a vulnerability was discovered by Steven Seeley (@mr_me) of Source Incite in the DownloadServlet class. According to the Source Incite advisory, the issue results from the lack of proper validation of a user-supplied string before using it to read a file. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Note that authentication is required.

This vulnerability is also known as CVE-2019-2557.

Setup

The following is the exact setup I used to test and analyze the vulnerability:

  • Windows Server 2008 R2 x64 (other Windows systems are also supported)
    • .Net Framework 3.5 enabled (from add/remove features)
    • IE ESC (from Server Manager) disabled
    • 8GB of RAM (at least more than 4GB will be used to run OATS)
    • Dual-Core processor
  • oats-win64-full-13.3.0.1.262.zip (x86 did not work for me)
  • Jdk-7u21-windows-x64.exe
  • OracleXE112_Win64.zip (Newer version 18c did not work well for me)
  • Firefox (I had to install this because IE on Win2k8 is completely outdated)
  • Adobe Flash installed (IE ESC needs to be disabled in order to install this)

For installation instructions, please refer to the Oracle Application Testing Suite Installation Guide.

Verification

  • Install OATS by following the instructions above
  • load the Metasploit module
  • Set the rhosts, HttpUsername, and HttpPassword
  • run
  • You should get the oats-config.xml file
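As an added illustration of the defect class described above (a user-supplied string used to pick a file without validation), and not code from this module or from Oracle: a path-containment check of the kind a DownloadServlet-style handler needs, written in Ruby. The `resolve_download_path` and `read_download` names, the base directory and the temporary files are hypothetical.

```ruby
require "uri"
require "tmpdir"

# Returns the canonical absolute path when +requested+ stays inside +base_dir+,
# or nil when it would escape (a directory traversal attempt).
def resolve_download_path(base_dir, requested)
  # Decode percent-encoding once so "%2e%2e%2f" is treated like "../".
  decoded = URI.decode_www_form_component(requested.to_s)
  # Treat backslashes as separators too: the affected product runs on Windows.
  decoded = decoded.tr("\\", "/")
  # Embedded NUL bytes can truncate paths inside native file APIs.
  return nil if decoded.include?("\0")

  base = File.expand_path(base_dir)
  candidate = File.expand_path(decoded, base) # collapses "." and ".." lexically
  # Containment: the candidate must be base itself or sit below "base/".
  return nil unless candidate == base || candidate.start_with?(base + File::SEPARATOR)
  candidate
end

# Reads the file only after a second, symlink-aware containment check,
# because File.expand_path never touches the filesystem.
def read_download(base_dir, requested)
  path = resolve_download_path(base_dir, requested)
  return nil if path.nil? || !File.file?(path)
  real = File.realpath(path)
  real_base = File.realpath(File.expand_path(base_dir))
  return nil unless real.start_with?(real_base + File::SEPARATOR)
  File.binread(real)
end

# Constructed layout: a "reports" directory that may be served, and a sibling
# "config" directory holding a file that must never be reachable through it.
def demo
  Dir.mktmpdir do |root|
    reports = File.join(root, "reports")
    Dir.mkdir(reports)
    Dir.mkdir(File.join(root, "config"))
    File.write(File.join(reports, "result.csv"), "ok\n")
    File.write(File.join(root, "config", "oats-config.xml"), "<secret/>\n")
    {
      legit: read_download(reports, "result.csv"),
      traversal: read_download(reports, "../config/oats-config.xml"),
      encoded: read_download(reports, "..%2Fconfig%2Foats-config.xml"),
      backslash: read_download(reports, "..\\config\\oats-config.xml")
    }
  end
end
```

The check decodes exactly once; a front end that decodes a second time before handing the value on would need the check applied to the value it actually uses.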

@wchen-r7 wchen-r7 changed the title Add CVE-2019-2557 - OATS Directory Traversal Add CVE-2019-2557 - Oracle Application Testing Suite Directory Traversal May 7, 2019

@jhart-r7 (Contributor) commented May 9, 2019

For context, in recent Sonar studies of port 8088/TCP we found only 15 IPs that appear to be the affected OATS application out of >874k endpoints confirmed to be speaking HTTP. A similar search across all other HTTP/S endpoints yielded 0 OATS instances.

@stevenseeley (Contributor) commented May 10, 2019

> For context, in recent Sonar studies of port 8088/TCP we found only 15 IPs that appear to be the affected OATS application out of >874k endpoints confirmed to be speaking HTTP. A similar search across all other HTTP/S endpoints yielded 0 OATS instances.

OATS is designed for internal unit testing; there's no reason this should ever be exposed online. This is more for internal engagements and/or pivoting after getting a foothold from remote type of thing. I will quote Oracle:

> Oracle Load Testing provides an easy and accurate way to test the scalability of your e-Business applications

@jrobles-r7 jrobles-r7 self-assigned this May 21, 2019

wchen-r7 and others added some commits May 22, 2019

@jrobles-r7 jrobles-r7 merged commit c36a728 into rapid7:master May 24, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request May 24, 2019

@jrobles-r7 (Contributor) commented May 24, 2019

Release Notes

The oats_downloadservlet_traversal module exploits a directory traversal in the Load Testing component of Oracle Application Testing Suite to download a configuration file that includes encrypted credentials. Authentication is required.

msjenkins-r7 added a commit that referenced this pull request May 24, 2019
