CVE-2016-0491
published 2016-01-21


Priority: P2 (67) · Severity: medium
CVSS 2.0: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Exploit: available
EPSS: 80.75% (99.6th percentile)
Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote attackers to affect integrity and availability via unknown vectors related to Load Testing for Web Apps. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that the UploadFileAction servlet allows remote authenticated users to upload and execute arbitrary files via an * (asterisk) character in the fileType parameter.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
oracle | application_testing_suite | (not given) | (not given)
oracle | application_testing_suite | (not given) | (not given)

Detection & IOCs (extracted from sources)

port: 8088
url: /olt/Login.do/../../olt/UploadFileUpload.do
url: /olt/pages/webshell.jsp
path: ../oats/servers/AdminServer/tmp/_WL_user/oats_ee/1ryhnd/war/pages
path: ..\oats\servers\AdminServer\tmp\_WL_user\oats_ee\1ryhnd\war\pages
url: /admin/Login.do
  • Detect the authentication bypass (the CVE-2016-0492 half of the chain) in POST requests to the UploadFileUpload.do servlet whose raw path carries a traversal, using the pattern /olt/Login.do/../../olt/UploadFileUpload.do; match on the raw, un-normalised path, since after normalisation the request looks like an ordinary upload.
  • Flag multipart POST requests to UploadFileUpload.do whose 'fileType' parameter contains a literal asterisk (*); the asterisk bypasses the file-extension restriction and is what turns the upload into arbitrary file write.
  • Alert on an HTTP GET for /olt/pages/*.jsp from a client that shortly before POSTed to UploadFileUpload.do; that sequence indicates a dropped JSP webshell being invoked.
  • Check for the version string '12.4.0.2.0' in the body of responses from /admin/Login.do to identify vulnerable OATS instances.
  • Monitor for JSP files written under the WebLogic temporary deployment path _WL_user/oats_ee/1ryhnd/war/pages, the drop directory used for the webshell.
  • Successful exploitation yields a process running as 'nt authority\system' on Windows targets; monitor for the OATS server process spawning child shells at that privilege level.
  • The exploit chains CVE-2016-0492 (authentication bypass via path traversal) with CVE-2016-0491 (arbitrary file upload); both CVEs must be present for the full attack chain to succeed.
  • The confirmed affected version is 12.4.0.2.0; earlier versions may also be vulnerable but were not tested.
  • The PoC was tested on Win7 SP1 32-bit; the Metasploit module also supports Linux targets, using a different directory-traversal path.
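As an added example (not code from cvebase, Oracle, the PoC or the Metasploit module), the first four detection bullets above expressed as rules run over constructed request records. The record field names, the ten-minute correlation window for the upload-then-JSP rule and the sample traffic are assumptions made for this example; the paths, parameter name and version string are the ones listed on this page.

```python
"""Detection rules for the OATS upload chain, run over constructed traffic.

Added example. Requests are modelled as records with fields
(ts, client, method, path, content_type, form) as a reverse proxy or WAF
log might supply; those field names are assumptions.
"""
import posixpath
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

UPLOAD_SERVLET = "/olt/UploadFileUpload.do"
WEBSHELL_RE = re.compile(r"^/olt/pages/[^/]+\.jsp$", re.IGNORECASE)
VULNERABLE_BANNER = "12.4.0.2.0"
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed; tune to your traffic


@dataclass
class Request:
    ts: datetime
    client: str
    method: str
    path: str                      # raw request path, before normalisation
    content_type: str = ""
    form: Dict[str, str] = field(default_factory=dict)  # multipart fields


def normalize(path: str) -> str:
    """Resolve '.' and '..' the way the servlet container will before routing."""
    return posixpath.normpath(path)


def hits_upload_servlet(req: Request) -> bool:
    return normalize(req.path).lower() == UPLOAD_SERVLET.lower()


def is_traversal_bypass(req: Request) -> bool:
    """Rule 1: '/Login.do/../' in the raw path, yet it resolves to the upload servlet."""
    return "/Login.do/../" in req.path and hits_upload_servlet(req)


def is_wildcard_filetype(req: Request) -> bool:
    """Rule 2: multipart POST to the upload servlet with '*' in fileType."""
    return (req.method == "POST" and hits_upload_servlet(req)
            and req.content_type.lower().startswith("multipart/form-data")
            and "*" in req.form.get("fileType", ""))


def is_vulnerable_banner(body: str) -> bool:
    """Rule 4: version string present in a /admin/Login.do response body."""
    return VULNERABLE_BANNER in body


def detect(requests: List[Request]) -> List[str]:
    """Rules 1-3 over a request stream; rule 3 ties a GET for /olt/pages/*.jsp to an
    earlier upload POST from the same client inside CORRELATION_WINDOW."""
    alerts: List[str] = []
    last_upload: Dict[str, datetime] = {}
    for req in sorted(requests, key=lambda r: r.ts):
        if is_traversal_bypass(req):
            alerts.append(f"{req.client} traversal-bypass {req.path}")
        if is_wildcard_filetype(req):
            alerts.append(f"{req.client} wildcard-fileType {req.form['fileType']}")
        if req.method == "POST" and hits_upload_servlet(req):
            last_upload[req.client] = req.ts
        if req.method == "GET" and WEBSHELL_RE.match(normalize(req.path)):
            seen = last_upload.get(req.client)
            if seen is not None and req.ts - seen <= CORRELATION_WINDOW:
                alerts.append(f"{req.client} jsp-after-upload {req.path}")
    return alerts


# Constructed sample traffic, not captured from a real host.
T0 = datetime(2016, 1, 22, 10, 0, 0)
SAMPLE = [
    Request(T0, "10.0.0.5", "GET", "/olt/Login.do"),
    Request(T0 + timedelta(seconds=5), "10.0.0.5", "POST",
            "/olt/Login.do/../../olt/UploadFileUpload.do",
            "multipart/form-data; boundary=xyz", {"fileType": "*"}),
    Request(T0 + timedelta(seconds=9), "10.0.0.5", "GET", "/olt/pages/webshell.jsp"),
    # Benign: authenticated upload of a permitted type, no traversal, no JSP fetch.
    Request(T0 + timedelta(seconds=30), "10.0.0.9", "POST", UPLOAD_SERVLET,
            "multipart/form-data; boundary=abc", {"fileType": "zip"}),
]

if __name__ == "__main__":
    for line in detect(SAMPLE):
        print(line)
```

Rule 1 deliberately keys on the raw path: a proxy or IDS that normalises before matching sees only a plain request to UploadFileUpload.do and misses the bypass. Rule 3 is the one worth tuning, since a legitimate user who uploads a file and then browses any JSP under /olt/pages/ within the window will trip it; narrowing it to JSP names not present in the deployed application removes most of that noise.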