CVE-2016-0492
published 2016-01-21


Priority: P2 (75, medium)
CVSS 2.0: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploit: public exploit available
EPSS: 92.72% (99.8th percentile)
Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Load Testing for Web Apps, a different vulnerability than CVE-2016-0488. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that this is a directory traversal vulnerability in the isAllowedUrl function, which allows remote attackers to bypass authentication via directory traversal sequences following a URI entry that does not require authentication, as demonstrated by olt/Login.do/../../olt/UploadFileUpload.do.
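The third-party claim above describes a classic ordering bug: an authentication filter decides whether a URI needs a session by looking at the raw request string, while the container dispatches on the resolved path. The following is an added illustration of that bug class and its fix, not Oracle's code: the real isAllowedUrl function is not on this page, the allowlist of two Login.do entries is an assumption drawn from the IOCs listed further down, and the hardened version shows the standard remedy of canonicalizing before an exact allowlist match.

```python
from posixpath import normpath
from urllib.parse import unquote

# Illustrative allowlist of entry points served without a session. Assumption:
# the real filter's list is not on the page; these are the two Login.do URIs the
# advisory text and IOC list mention.
UNAUTHENTICATED = {"/olt/Login.do", "/admin/Login.do"}


def is_allowed_url_naive(uri: str) -> bool:
    """Prefix match on the raw request URI, the shape of check the third-party
    claim describes: anything that *starts with* an unauthenticated entry
    passes, so '/olt/Login.do/../../olt/UploadFileUpload.do' is let through
    even though the container resolves it to the upload handler."""
    return any(uri.startswith(entry) for entry in UNAUTHENTICATED)


def canonicalize(uri: str) -> str:
    """Reduce a request URI to the path the container will actually dispatch on:
    drop query and fragment, percent-decode twice (covers %252e double encoding),
    fold backslashes to slashes, then collapse '.' and '..' segments."""
    path = uri.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    path = normpath(path)
    # normpath never lets '..' climb above a leading '/', but a relative input
    # would come back without one; force it so the exact match below is strict.
    if not path.startswith("/"):
        path = "/" + path
    return path


def is_allowed_url_hardened(uri: str) -> bool:
    """Exact match of the canonical path against the allowlist. Anything that
    does not resolve to precisely an entry point requires a session."""
    return canonicalize(uri) in UNAUTHENTICATED


if __name__ == "__main__":
    probe = "/olt/Login.do/../../olt/UploadFileUpload.do"
    print("resolves to:", canonicalize(probe))
    print("naive allows:", is_allowed_url_naive(probe))
    print("hardened allows:", is_allowed_url_hardened(probe))
```

The order matters: decode and normalize first, then compare against exact strings. Doing the comparison on the raw URI, or using a prefix match at any point, reintroduces the bypass.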

Affected (3 ranges)

Vendor   Product                    Version range            Fixed in
linux    linux_kernel               >= 0, < 4.4.0-222.255    4.4.0-222.255
oracle   application_testing_suite  (not listed)             (not listed)
oracle   application_testing_suite  (not listed)             (not listed)

Note: the linux_kernel range does not match the product named in the description above; verify it against the vendor advisory before relying on it.

Detection & IOCs (extracted from sources)

url   /olt/Login.do/../../olt/UploadFileUpload.do
url   /olt/pages/webshell.jsp
url   /admin/Login.do
port  8088
path  ..\oats\servers\AdminServer\tmp\_WL_user\oats_ee\1ryhnd\war\pages
path  ../oats/servers/AdminServer/tmp/_WL_user/oats_ee/1ryhnd/war/pages
  • Detect directory traversal authentication bypass by monitoring HTTP requests to paths matching the pattern /olt/Login.do/../../olt/UploadFileUpload.do — traversal sequences after a non-authenticated URI are the bypass mechanism.
  • Alert on multipart/form-data POST requests to /olt/UploadFileUpload.do (or traversal equivalents) containing a 'storage.extension' field set to '.jsp', indicating attempted JSP webshell upload.
  • Monitor for HTTP GET requests to /olt/pages/*.jsp following a POST to UploadFileUpload.do, which indicates webshell execution after a successful upload.
  • Fingerprint vulnerable OATS instances by checking HTTP response bodies for the version string '12.4.0.2.0' on /admin/Login.do.
  • Detect exploitation attempts on TCP port 8088, the default service port for Oracle Application Testing Suite targeted by this exploit.
  • The exploit targets OATS versions 12.4.0.2.0 and 12.5.0.2; earlier versions may also be vulnerable but were not confirmed at time of disclosure.
  • CVE-2016-0492 (auth bypass) is chained with CVE-2016-0491 (file upload) to achieve full RCE; both CVEs must be considered together for complete remediation and detection coverage.
  • The Metasploit module generates a random 8-character alpha JSP filename per session, so static filename-based detection of the webshell will miss most real-world exploitation attempts; use the path pattern /olt/pages/*.jsp instead.
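The detection points above translate directly into a small stateful rule set. The following is an added example, not taken from the page's sources or from any vendor tool: it runs the three request-level rules (traversal after Login.do, multipart upload with storage.extension set to .jsp, and a GET to /olt/pages/*.jsp shortly after an upload) over constructed request records in the shape a reverse proxy or WAF in front of OATS might log, and adds the version fingerprint from the login page. The record layout, the 300-second upload-to-execution window, the source-IP correlation key, and the rule names are assumptions; in production you would additionally restrict the feed to traffic on TCP port 8088.

```python
import re

# Constructed sample request records (not from the page). Fields: source IP,
# epoch seconds, method, full request target, Content-Type, and the multipart
# field names/values. The 8-letter JSP name mirrors the Metasploit behaviour
# described in the IOC list.
EVENTS = [
    {"src": "203.0.113.5", "ts": 100, "method": "GET",
     "target": "/admin/Login.do", "ctype": "", "fields": {}},
    {"src": "203.0.113.5", "ts": 101, "method": "POST",
     "target": "/olt/Login.do/../../olt/UploadFileUpload.do",
     "ctype": "multipart/form-data; boundary=----x",
     "fields": {"storage.extension": ".jsp", "storage.name": "kqzpwtla"}},
    {"src": "203.0.113.5", "ts": 103, "method": "GET",
     "target": "/olt/pages/kqzpwtla.jsp?cmd=id", "ctype": "", "fields": {}},
    {"src": "198.51.100.9", "ts": 200, "method": "POST",
     "target": "/olt/UploadFileUpload.do",
     "ctype": "multipart/form-data; boundary=----y",
     "fields": {"storage.extension": ".csv", "storage.name": "results"}},
    {"src": "198.51.100.9", "ts": 900, "method": "GET",
     "target": "/olt/pages/help.jsp", "ctype": "", "fields": {}},
]

# Traversal that follows a Login.do entry: '..' or its percent-encoded form,
# with either slash style, since both appear in the IOC paths.
TRAVERSAL_AFTER_LOGIN = re.compile(r"/Login\.do/(?:\.\.|%2e%2e)[/\\]", re.IGNORECASE)
UPLOAD_HANDLER = re.compile(r"/UploadFileUpload\.do$", re.IGNORECASE)
WEBSHELL_GET = re.compile(r"^/olt/pages/[^/]+\.jsp$", re.IGNORECASE)

# Assumption: a GET to a JSP under /olt/pages/ within this many seconds of an
# upload from the same source is treated as execution of the uploaded file.
UPLOAD_TO_EXEC_WINDOW = 300


def path_of(target: str) -> str:
    """Strip query and fragment so the regexes see only the path."""
    return target.split("?", 1)[0].split("#", 1)[0]


def detect(events):
    """Return (ts, src, rule) alerts in time order."""
    alerts = []
    last_upload = {}  # src -> ts of the most recent POST to the upload handler
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = path_of(ev["target"])
        src, ts = ev["src"], ev["ts"]

        # Rule 1: traversal sequences after the unauthenticated entry point.
        if TRAVERSAL_AFTER_LOGIN.search(path):
            alerts.append((ts, src, "cve-2016-0492-auth-bypass"))

        # Rule 2: multipart POST to the upload handler asking for a .jsp extension.
        if ev["method"] == "POST" and UPLOAD_HANDLER.search(path):
            last_upload[src] = ts
            multipart = ev["ctype"].lower().startswith("multipart/form-data")
            ext = ev["fields"].get("storage.extension", "").lower()
            if multipart and ext == ".jsp":
                alerts.append((ts, src, "jsp-upload-attempt"))

        # Rule 3: GET of a JSP under /olt/pages/ shortly after an upload from the same source.
        if ev["method"] == "GET" and WEBSHELL_GET.match(path):
            prior = last_upload.get(src)
            if prior is not None and ts - prior <= UPLOAD_TO_EXEC_WINDOW:
                alerts.append((ts, src, "webshell-execution"))
    return alerts


VULNERABLE_VERSIONS = ("12.4.0.2.0", "12.5.0.2")


def fingerprint(login_page_body: str):
    """Return the first targeted version string found in an /admin/Login.do
    response body, or None. This identifies the version only; it does not
    prove the instance is unpatched."""
    for version in VULNERABLE_VERSIONS:
        if version in login_page_body:
            return version
    return None


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print(fingerprint("<html>Oracle Application Testing Suite 12.4.0.2.0</html>"))
```

Rule 3 is keyed on the source address, so an attacker who uploads from one IP and calls the shell from another is only caught by rules 1 and 2; correlating on the session cookie instead, where the proxy logs it, closes that gap. The .csv upload from the second source sets the upload timestamp but fires nothing, and the later GET falls outside the window.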

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v2.0     6.4    MEDIUM    AV:N/AC:L/Au:N/C:P/I:P/A:N
osv     (n/a)    7.8    HIGH      (vector not listed)