CVE-2016-0492
Published 2016-01-21
CVE-2016-0492: Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote…
Priority P2 · 75 · medium · 6.4 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:N
EXPLOIT
EPSS 92.72% (99.8th percentile)
Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Load Testing for Web Apps, a different vulnerability than CVE-2016-0488. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that this is a directory traversal vulnerability in the isAllowedUrl function, which allows remote attackers to bypass authentication via directory traversal sequences following a URI entry that does not require authentication, as demonstrated by olt/Login.do/../../olt/UploadFileUpload.do.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 0 < 4.4.0-222.255 | 4.4.0-222.255 |
| oracle | application_testing_suite | — | — |
| oracle | application_testing_suite | — | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal authentication bypass by monitoring HTTP requests to paths matching the pattern /olt/Login.do/../../olt/UploadFileUpload.do — traversal sequences after a non-authenticated URI are the bypass mechanism.
- Alert on multipart/form-data POST requests to /olt/UploadFileUpload.do (or traversal equivalents) containing a 'storage.extension' field set to '.jsp', indicating attempted JSP webshell upload.
- Monitor for HTTP GET requests to /olt/pages/*.jsp following a POST to UploadFileUpload.do, which indicates webshell execution after a successful upload.
- Fingerprint vulnerable OATS instances by checking HTTP response bodies for the version string '12.4.0.2.0' on /admin/Login.do.
- Detect exploitation attempts on TCP port 8088, the default service port for Oracle Application Testing Suite targeted by this exploit.
- The exploit targets OATS versions 12.4.0.2.0 and 12.5.0.2; earlier versions may also be vulnerable but were not confirmed at time of disclosure.
- CVE-2016-0492 (auth bypass) is chained with CVE-2016-0491 (file upload) to achieve full RCE; both CVEs must be considered together for complete remediation and detection coverage.
- The Metasploit module generates a random 8-character alpha JSP filename per session, so static filename-based detection of the webshell will miss most real-world exploitation attempts; use path pattern /olt/pages/*.jsp instead.
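The request-path checks in the list above can be run over web access logs. The following is an added example, not code from any of the indexed sources: the log format, client addresses, file names and rule names are constructed, and case-insensitive path matching is an assumption. The 'storage.extension' multipart field is not visible in access logs, so that check is not covered here.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines: client, request line, status.
SAMPLE_LOG = """\
10.0.0.5 "GET /olt/Login.do HTTP/1.1" 200
10.0.0.9 "POST /olt/Login.do/../../olt/UploadFileUpload.do HTTP/1.1" 200
10.0.0.9 "GET /olt/pages/qwertyui.jsp HTTP/1.1" 200
10.0.0.7 "POST /olt/Login.do/%2e%2e/%2e%2e/olt/UploadFileUpload.do HTTP/1.1" 200
10.0.0.5 "GET /olt/pages/help.jsp HTTP/1.1" 200
"""

LINE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3})$')
UPLOAD = "/olt/uploadfileupload.do"  # compared lower-cased (assumption)
PAGES_JSP = re.compile(r"^/olt/pages/[^/]+\.jsp$")


def resolve(target):
    """Percent-decode a raw request target.

    Returns (has_traversal, normalised lower-case path) so that encoded
    or literal '..' segments resolve to the path the server would see.
    """
    decoded = unquote(urlsplit(target).path)
    return ".." in decoded.split("/"), posixpath.normpath(decoded).lower()


def scan(log_text):
    """Return (client, rule, raw_target) findings in log order."""
    findings, uploaders = [], set()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        client, method, target, _status = m.groups()
        traversal, path = resolve(target)
        if path == UPLOAD and (traversal or method == "POST"):
            rule = "traversal-to-upload" if traversal else "upload-post"
            findings.append((client, rule, target))
            if method == "POST":
                uploaders.add(client)  # remember who uploaded
        elif method == "GET" and client in uploaders and PAGES_JSP.match(path):
            findings.append((client, "jsp-after-upload", target))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Because the JSP check is keyed on the client having previously posted to the upload endpoint rather than on a file name, it still fires when the uploaded file name is random.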
CVSS provenance
nvd · v2.0 · 6.4 MEDIUM · AV:N/AC:L/Au:N/C:P/I:P/A:N
osv · 7.8 HIGH
GHSA
GHSA-h7fm-w82j-f8mp: Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12
ghsa_unreviewed·2022-05-17·CVSS 6.4
CVE-2016-0492 [MEDIUM] GHSA-h7fm-w82j-f8mp: Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12
GHSA
GHSA-6x37-w983-2c56: Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12
ghsa_unreviewed·2022-05-17·CVSS 6.4
CVE-2016-0488 [MEDIUM] GHSA-6x37-w983-2c56: Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12
Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Load Testing for Web Apps, a different vulnerability than CVE-2016-0492. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that this is a directory traversal vulnerability in the isAllowedUrl function in the admin pages, which allows remote attackers to bypass authentication and gain administrator access via directory traversal sequences following a URI entry that does not require authentication.
OSV
linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
osv·2022-03-22·CVSS 7.8
CVE-2022-0492 linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the
Linux kernel did not properly restrict access to the cgroups v1
release_agent feature. A local attacker could use this to gain
administrative privileges. (CVE-2022-0492)
It was discovered that the aufs file system in the Linux kernel did not
properly restrict mount namespaces, when mounted with the non-default
allow_userns option set. A local attacker could use this to gain
administrative privileges. (CVE-2016-2853)
It was discovered that the aufs file system in the Linux kernel did not
properly maintain POSIX ACL xattr data, when mounted with the non-default
allow_userns option. A local attacker could possibly use this to gain
elevated privileges. (CVE
No detection rules found.
Exploit-DB
Oracle Application Testing Suite (ATS) - Arbitrary File Upload (Metasploit)
exploitdb·2016-05-25
CVE-2016-0492 Oracle Application Testing Suite (ATS) - Arbitrary File Upload (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Oracle ATS Arbitrary File Upload',
'Description' => %q{
This module exploits an authentication bypass and arbitrary file upload
in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and
unknown earlier versions, to upload and execute a JSP shell.
},
'Author' => [
'Zhou Yu', # Proof of concept
'wvu' # Metasploit module
],
'References' => [
%w{CVE 2016-0492}, # Auth bypass
%w{CVE 2016-0491}, # File upload
%w{EDB 39691} # PoC
],
'DisclosureDate' => 'Jan 20 2016',
'License' => MSF_LICENSE,
'Platform' => %w{win linux},
'Arch' => ARCH_JAVA,
'Privi
Exploit-DB
Oracle Application Testing Suite (ATS) 12.4.0.2.0 - Authentication Bypass / Arbitrary File Upload
exploitdb·2016-04-13·CVSS 6.4
CVE-2016-0492 [MEDIUM] Oracle Application Testing Suite (ATS) 12.4.0.2.0 - Authentication Bypass / Arbitrary File Upload
---
# Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit
# Exploit Author: Zhou Yu
# Vendor Homepage: http://www.oracle.com/
# Software Link: http://www.oracle.com/technetwork/oem/downloads/apptesting-downloads-1983826.html?ssSourceSiteId=otncn
# Version: 12.4.0.2.0
# Tested on: Win7 SP1 32-bit
# CVE : CVE-2016-0492 and CVE-2016-0491
import urllib2
import urllib
ip = '192.168.150.239'
port = 8088
url = "http://" + ip + ":" + str(port)
#bypass authentication
url = url+"/olt/Login.do/../../olt/UploadFileUpload.do"
request = urllib2.Request(url)
webshell_content='''
'''
boundary = "---------------------------7e01e2240a1e"
request
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/137175/Oracle-ATS-Arbitrary-File-Upload.html
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- http://www.rapid7.com/db/modules/exploit/multi/http/oracle_ats_file_upload
- http://www.securityfocus.com/bid/81158
- http://www.securitytracker.com/id/1034734
- http://www.zerodayinitiative.com/advisories/ZDI-16-042
- https://www.exploit-db.com/exploits/39691/
- https://www.exploit-db.com/exploits/39852/