Miracle - One Vulnerability To Rule Them All

Jang and I trying to pwn Oracle :D

# Introduction

# Summary

# The Story

# The start of the journey

https://www.zerodayinitiative.com/advisories/published/
  1. Oracle ADF Faces Deserialization of Untrusted Data Leads to Remote Code Execution (CVE-2022-21445)
Servlet mappings

The path from the resource servlet down to the deserialization call:

  • org.apache.myfaces.trinidad.webapp.ResourceServlet.doGet()
  • org.apache.myfaces.trinidad.resource.ResourceLoader.getResource()
  • oracle.adfinternal.view.resource.rich.RemoteApplicationResourceLoader
  • oracle.adfinternal.view.resource.rich.RemoteApplicationResourceLoader._getPathBean()
  • oracle.adfinternal.view.rich.remote.resources.URLEncoderPathBean.getInstanceFromString()
  • oracle.adf.view.rich.util.SerializationUtils.fromURLEncodingString()
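
As an added example for defenders (not code from the original post or from Oracle), a small log scanner that flags requests whose query parameter or path segment carries a Java serialization stream header, the signature of the data reaching fromURLEncodingString. It assumes the payload travels as either percent-encoded raw bytes or base64 text (the post does not state the encoding), and the /afr paths and log lines are constructed placeholders.

```python
import base64
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Header of every Java serialization stream: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"

# Constructed sample request lines (combined-log style); the /afr paths are placeholders.
SAMPLE_LINES = [
    '10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /afr/remote/rO0ABXNyAAlIZWxsb1dvcmxk HTTP/1.1" 200 12',
    '10.0.0.6 - - [01/Jan/2022:10:00:01 +0000] "GET /afr/images?state=%AC%ED%00%05sr%00 HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2022:10:00:02 +0000] "GET /afr/images?_afrLoop=1234567&size=10 HTTP/1.1" 200 3311',
]

def raw_params(query: str):
    """Split a query string without percent-decoding, so raw bytes survive intact."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield name, value

def decodings(value: str):
    """Yield the byte forms a text-carried payload could take: percent-decoded, then base64."""
    raw = unquote_to_bytes(value)
    yield raw
    text = raw.decode("latin-1").strip()
    if re.fullmatch(r"[A-Za-z0-9+/_=-]+", text):
        padded = text + "=" * (-len(text) % 4)  # tolerate stripped padding
        for decode in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                yield decode(padded)
            except ValueError:
                pass

def looks_like_java_serialized(value: str) -> bool:
    return any(b.startswith(JAVA_SER_MAGIC) for b in decodings(value))

def scan_request_line(line: str):
    """Return (path, carrier) when a parameter or path segment holds a stream header, else None."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    for name, value in raw_params(url.query):
        if looks_like_java_serialized(value):
            return url.path, name
    for segment in url.path.split("/"):
        if segment and looks_like_java_serialized(segment):
            return url.path, "<path>"
    return None
```

Running `scan_request_line` over each entry of `SAMPLE_LINES` flags the first two requests and leaves the ordinary ADF request alone.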

# Exploring more affected products

  • Oracle Business Intelligence
  • Oracle Enterprise Manager
  • Oracle Identity Management
  • Oracle SOA Suite
  • Oracle WebCenter Portal
  • Oracle Application Testing Suite
  • Oracle Transportation Management

# Pre-auth SSRF (CVE-2022-21497) + ADF Faces Deserialization leads to pre-auth RCE in OAM

  • oracle.security.fed.security.crypto.engine.impl.SAML20XmlCryptoEngine.processIncoming()
  • oracle.security.fed.security.crypto.enc.DomXmlDecrypter.getDecryptionKey()
  • oracle.security.xmlsec.dsig.ObjectReference.dereference()

SOAP-based SAML request to http://HOST:PORT/oamfed/idp/soap/

# Universal gadget chain for 10.3.x

  • GenericClassLoader > FilteringClassLoader > GenericClassLoader > Launcher$AppClassLoader
  • We have an insecure deserialization from the OAM / ADF application context without any restriction
  • Most of the WebLogic 10.3.6 libraries and Coherence.jar are loaded into the classpath.

# The patch

original
the patch

# Exploiting Oracle Online Systems

edelivery.oracle.com
businessnetwork.oracle.com
login.oracle.com

# Timeline

  • 25/10/2021, We sent the first report to Oracle
  • 29/10/2021, The issues were accepted by Oracle and they were investigating
  • 02/11/2021, We sent a second report to Oracle about the exploit affecting 10.3.x versions
  • 18/01/2022, Oracle fixed the first pre-auth RCE in OAM found by Jang in the January Critical Patch Update
  • 19/04/2022, Oracle fixed the ADF Faces vulnerability in the April Critical Patch Update
  • 23/06/2022, We published this blog
