# Oracle-BI (CVE-2020-2950)
## AMF deserialize
> **Version:** 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0
>
> **Install:** https://www.sql.edu.vn/obiee/oracle-business-intelligence-12c/
>
> **Ref:** https://peterjson.medium.com/cve-2020-2950-turning-amf-deserialize-bug-to-java-deserialize-bug-2984a8542b6f
---
## Exploit - PoC
> [amf.bin](https://github.com/tuo4n8/CVE-2020-2950/blob/main/amf.bin)
>
> Header cmd with base64 and child !!

---
## Debug trace bug
URL: `/analytics/jbips/messagebroker/cs/`
- Handle request -> `processCall()`
- Get input stream -> deserialize AMF package
- Get AMF object -> deserialize
- If matching type -> AMF readObject (`AMF3DATA.class`)
- `AMF3DATA.class` -> `AMF3ObjectInput`
- In `AMF3ObjectInput` -> `readComplexObject`
- In `readComplexObject`:
  - If the deserialized class is Externalizable -> `readExternal` chain
  - else -> `setField`
- AMF deserialize chain -> `readExternal` chain
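
The trace above shows that the class named in the AMF3 stream decides whether `readExternal` runs. As an added example (not part of the original PoC or of Oracle's code), this heuristic scanner lists the inline AMF3 class names in a request body and flags externalizable ones that are missing from an allow-list. The byte layout follows the public AMF3 specification; the class names, allow-list and sample bytes are constructed.

```python
import re

OBJECT_MARKER = 0x0A  # AMF3 object-marker
# Conservative pattern for a dotted Java class name (ASCII only).
CLASS_NAME = re.compile(rb"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+")

def read_u29(buf, pos):
    """Decode an AMF3 U29 variable-length integer; return (value, next_pos)."""
    value = 0
    for i in range(4):
        if pos >= len(buf):
            raise ValueError("truncated U29")
        byte = buf[pos]
        pos += 1
        if i == 3:  # the fourth byte contributes all 8 bits
            return (value << 8) | byte, pos
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos

def scan_amf3_classes(buf):
    """Heuristically list (class_name, externalizable) for inline AMF3 traits."""
    found = []
    for start in range(len(buf)):
        if buf[start] != OBJECT_MARKER:
            continue
        try:
            traits, pos = read_u29(buf, start + 1)
            if traits & 0b011 != 0b011:  # object or traits reference: no inline name
                continue
            name_hdr, pos = read_u29(buf, pos)
        except ValueError:
            continue
        length = name_hdr >> 1
        if not name_hdr & 1 or length == 0:  # string reference or anonymous object
            continue
        name = buf[pos:pos + length]
        if len(name) == length and CLASS_NAME.fullmatch(name):
            found.append((name.decode("ascii"), bool(traits & 0b100)))
    return found

def flag_unexpected(buf, allowed):
    """Return externalizable class names that are not on the allow-list."""
    return sorted({n for n, ext in scan_amf3_classes(buf) if ext and n not in allowed})

def amf3_object(name, externalizable):
    """Constructed AMF3 object header (no members), used only as sample input."""
    traits = 0x07 if externalizable else 0x03
    return bytes([OBJECT_MARKER, traits, (len(name) << 1) | 1]) + name.encode()

SAMPLE = (b"\x00\x03" + amf3_object("com.example.dto.Query", False)
          + amf3_object("com.example.cache.Holder", True))  # constructed bytes
ALLOWED = {"com.example.dto.Query"}  # hypothetical allow-list
```

Because it scans for markers rather than parsing the full AMF envelope, class names sent as string-table references are not reported.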