CVE-2018-2879 PoC: Oracle Fusion Middleware Access Manager component security vulnerability

Source
Associated Vulnerability
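Title: Oracle Fusion Middleware Access Manager component security vulnerability (CVE-2018-2879)
Description: Oracle Fusion Middleware is a business innovation platform from the US company Oracle for enterprise and cloud environments; it provides middleware, software suites and related functionality. Access Manager is its access management component. A security vulnerability exists in the Authentication Engine subcomponent of the Access Manager component in Oracle Fusion Middleware versions 11.1.2.3.0 and 12.2.1.3.0. An attacker can exploit the vulnerability to take control of the component, affecting the availability, confidentiality and integrity of data.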
Description
Exploit for Oracle Access Manager padding oracle vulnerability (CVE-2018-2879)
Readme
# Oracle Access Manager (OAM) Authentication Bypass Exploit

### Introduction
Exploits the Oracle Access Manager (OAM) padding oracle vulnerability (CVE-2018-2879) to perform an authentication bypass and log in to any web app protected by OAM using a valid username.
<br /><br />This exploit is based on the OAM padding oracle vulnerability discovered by SEC Consult and was tested on OAM v12.2.1.3.0:

```
https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/
```

### Dependencies

```
pip install urllib3 paddingoracle requests
```
### Syntax
```
# python oam-auth-bypass.py -h
                                                                                                                                                                                                                                                                                 
 $$$$$$\   $$$$$$\  $$\      $$\        $$$$$$\              $$\     $$\                 $$$$$$$\
$$  __$$\ $$  __$$\ $$$\    $$$ |      $$  __$$\             $$ |    $$ |                $$  __$$\
$$ /  $$ |$$ /  $$ |$$$$\  $$$$ |      $$ /  $$ |$$\   $$\ $$$$$$\   $$$$$$$\            $$ |  $$ |$$\   $$\  $$$$$$\   $$$$$$\   $$$$$$$\  $$$$$$$\
$$ |  $$ |$$$$$$$$ |$$\$$\$$ $$ |      $$$$$$$$ |$$ |  $$ |\_$$  _|  $$  __$$\           $$$$$$$\ |$$ |  $$ |$$  __$$\  \____$$\ $$  _____|$$  _____|
$$ |  $$ |$$  __$$ |$$ \$$$  $$ |      $$  __$$ |$$ |  $$ |  $$ |    $$ |  $$ |          $$  __$$\ $$ |  $$ |$$ /  $$ | $$$$$$$ |\$$$$$$\  \$$$$$$\
$$ |  $$ |$$ |  $$ |$$ |\$  /$$ |      $$ |  $$ |$$ |  $$ |  $$ |$$\ $$ |  $$ |          $$ |  $$ |$$ |  $$ |$$ |  $$ |$$  __$$ | \____$$\  \____$$\
 $$$$$$  |$$ |  $$ |$$ | \_/ $$ |      $$ |  $$ |\$$$$$$  |  \$$$$  |$$ |  $$ |$$\       $$$$$$$  |\$$$$$$$ |$$$$$$$  |\$$$$$$$ |$$$$$$$  |$$$$$$$  |
 \______/ \__|  \__|\__|     \__|      \__|  \__| \______/    \____/ \__|  \__|\__|      \_______/  \____$$ |$$  ____/  \_______|\_______/ \_______/
                                                                                                   $$\   $$ |$$ |
                                                                                                   \$$$$$$  |$$ |
                                                                                                    \______/ \__|


                                                                                                OAM Authentication Bypass Exploit
                                                                                                            Developed by: Ayman ElSherif


usage: oam-auth-bypass.py [-h] [-a <agentid>] [-p <prefix>] [-e <Clear-text>]
                          [-d <Cipher-text>] [-i <username>] [-z <authid>]
                          [-c <cookie>] [-v]
                          url

positional arguments:
  url                   URL of a resource protected by OAM (Oracle WebGate)

optional arguments:
  -h, --help            show this help message and exit
  -a <agentid>, --agentid <agentid>
                        Agent ID for Oracle Web Gateway to use
  -p <prefix>, --prefix <prefix>
                        Prefix: a valid base64 encoded encquery value with
                        last block starts with a space character
  -e <Clear-text>, --encrypt <Clear-text>
                        Clear-text value to encrypt
  -d <Cipher-text>, --decrypt <Cipher-text>
                        Cipher-text value to decrypt
  -i <username>, --impersonate <username>
                        Username to create a login cookie for
  -z <authid>, --authid <authid>
                        Authorization ID
  -c <cookie>, --cookie <cookie>
                        A valid OAM authentication cookie
  -v, --verbose         Verbose output
```

### Decrypting OAMAuthnCookie cookie
![Alt text](example/01-decrypt.png?raw=true)
<br />
### Generating OAMAuthnCookie for admin user
![Alt text](example/02-impersonate.png?raw=true)
<br />
### Encrypting new OAMAuthnCookie cookie
![Alt text](example/03-encrypt.png?raw=true)
<br />
File Snapshot

```
[4.0K] /data/pocs/a3186d2a42720dab169652cb56df022a54334255
├── [1.9K] banner
├── [4.0K] example
│   ├── [147K] 01-decrypt.png
│   ├── [ 39K] 02-impersonate.png
│   ├── [104K] 03-encrypt.png
│   └── [ 91K] exploit.png
├── [4.0K] lib
│   ├── [ 12K] auth_bypass.py
│   ├── [ 606] constants.py
│   ├── [   0] __init__.py
│   ├── [2.3K] pad_buster.py
│   └── [1010] util.py
├── [4.1K] oam-auth-bypass.py
└── [3.9K] README.md

2 directories, 12 files
```