Attack technique
Technique name: Oracle EBS - CVE-2022-21587 - Remote Code Execution
MITRE ATT&CK
Tactic(s): Initial Access, Execution
Technique(s): Exploit Public-Facing Application
Technique description
- Oracle E-Business Suite (EBS) is a suite of integrated business applications that covers different sets of capabilities in the realms of Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Supply Chain Management, etc.
- In 2022, an RCE vulnerability (CVE-2022-21587) was identified in Oracle EBS. The vulnerability was later addressed by Oracle’s Critical Patch Update.
- This vulnerability allows a malicious actor to send HTTP requests carrying a malicious zipped payload, abusing Oracle EBS mechanisms to plant a malicious web shell of different types (.pl, .jsp) and eventually execute arbitrary code on the victim server.
- This Remote Code Execution vulnerability does not require prior authentication by the malicious actor.
- There are multiple ways to exploit this vulnerability by uploading malicious web shells (.jsp, .pl). However, the high-level flow shares the following characteristics:
- The upload of the malicious web shell involves an upload of a .zip file to the Oracle EBS server. This .zip file has to be encoded in the specific format the Oracle EBS server expects, and the name of the file has to be changed to “.uue”.
- After the upload of the zip file using the relevant HTTP POST request, the attacker sends another HTTP request to execute the web shell and provide the commands to run. This part can be conducted in different ways, depending on the type of web shell uploaded. The target HTTP path will mostly be the path of the uploaded web shell itself, or another path that triggers the execution of the uploaded web shell.
Example of one attack flow:
- The attacker uploaded a malicious .zip file using an HTTP POST request toward one of the vulnerable endpoints, for example /OA_HTML/BneOfflineLOVService, using the parameter ?bne:uueupload=TRUE to upload the UUE-encoded zip file.
- A .zip file was written to the following path on disk: / / / / /EBSapps/appl/bne/12.0.0/upload/zoop.zip
- This .zip file contained a .jsp web shell, which was in turn written to disk at the following path: / / / / /FMW_Home/Oracle_EBS-app1/applications/forms/forms/maljsp.jsp
- An HTTP request toward <http://server-name:>/forms/maljsp.jsp?cmd= was then used to remotely execute arbitrary commands.
- This example attack flow also takes advantage of a path traversal vulnerability together with the RCE.
- It is important to mention that Oracle has already published a dedicated patch; if it has not been installed yet, it is highly recommended to do so as soon as possible.
Potential blind spot of the Threat Hunting campaign: some of the paths used in cases where an attacker exploited the Oracle EBS vulnerability in combination with a directory traversal vulnerability may not be identified by the following Threat Hunting queries.
References
Here are multiple data sources related to the abuse of the Oracle EBS RCE vulnerability:
Hunters’ Team Axon also observed multiple exploitation attempts in the wild, including multiple different web shell payloads (both .pl and .jsp web shells).
Threat hunting theses breakdown
In this Threat Hunting campaign we looked at multiple TTPs/IOCs known to be related to Oracle EBS RCE exploitation, also based on examples we saw in the wild. The campaign included multiple Threat Hunting theses; here is the full breakdown of them:
Thesis 1: HTTP requests toward known Oracle EBS vulnerable paths
Relevant data sources
Main data source: Web Requests Logs
Complementary data sources: -
Thesis explanation
In this hunting thesis we hunted for web requests toward known paths that are vulnerable to the Oracle EBS RCE vulnerability. The paths we were looking for contained the following fragments:
- %/OA_HTML/BneUploaderService%
- %/OA_HTML/BneViewerXMLService%
- %/OA_HTML/BneDownloadService%
- %/OA_HTML/BneOfflineLOVService%
Those paths can be used by an attacker in order to upload malicious files to the vulnerable server.
Thesis 2: Identification of “.jsp” web shells related to exploitation of Oracle EBS
Relevant data sources
Main data source: EDR Logs
Complementary data sources: -
Thesis explanation
In this hunting thesis we looked for “.jsp” files written to a path that matches the following format: %/forms/%.jsp, and that also includes the string “EBS” in the path.
In addition, where possible we also looked for Java classes written to a path that includes both of the following strings: %jsp_servlet% & %EBS%
Those characteristics were identified as potentially relevant to an exploitation of the Oracle EBS RCE in the cases in which the attacker used a .jsp web shell.
Blind spots
Part of this hunting thesis was conducted only against customers with specific EDR vendors that provided the relevant information as part of their logs.
Thesis 3: Identification of perl web shells related to exploitation of Oracle EBS
Relevant data sources
Main data source: EDR Logs
Complementary data sources: -
Thesis explanation
“txkFNDWRR.pl” is a script included in Oracle EBS servers. In this hunting thesis we looked for “txkFNDWRR.pl” files that don’t align with the benign format of those files (where possible), and more generally for write activity of files with this exact name. Identification of such files might indicate a successful Oracle EBS RCE exploitation and the planting of a Perl web shell.
Blind spots -
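The file-write checks of Thesis 2 (.jsp under /forms/ with “EBS” in the path, Java classes under jsp_servlet) and Thesis 3 (any write of txkFNDWRR.pl) expressed as one Python triage routine over EDR file events. This is an added example, not one of Team Axon’s queries: the event tuple layout and every sample path are constructed for the demonstration (only the maljsp.jsp path mirrors the attack flow described above).

```python
import os
import re

# Constructed EDR file-write events (not real telemetry).
# Each record: (hostname, writing process, full path written).
SAMPLE_FILE_EVENTS = [
    ("ebs-app1", "java", "/u01/FMW_Home/Oracle_EBS-app1/applications/forms/forms/maljsp.jsp"),
    ("ebs-app1", "java", "/u01/FMW_Home/Oracle_EBS-app1/jsp_servlet/__maljsp.class"),
    ("ebs-app1", "perl", "/u01/EBSapps/appl/fnd/12.0.0/bin/txkFNDWRR.pl"),
    ("ebs-app1", "java", "/u01/EBSapps/comn/webapps/oacore/html/help.jsp"),   # EBS but not under /forms/
    ("web-01", "httpd", "/var/www/forms/index.jsp"),                          # /forms/ but no "EBS"
]

# SQL LIKE '%/forms/%.jsp' translated to a regex: "/forms/" anywhere, ".jsp" at the end.
JSP_UNDER_FORMS = re.compile(r"/forms/.*\.jsp$", re.IGNORECASE)


def classify_file_write(path):
    """Return the list of hunting theses a single written path matches (empty if none)."""
    hits = []
    # Thesis 2: .jsp under /forms/ whose path also carries the literal string "EBS"
    if JSP_UNDER_FORMS.search(path) and "EBS" in path:
        hits.append("thesis2_jsp_webshell")
    # Thesis 2 (complementary): compiled JSP class under jsp_servlet, again with "EBS" in the path
    if "jsp_servlet" in path and "EBS" in path:
        hits.append("thesis2_compiled_jsp_class")
    # Thesis 3: any write of a file with this exact name, regardless of directory
    if os.path.basename(path) == "txkFNDWRR.pl":
        hits.append("thesis3_txkFNDWRR_write")
    return hits


def hunt_file_writes(events):
    """Run the classifier over EDR file-write records and keep only the matching ones."""
    findings = []
    for host, process, path in events:
        labels = classify_file_write(path)
        if labels:
            findings.append({"host": host, "process": process, "path": path, "theses": labels})
    return findings


if __name__ == "__main__":
    for finding in hunt_file_writes(SAMPLE_FILE_EVENTS):
        print(finding["host"], ",".join(finding["theses"]), finding["path"])
```

The "EBS" substring check is kept case-sensitive on purpose, matching the literal string the theses name; a deployment that indexes paths case-insensitively should relax it, otherwise installations whose directory names spell the product differently are a blind spot of this check too.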
Thesis 4: Identification of HTTP requests toward a UUE upload URL endpoint
Relevant data sources
Main data source: EDR Logs
Complementary data sources: -
Thesis explanation
In this threat hunting thesis we looked at HTTP requests that originated from organizational assets toward Oracle EBS UUE upload URL endpoints (bne:uueupload=TRUE). This was conducted to detect cases in which an external attacker attempted to upload a malicious zip (uue) file to an Oracle EBS server, leading to intercommunication between different services on the same Oracle EBS server or on two different servers.
Blind spots
Hunting based on this thesis was conducted only against customers with specific EDR vendors that provided the relevant information as part of their logs.
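Thesis 1 (requests toward the four vulnerable Bne* paths) and Thesis 4 (requests carrying bne:uueupload=TRUE) both reduce to the same parsing-and-matching step, so here is one Python example serving both. It is an added example, not one of Team Axon’s queries: the Apache-style access log lines are constructed (the IPs are documentation ranges), and the priority labels and helper names are assumptions. It goes slightly beyond the text by URL-decoding the path and the query before matching, so that a percent-encoded request does not slip past the substring checks.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access log lines (not real traffic). Lines 1 and 4 mimic the
# UUE upload stage described in the technique section; line 4 is percent-encoded.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [17/Jan/2023:10:01:02 +0000] "POST /OA_HTML/BneOfflineLOVService?bne:uueupload=TRUE HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Jan/2023:10:05:44 +0000] "GET /OA_HTML/BneViewerXMLService?bne:report=1 HTTP/1.1" 200 128',
    '192.0.2.5 - - [17/Jan/2023:10:06:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
    '203.0.113.10 - - [17/Jan/2023:10:07:15 +0000] "POST /OA_HTML/BneUploaderService?bne%3Auueupload=TRUE HTTP/1.1" 200 300',
    'not a log line at all',
]

# Thesis 1 path fragments; the hunting queries express these as SQL LIKE '%...%'.
VULNERABLE_PATH_FRAGMENTS = (
    "/OA_HTML/BneUploaderService",
    "/OA_HTML/BneViewerXMLService",
    "/OA_HTML/BneDownloadService",
    "/OA_HTML/BneOfflineLOVService",
)
# Thesis 4 indicator: the query-string parameter bne:uueupload=TRUE.
UUE_UPLOAD_PARAM = "bne:uueupload"

# Common Log Format: client ip, identity, user, [timestamp], "METHOD target PROTOCOL", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def triage_request(line):
    """Parse one access-log line; return a finding dict, or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None                                   # unparseable line: skip, do not crash the hunt
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)                        # decode so %2F-style encoding cannot hide the fragment
    params = parse_qs(parts.query)                    # parse_qs percent-decodes keys and values itself
    hits_path = any(frag.lower() in path.lower() for frag in VULNERABLE_PATH_FRAGMENTS)
    uue_upload = any(v.upper() == "TRUE" for v in params.get(UUE_UPLOAD_PARAM, []))
    if not (hits_path or uue_upload):
        return None
    return {
        "src_ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "path": path,
        "vulnerable_path": hits_path,
        "uue_upload": uue_upload,
        # a POST carrying bne:uueupload=TRUE is the upload stage itself, so it ranks highest
        "priority": "high" if (uue_upload and m.group("method") == "POST") else "medium",
    }


def hunt_web_logs(lines):
    """Apply the triage to every line and keep the findings, in log order."""
    return [finding for finding in map(triage_request, lines) if finding]


def sources_by_ip(findings):
    """Group findings per source IP: the pivot list for the investigation flow."""
    grouped = {}
    for finding in findings:
        grouped.setdefault(finding["src_ip"], []).append(finding)
    return grouped


if __name__ == "__main__":
    for ip, hits in sources_by_ip(hunt_web_logs(SAMPLE_ACCESS_LOG)).items():
        print(ip, [(h["method"], h["path"], h["priority"]) for h in hits])
```

A GET toward one of the Bne* services without the upload parameter is still reported (at medium priority), since those services are reached during normal use and the path alone is a weaker signal than the upload parameter.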
Thesis 5: IOC Sweep - Looking for IOCs witnessed by Team Axon
Relevant data sources
Main data source: Multiple Log Source
Complementary data sources: -
Thesis explanation
In this part of the threat hunting campaign, an IOC sweep was conducted against IOCs witnessed by Team Axon, including specific IP addresses and file hashes.
Blind spots
Part of this hunting thesis was conducted only against customers with specific EDR vendors that provided the relevant information as part of their logs.
Recommended investigation flow
Detection can be done at different levels, using different log sources. However, as a general investigation flow, in case of detection of an incoming HTTP POST request with an indication of a UUE upload toward Oracle EBS server(s) (the initial stage of the attack), it is recommended to conduct an EDR-based investigation, focusing on the identification of the following:
- A ZIP file written to disk right after the HTTP POST request.
- A .jsp or .pl file written to disk shortly after the ZIP file was written.
- Execution of the uploaded .jsp/.pl file (potentially after an indication of an HTTP request to the path to which the web shell was uploaded).
- If execution of such a script was identified, check its hash, and look for child processes and other activity related to this process (e.g. network events). It is very likely that in such cases the script written to disk is a malicious web shell, and it should be carefully investigated.
- Look for the source IPs of the relevant HTTP requests (the UUE upload, and the HTTP requests toward the relevant web shells and/or the paths associated with their execution on the victim server). Each identified source IP should be treated as malicious, and it is recommended to also scan for any other activity originating from it against any organizational asset, to identify other potential exploitation.
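The investigation flow above, written as a Python correlation over a constructed, already-normalized event list that merges a web server log with EDR file and process events. This is an added example, not one of Team Axon’s queries: the event field names, the 10-minute correlation window, the sample paths and the hash placeholder are all assumptions for the demonstration (the zoop.zip and maljsp.jsp paths follow the attack flow described earlier on this page).

```python
from datetime import datetime, timedelta
from posixpath import basename
from urllib.parse import urlsplit

# Constructed, already-normalized events ("web" = access log, "edr" = endpoint telemetry),
# in the order the investigation flow expects: UUE upload POST -> zip written -> web shell
# written -> request to the web shell -> child process. The hash is a labelled placeholder.
SAMPLE_EVENTS = [
    {"ts": "2023-01-17T10:01:02", "source": "web", "kind": "http", "src_ip": "203.0.113.10",
     "method": "POST", "url": "/OA_HTML/BneOfflineLOVService?bne:uueupload=TRUE"},
    {"ts": "2023-01-17T10:01:03", "source": "edr", "kind": "file_write", "process": "java",
     "path": "/u01/EBSapps/appl/bne/12.0.0/upload/zoop.zip"},
    {"ts": "2023-01-17T10:01:04", "source": "edr", "kind": "file_write", "process": "java",
     "path": "/u01/FMW_Home/Oracle_EBS-app1/applications/forms/forms/maljsp.jsp"},
    {"ts": "2023-01-17T10:02:30", "source": "web", "kind": "http", "src_ip": "203.0.113.10",
     "method": "GET", "url": "/forms/maljsp.jsp?cmd="},
    {"ts": "2023-01-17T10:02:31", "source": "edr", "kind": "process", "parent": "java",
     "image": "/bin/sh", "sha256": "PLACEHOLDER-HASH-NOT-A-REAL-IOC"},
    {"ts": "2023-01-17T10:40:00", "source": "web", "kind": "http", "src_ip": "198.51.100.7",
     "method": "GET", "url": "/OA_HTML/AppsLogin"},
]

WINDOW = timedelta(minutes=10)   # assumed: how long after the upload POST we keep correlating


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def is_uue_upload(ev):
    return ev["kind"] == "http" and ev["method"] == "POST" and "bne:uueupload=TRUE" in ev["url"]


def is_zip_write(ev):
    return ev["kind"] == "file_write" and ev["path"].lower().endswith(".zip")


def is_webshell_write(ev):
    return ev["kind"] == "file_write" and ev["path"].lower().endswith((".jsp", ".pl"))


def requests_file(ev, written_path):
    """True if an HTTP event targets a file with the same name as the web shell that was written."""
    return ev["kind"] == "http" and basename(urlsplit(ev["url"]).path) == basename(written_path)


def correlate(events, window=WINDOW):
    """Start a chain at every UUE-upload POST and fill in the later stages found within the window."""
    events = sorted(events, key=_ts)
    chains = []
    for i, start in enumerate(events):
        if not is_uue_upload(start):
            continue
        chain = {"upload": start, "zip": None, "webshell": None, "shell_request": None,
                 "child_process": None, "pivot_ips": {start["src_ip"]}}
        for ev in events[i + 1:]:
            if _ts(ev) - _ts(start) > window:
                break
            if chain["zip"] is None and is_zip_write(ev):
                chain["zip"] = ev
            elif chain["zip"] and chain["webshell"] is None and is_webshell_write(ev):
                chain["webshell"] = ev
            elif (chain["webshell"] and chain["shell_request"] is None
                  and requests_file(ev, chain["webshell"]["path"])):
                chain["shell_request"] = ev
                chain["pivot_ips"].add(ev["src_ip"])      # every IP touching the shell becomes a pivot
            elif chain["shell_request"] and chain["child_process"] is None and ev["kind"] == "process":
                chain["child_process"] = ev                # hash and network activity of this one go to triage
        chain["stages_seen"] = sum(1 for s in ("zip", "webshell", "shell_request", "child_process") if chain[s])
        chain["verdict"] = "likely compromise" if chain["stages_seen"] >= 2 else "upload attempt"
        chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(chain["verdict"], chain["stages_seen"], sorted(chain["pivot_ips"]))
```

The verdict threshold is deliberately low: a zip write followed by a .jsp or .pl write inside the window already matches the first two bullets of the flow, and the pivot IP set is what feeds the last bullet (sweeping the rest of the estate for the same sources).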
Threat hunting queries
The following links include threat hunting queries to hunt for exploitation of the Oracle EBS vulnerability.
These queries are among those used by Team Axon as part of the threat hunting campaign (with timeframe adjustments).
- Hunting Query #1 - HTTP Requests toward known vulnerable paths
- Hunting Query #2 & #2.1 - Identification of potential “.jsp” web shells related to exploitation of Oracle EBS
- Hunting Query #3 & #3.1 - Identification of potential “.jsp” web shells related to exploitation of Oracle EBS - jsp files written to disk
- Hunting Query #4 - Identification of Malicious EBS .perl scripts (based on script content)
- Hunting Query #5 - Identification of txkFNDWRR[.]pl File events
- Hunting Query #6 - HTTP Requests with UUE Upload Path