CVE-2018-2879 PoC — Oracle Fusion Middleware Access Manager Component Security Vulnerability

Source
Associated Vulnerability
Title: Oracle Fusion Middleware Access Manager Component Security Vulnerability (CVE-2018-2879)
Description: Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID <a href="http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2386496.1">My Oracle Support Note 2386496.1</a> for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
Description
Exploit for Oracle Access Manager padding oracle vulnerability (CVE-2018-2879)
Readme
# Oracle Access Manager (OAM) Authentication Bypass Exploit

### Introduction
This tool exploits the Oracle Access Manager (OAM) padding oracle vulnerability (CVE-2018-2879) to perform an authentication bypass and log in to any web app protected by OAM using a valid username.
<br /><br />The exploit is based on the OAM padding oracle vulnerability discovered by SEC Consult and was tested on OAM v12.2.1.3.0.

```
https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/
```
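From the defender's side, a padding oracle attack has to submit a large number of modified ciphertexts, so one client sending many distinct `encquery` values in a short window stands out in access logs. The sketch below is an added example, not part of the original README or the exploit; the log layout, request path, window and threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Assumption: combined-format access log with encquery in the query string.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<url>\S+) ')
WINDOW = timedelta(seconds=60)  # assumed tuning values, adjust to real traffic
THRESHOLD = 50

def parse(line):
    """Return (ip, timestamp, encquery) or None if the line is not relevant."""
    m = LINE_RE.match(line)
    if not m:
        return None
    values = parse_qs(urlsplit(m["url"]).query).get("encquery")
    if not values:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), values[0]

def flag_clients(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each offending IP to its peak count of distinct encquery values per window."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[rec[0]].append(rec[1:])
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = best = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            # Quadratic in the worst case; fine for an offline log review.
            best = max(best, len({value for _, value in evs[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged

def sample_log():
    """Constructed sample: one noisy client and one ordinary user (path is assumed)."""
    fmt, base = "%d/%b/%Y:%H:%M:%S %z", datetime(2018, 5, 20, 10, 0, tzinfo=timezone.utc)
    row = '{} - - [{}] "GET /oam/server/obrareq.cgi?encquery=SAMPLE{:04d} HTTP/1.1" 200 512'
    noisy = [row.format("198.51.100.7", (base + timedelta(seconds=i // 3)).strftime(fmt), i)
             for i in range(120)]
    normal = [row.format("192.0.2.10", (base + timedelta(minutes=20 * i)).strftime(fmt), i)
              for i in range(3)]
    return noisy + normal + ["malformed line"]

if __name__ == "__main__":
    print(flag_clients(sample_log()))
```

Clients behind a shared proxy or NAT can cross the threshold legitimately, so treat a hit as a lead to correlate with authentication events rather than a verdict.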

### Dependencies

```
pip install urllib3 paddingoracle requests
```
### Syntax
```
# python oam-auth-bypass.py -h
                                                                                                                                                                                                                                                                                 
 $$$$$$\   $$$$$$\  $$\      $$\        $$$$$$\              $$\     $$\                 $$$$$$$\
$$  __$$\ $$  __$$\ $$$\    $$$ |      $$  __$$\             $$ |    $$ |                $$  __$$\
$$ /  $$ |$$ /  $$ |$$$$\  $$$$ |      $$ /  $$ |$$\   $$\ $$$$$$\   $$$$$$$\            $$ |  $$ |$$\   $$\  $$$$$$\   $$$$$$\   $$$$$$$\  $$$$$$$\
$$ |  $$ |$$$$$$$$ |$$\$$\$$ $$ |      $$$$$$$$ |$$ |  $$ |\_$$  _|  $$  __$$\           $$$$$$$\ |$$ |  $$ |$$  __$$\  \____$$\ $$  _____|$$  _____|
$$ |  $$ |$$  __$$ |$$ \$$$  $$ |      $$  __$$ |$$ |  $$ |  $$ |    $$ |  $$ |          $$  __$$\ $$ |  $$ |$$ /  $$ | $$$$$$$ |\$$$$$$\  \$$$$$$\
$$ |  $$ |$$ |  $$ |$$ |\$  /$$ |      $$ |  $$ |$$ |  $$ |  $$ |$$\ $$ |  $$ |          $$ |  $$ |$$ |  $$ |$$ |  $$ |$$  __$$ | \____$$\  \____$$\
 $$$$$$  |$$ |  $$ |$$ | \_/ $$ |      $$ |  $$ |\$$$$$$  |  \$$$$  |$$ |  $$ |$$\       $$$$$$$  |\$$$$$$$ |$$$$$$$  |\$$$$$$$ |$$$$$$$  |$$$$$$$  |
 \______/ \__|  \__|\__|     \__|      \__|  \__| \______/    \____/ \__|  \__|\__|      \_______/  \____$$ |$$  ____/  \_______|\_______/ \_______/
                                                                                                   $$\   $$ |$$ |
                                                                                                   \$$$$$$  |$$ |
                                                                                                    \______/ \__|


                                                                                                OAM Authentication Bypass Exploit
                                                                                                            Developed by: Ayman ElSherif


usage: oam-auth-bypass.py [-h] [-a <agentid>] [-p <prefix>] [-e <Clear-text>]
                          [-d <Cipher-text>] [-i <username>] [-z <authid>]
                          [-c <cookie>] [-v]
                          url

positional arguments:
  url                   URL of a resource protected by OAM (Oracle WebGate)

optional arguments:
  -h, --help            show this help message and exit
  -a <agentid>, --agentid <agentid>
                        Agent ID for Oracle Web Gateway to use
  -p <prefix>, --prefix <prefix>
                        Prefix: a valid base64 encoded encquery value with
                        last block starts with a space character
  -e <Clear-text>, --encrypt <Clear-text>
                        Clear-text value to encrypt
  -d <Cipher-text>, --decrypt <Cipher-text>
                        Cipher-text value to decrypt
  -i <username>, --impersonate <username>
                        Username to create a login cookie for
  -z <authid>, --authid <authid>
                        Authorization ID
  -c <cookie>, --cookie <cookie>
                        A valid OAM authentication cookie
  -v, --verbose         Verbose output



```

### Decrypting OAMAuthnCookie cookie
![Alt text](example/01-decrypt.png?raw=true)
<br />
### Generating OAMAuthnCookie for admin user
![Alt text](example/02-impersonate.png?raw=true)
<br />
### Encrypting new OAMAuthnCookie cookie
![Alt text](example/03-encrypt.png?raw=true)
<br />
File Snapshot

```
[4.0K] /data/pocs/a3186d2a42720dab169652cb56df022a54334255
├── [1.9K] banner
├── [4.0K] example
│   ├── [147K] 01-decrypt.png
│   ├── [ 39K] 02-impersonate.png
│   ├── [104K] 03-encrypt.png
│   └── [ 91K] exploit.png
├── [4.0K] lib
│   ├── [ 12K] auth_bypass.py
│   ├── [ 606] constants.py
│   ├── [   0] __init__.py
│   ├── [2.3K] pad_buster.py
│   └── [1010] util.py
├── [4.1K] oam-auth-bypass.py
└── [3.9K] README.md

2 directories, 12 files
```