[ERPSCAN-17-042] Anonymous log injection in FSCM

Application: Oracle PeopleSoft
Versions Affected: PeopleSoft FSCM 9.2
Vendor: Oracle
Bug: Anonymous log injection
Reported: 16.03.2017
Vendor response: 17.03.2017
Date of Public Advisory: 18.07.2017
Reference: Oracle CPU July 2017
Authors: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Log injection
Risk: High
Impact: Fraud log events, hiding actions on the system
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10148

CVSS Information

CVSS Base Score v3: 5.8 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C: Impact to Confidentiality None (N)
I: Impact to Integrity Low (L)
A: Impact to AvailabilityNone (N)

VULNERABILITY DESCRIPTION

An attacker can use a special T3 request to inject special data to log files.

VULNERABLE PACKAGES

PeopleSoft FSCM 9.2

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, implement Oracle CPU July 2017.

TECHNICAL DESCRIPTION

Proof of Concept