JOLTandBLEED Details and PoC
On November 15, 2017, Oracle published urgent critical updates related to JOLTandBLEED vulnerability (CVE 2017-10269). Today we released its proof of concept. As you remember, this vulnerability allows an attacker to gain full access to all data stored in the following ERP systems:
- Oracle PeopleSoft Campus Solutions
- Oracle PeopleSoft Human Capital Management
- Oracle PeopleSoft Financial Management
- Oracle PeopleSoft Supply Chain Management, etc.
The root of the problem is how Jolt server handler (JSH) manages a packet with opcode 0x32. When using this flaw, the attacker can get access to an internal memory of Tuxedo middleware.
There is a jolt server handler (JSH) function called jsh_msgrcv that deals with messages processing inside the service. There, we can find two block codes with generating responses to a client’s invalid query.
The code that you see above is intended to do the following: by the error code, the “__gp_gets” function gets its text description. The “userlog” function records this message in the server log (TUXLOG). Then the “htoji” function packs the size of the generated message in a special way. A programmer supposed that the size of the message would be 0x40 (64) and 0x9c (156) bytes accordingly. However, it was “htoji” that packed data in a “big-endian” format, not in “ittleendian”, as a developer suggested. As a result, the parameters were 0x40000000 and 0x9c000000, that is 1073741824 and 2617245696 in the decimal notation. Further, these parameters are used as a size of transmitting data with “send” function, that consequently leads to the fact that we can read the internal memory of the application via network.
As you probably noted, there are two packages with 0x32 and 0x64 opcodes, and this issue occurs with their processing.
Please do not test this PoC on your production servers. Have a nice day.