Summary
An attacker can obtain the JNDI connection name through servlets that leak this information. Due to the weak hardcoded cryptography used by Oracle Opera, it is possible for an attacker to craft encrypted payloads. After the JNDI connection name and encryption elements have been obtained by an attacker, it is possible to exploit an order of operations bug inside the FileReceiver
servlet. This allows attackers to upload arbitrary files to the system, leading to remote command execution. All of the steps required to achieve this can be completed without authentication.
Impact
An attacker can upload a web shell to the Oracle Opera system and execute arbitrary commands. After gaining RCE, it may be possible to laterally escalate privileges on the network.
Affected Software
The following versions are affected by this vulnerability:
- Oracle Hospitality OPERA 5 Property Services 5.6 and below
Product Description
Oracle Hospitality OPERA 5 Sales and Catering is a full-featured customer- and event-management application that seamlessly integrates with OPERA 5 Property Management to simply and efficiently manage hotel events and operations.
Solution
Upgrade to the latest version of Opera. > 5.6.
Oracle’s official advisory can be found here.
Blog Post
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Credits
This research was done by Shubham Shah, Sean Yeoh, Brendan Scarvell and Jason Haddix.