Oracle Access Manager Pre-Auth RCE (CVE-2021-35587 Analysis)

  • First part: calls requestHandler.process() to parse and validate the incoming XML data
  • Second part: calls PBLFlowManager.delegateToMasterController() to handle the logic of the current request
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="vers123" svcid="session" reqid="req_1">
  <Request dtdid="dtd1" sid="sid1">Data</Request>
</RequestSet>
  • NamingService with svcid: com.iplanet.am.naming
  • AuthXMLHandler with svcid: auth
  • SessionRequestHandler with svcid: session
  • PolicyXMLHandler with svcid: policy
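
For triage of captured request bodies, the RequestSet envelope and the svcid list above can be turned into a small parser that reports which handler a body names. This is an added example, not code from the original article or from Oracle; the function name, the result fields and the DTD rejection rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# svcid -> handler name, exactly as paired in the list above
HANDLERS = {
    "com.iplanet.am.naming": "NamingService",
    "auth": "AuthXMLHandler",
    "session": "SessionRequestHandler",
    "policy": "PolicyXMLHandler",
}

# The article's sample envelope, with straight quotes
SAMPLE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<RequestSet vers="vers123" svcid="session" reqid="req_1">'
    '<Request dtdid="dtd1" sid="sid1">Data</Request></RequestSet>'
)


def triage_request_set(body: str) -> dict:
    """Parse a RequestSet envelope and report the handler its svcid names."""
    # The envelope needs no DTD or entities, so refuse them before parsing
    # (assumed hardening rule for the triage tool itself).
    upper = body.upper()
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        return {"ok": False, "reason": "dtd-or-entity"}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"ok": False, "reason": "malformed-xml"}
    if root.tag != "RequestSet":
        return {"ok": False, "reason": "unexpected-root"}
    svcid = root.get("svcid")
    return {
        "ok": True,
        "svcid": svcid,
        "handler": HANDLERS.get(svcid),  # None: svcid is not in the list above
        "reqid": root.get("reqid"),
        "vers": root.get("vers"),
        # Record only metadata and payload size for each inner Request
        "requests": [
            {"dtdid": r.get("dtdid"), "sid": r.get("sid"), "len": len(r.text or "")}
            for r in root.findall("Request")
        ],
    }


if __name__ == "__main__":
    print(triage_request_set(SAMPLE))
```

A body copied with typographic quotes, as web pages often render them, fails to parse and comes back as `malformed-xml`.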
