[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e2e992820912140620l37f6e1b2v618cc60eeb1ee79d@mail.gmail.com>
Date: Mon, 14 Dec 2009 16:20:01 +0200
From: Freddie Vicious <fred.vicious@...il.com>
To: Ofer Maor <ofer.maor@...sp.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Hacktics Advisory Dec09: Oracle eBusiness
Suite - Multiple Vulnerabilities Allow Remote Takeover
Very nice findings, good job!
On Mon, Dec 14, 2009 at 4:03 PM, Ofer Maor <ofer.maor@...sp.org> wrote:
> Hacktics Research Group Security Advisory
> http://www.hacktics.com/#details=;view=Resources%7CAdvisory
> By Shay Chen, Hacktics.
> 14-Dec-2009
>
> ===========
> I. Overview
> ===========
> During a penetration test performed by Hacktics' experts, certain
> vulnerabilities were identified in the Oracle eBusiness Suite deployment.
> Further research has identified several vulnerabilities which, combined,
> can
> allow an unauthenticated remote user to take over and gain full control
> over
> the administrative web user account of the Oracle eBusiness Suite.
>
> A friendly formatted version of this advisory, including a video
> demonstrating step-by-step execution of the exploit, is available in:
> http://www.hacktics.com/content/advisories/AdvORA20091214.html
>
> ===============
> II. The Finding
> ===============
> Three separate issues have been identified:
>
> 1. Unauthenticated Guest Access
> -------------------------------
> It is possible for unauthenticated users to access certain pages with guest
> privileges (according to Oracle's security representative - this is a
> standard functionality of this component). While some pages may not be
> directly accessible as a guest in this manner, this can be bypassed by
> taking advantage of the session management behavior in the application.
>
> 2. Authorization Bypass
> -----------------------
> Malicious users can access and manage content of other users, relying on
> the
> lack of access control in the page management interface. Attackers can use
> parameter tampering techniques to directly access the resource identifiers
> of pages owned by other users, and delete or modify their content.
>
> 3. Persistent Cross Site Scripting
> ----------------------------------
> Certain web interfaces in the user's menu management interface enable
> attackers to inject malicious scripts into user-specific content, causing
> the scripts to be executed in the browser of any user viewing the infected
> content (Persistent Cross Site Scripting).
>
> By combining all three vulnerabilities, an unauthenticated attacker can
> initially gain guest access, leverage it to access pages belonging to the
> administrative user, and inject malicious Java-script into their content,
> in
> order to steal session identifiers, which allow taking over the
> administrative user account.
>
> ============
> III. Details
> ============
> 1. Unauthenticated Guest Access
> --------------------------------
> By accessing certain internal pages directly, attackers can cause the
> application to grant them guest access and load certain objects into the
> user's server side session. At this point, the attacker is able to access
> other internal components in the application as the guest user, including
> management services, configuration interfaces and information disclosing
> components, etc.
>
> Unauthenticated attackers can bypass the login phase by directly accessing
> certain internal URLs such as (partial list):
> http://host:port/OA_HTML/OA.jsp
> http://host:port/OA_HTML/RF.jsp
>
> When accessing one of these URLs, the system generates an exception and an
> error is presented to the client. However, as part of the process, the JSP
> code populates the session object of the user with guest privileges. The
> attacker can then access other pages in the systems which allow guest
> operations, such as:
> http://host:port/OA_HTML/AppsChangePassword.jsp
> http://host:port/pls/[DADName]/OracleMyPage.home
> http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>
> 2. Authorization Bypass
> -----------------------
> Various page management URLs in the Oracle eBusiness Suite rely on the
> parameter named [p_page_id] to determine which page to manage. An attacker
> can easily access the page of another user, by simply altering that
> parameter value to a value representing the other's user page. No
> authorization checks are performed to verify the authenticity of the user
> attempting the access.
>
> The following proof-of-concept samples are provided (the [p_page_id] has to
> be associated with a page of a valid user):
>
> http://host:port
> /pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
>
> http://host:port
> /pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME
> &p_page_id=[page_id]
> http:// host:8888/pls/TEST/oracleconfigure.customize?p_page_id=1
>
> 3. Persistent Cross Site Scripting
> ----------------------------------
> Various interfaces under the personal page management interface are
> vulnerable to Persistent Cross Site Scripting:
> http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>
> http://host:port
> /pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
>
> An attacker can inject malicious scripts into the various properties of a
> new or existing page object (via submitted forms).
>
> http://host:port
> /pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME
> &p_page_id=[page_id]
>
> http://host:port
> /pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=CREATE
>
>
> The injected script will be executed when the user accesses the main URL:
> http://host:port/pls/[DADName]/OracleMyPage.home
>
> It is important to note that our testing has indicated that different
> versions have different mitigation levels of this vulnerability, requiring,
> in some situations, utilizing XSS evasion techniques to overcome certain
> input validation and sanitation mechanisms:
>
> * For earlier versions, injecting a simple <SCRIPT> suffices:
> <SCRIPT>alert('XSS')<SCRIPT>
>
> * Some versions limit the permitted characters, and thus require the tester
> to inset Java-script without utilizing tags, by injecting a script into the
> text box as follows:
> ");alert('XSS');//
>
> * Later versions appear to also enforce server-side length restrictions on
> the vulnerable parameters. As a result, multiple separate injections are
> required to achieve script execution, such as:
> ");/*
> */alert/*
> */(/*
> */'XSS'/*
> */);//
>
> ===========
> IV. Exploit
> ===========
> The exploit is performed by combining the three vulnerabilities, as
> described in the following scenario:
>
> A. Initially, an attacker gains guest access to the system, by first
> accessing:
> http://host:port/OA_HTML/OA.jsp
>
> While an error is generated at this step, the attacker can proceed now to
> the "My Homepage" page, which will now allow guest access:
> http://host:port/pls/[DADName]/OracleMyPage.home
>
> B. The attacker now goes to edit his personal homepage, by accessing the
> "Edit Page List" URL:
> http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>
> The attacker then selects his homepage, and clicks Rename (opening the
> following URL):
>
> http://host:port
> /pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME
> &p_page_id=[page_id]
>
> C. The attacker now changes the [p_page_id] to the [p_page_id] of the
> victim's page (as this is an incremental ID, simple trial and error could
> be
> used until the administrator's user page is identified).
>
> D. The attacker then uses the Rename Form to change the name of the page
> from its original name to an embedded script:
>
> ");alert('XSS');//
>
> This script can now be replaced with the relevant payload, for instance, a
> script that steals the session ID and sends it to the attacker.
>
> ===================
> V. Affected Systems
> ===================
> This vulnerability was tested and identified in Oracle eBusiness Suite
> versions 10 and 11.
>
> ==============================
> VI. Vendor's Response/Solution
> ==============================
> Oracle's security alerts group has been notified of this vulnerability in
> early November.
> According to Oracle, the first issue is not a vulnerability - guest access
> is permitted by design. The other two have been acknowledged by Oracle, and
> have been fixed in the Jan-2009 CPU:
>
>
> http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuj
> an2009.html<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuj%0Aan2009.html>
>
> It is important to note that the default fix for this vulnerability is a
> script removing this interface (which is now replaced with a new OA
> Framework). Customers unwilling or unable to switch to the new interface,
> should apply patch 7567354 which, according to Oracle, fixes these
> vulnerabilities on the obsolete packages (Hacktics has not performed tests
> to verify this patch).
>
> ===========
> VII. Credit
> ===========
> These vulnerabilities were discovered by:
> Shay Chen, Technical Leader, Security Services, Hacktics.
> Additional Contribution:
> Gil Cohen, Application Security Consultant, Hacktics.
> Oren Hafif, Application Security Consultant, Hacktics.
>
>
> ---
> Ofer Maor
> CTO, Hacktics
> Chairman, OWASP Israel
>
> Web: www.hacktics.com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
Best wishes,
Freddie Vicious
http://twitter.com/viciousf
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists