Very nice findings, good job!

On Mon, Dec 14, 2009 at 4:03 PM, Ofer Maor <ofer.m...@owasp.org> wrote:
> Hacktics Research Group Security Advisory
> http://www.hacktics.com/#details=;view=Resources%7CAdvisory
> By Shay Chen, Hacktics.
> 14-Dec-2009
>
> ===========
> I. Overview
> ===========
> During a penetration test performed by Hacktics' experts, certain
> vulnerabilities were identified in the Oracle eBusiness Suite deployment.
> Further research has identified several vulnerabilities which, combined, can
> allow an unauthenticated remote user to take over and gain full control over
> the administrative web user account of the Oracle eBusiness Suite.
>
> A friendly formatted version of this advisory, including a video
> demonstrating step-by-step execution of the exploit, is available in:
> http://www.hacktics.com/content/advisories/AdvORA20091214.html
>
> ===============
> II. The Finding
> ===============
> Three separate issues have been identified:
>
> 1. Unauthenticated Guest Access
> -------------------------------
> It is possible for unauthenticated users to access certain pages with guest
> privileges (according to Oracle's security representative - this is a
> standard functionality of this component). While some pages may not be
> directly accessible as a guest in this manner, this can be bypassed by
> taking advantage of the session management behavior in the application.
>
> 2. Authorization Bypass
> -----------------------
> Malicious users can access and manage content of other users, relying on the
> lack of access control in the page management interface. Attackers can use
> parameter tampering techniques to directly access the resource identifiers
> of pages owned by other users, and delete or modify their content.
>
> 3. Persistent Cross Site Scripting
> ----------------------------------
> Certain web interfaces in the user's menu management interface enable
> attackers to inject malicious scripts into user-specific content, causing
> the scripts to be executed in the browser of any user viewing the infected
> content (Persistent Cross Site Scripting).
>
> By combining all three vulnerabilities, an unauthenticated attacker can
> initially gain guest access, leverage it to access pages belonging to the
> administrative user, and inject malicious JavaScript into their content, in
> order to steal session identifiers, which allow taking over the
> administrative user account.
>
> ============
> III. Details
> ============
> 1. Unauthenticated Guest Access
> -------------------------------
> By accessing certain internal pages directly, attackers can cause the
> application to grant them guest access and load certain objects into the
> user's server side session. At this point, the attacker is able to access
> other internal components in the application as the guest user, including
> management services, configuration interfaces and information disclosing
> components, etc.
>
> Unauthenticated attackers can bypass the login phase by directly accessing
> certain internal URLs such as (partial list):
> http://host:port/OA_HTML/OA.jsp
> http://host:port/OA_HTML/RF.jsp
>
> When accessing one of these URLs, the system generates an exception and an
> error is presented to the client. However, as part of the process, the JSP
> code populates the session object of the user with guest privileges. The
> attacker can then access other pages in the system which allow guest
> operations, such as:
> http://host:port/OA_HTML/AppsChangePassword.jsp
> http://host:port/pls/[DADName]/OracleMyPage.home
> http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>
> 2. Authorization Bypass
> -----------------------
> Various page management URLs in the Oracle eBusiness Suite rely on the
> parameter named [p_page_id] to determine which page to manage. An attacker
> can easily access the page of another user, by simply altering that
> parameter value to a value representing the other user's page. No
> authorization checks are performed to verify the authenticity of the user
> attempting the access.
>
> The following proof-of-concept samples are provided (the [p_page_id] has to
> be associated with a page of a valid user):
>
> http://host:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
>
> http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
>
> http://host:8888/pls/TEST/oracleconfigure.customize?p_page_id=1
>
> 3. Persistent Cross Site Scripting
> ----------------------------------
> Various interfaces under the personal page management interface are
> vulnerable to Persistent Cross Site Scripting:
> http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>
> http://host:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
>
> An attacker can inject malicious scripts into the various properties of a
> new or existing page object (via submitted forms).
>
> http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
>
> http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=CREATE
>
> The injected script will be executed when the user accesses the main URL:
> http://host:port/pls/[DADName]/OracleMyPage.home
>
> It is important to note that our testing has indicated that different
> versions have different mitigation levels of this vulnerability, requiring,
> in some situations, utilizing XSS evasion techniques to overcome certain
> input validation and sanitation mechanisms:
>
> * For earlier versions, injecting a simple <SCRIPT> suffices:
> <SCRIPT>alert('XSS')<SCRIPT>
>
> * Some versions limit the permitted characters, and thus require the tester
> to insert JavaScript without utilizing tags, by injecting a script into the
> text box as follows:
> ");alert('XSS');//
>
> * Later versions appear to also enforce server-side length restrictions on
> the vulnerable parameters. As a result, multiple separate injections are
> required to achieve script execution, such as:
> ");/*
> */alert/*
> */(/*
> */'XSS'/*
> */);//
>
> ===========
> IV. Exploit
> ===========
> The exploit is performed by combining the three vulnerabilities, as
> described in the following scenario:
>
> A. Initially, an attacker gains guest access to the system, by first
> accessing:
> http://host:port/OA_HTML/OA.jsp
>
> While an error is generated at this step, the attacker can proceed now to
> the "My Homepage" page, which will now allow guest access:
> http://host:port/pls/[DADName]/OracleMyPage.home
>
> B. The attacker now goes to edit his personal homepage, by accessing the
> "Edit Page List" URL:
> http://host:port/pls/[DADName]/icx_define_pages.editpagelist
>
> The attacker then selects his homepage, and clicks Rename (opening the
> following URL):
>
> http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
>
> C. The attacker now changes the [p_page_id] to the [p_page_id] of the
> victim's page (as this is an incremental ID, simple trial and error could be
> used until the administrator's user page is identified).
>
> D. The attacker then uses the Rename Form to change the name of the page
> from its original name to an embedded script:
>
> ");alert('XSS');//
>
> This script can now be replaced with the relevant payload, for instance, a
> script that steals the session ID and sends it to the attacker.
>
> ===================
> V. Affected Systems
> ===================
> This vulnerability was tested and identified in Oracle eBusiness Suite
> versions 10 and 11.
>
> ==============================
> VI. Vendor's Response/Solution
> ==============================
> Oracle's security alerts group has been notified of this vulnerability in
> early November.
> According to Oracle, the first issue is not a vulnerability - guest access
> is permitted by design. The other two have been acknowledged by Oracle, and
> have been fixed in the Jan-2009 CPU:
>
> http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
>
> It is important to note that the default fix for this vulnerability is a
> script removing this interface (which is now replaced with a new OA
> Framework). Customers unwilling or unable to switch to the new interface
> should apply patch 7567354 which, according to Oracle, fixes these
> vulnerabilities on the obsolete packages (Hacktics has not performed tests
> to verify this patch).
>
> ===========
> VII. Credit
> ===========
> These vulnerabilities were discovered by:
> Shay Chen, Technical Leader, Security Services, Hacktics.
> Additional Contribution:
> Gil Cohen, Application Security Consultant, Hacktics.
> Oren Hafif, Application Security Consultant, Hacktics.
>
> ---
> Ofer Maor
> CTO, Hacktics
> Chairman, OWASP Israel
>
> Web: www.hacktics.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
Best wishes,
Freddie Vicious
http://twitter.com/viciousf
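As an added defender-side example (not part of the advisory or of Hacktics' material), the following Python script scans web-server access log lines for the three behaviours the advisory describes: an error-producing hit on OA.jsp/RF.jsp followed by OracleMyPage.home from the same client, p_page_id enumeration against the page management URLs, and the XSS marker patterns from section III.3 in submitted parameters. The log lines are constructed, the DAD name TEST is taken from the advisory's sample URL, and the form field name p_name is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), modelled on the
# request sequence the advisory describes; p_name is an assumed form field name.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2009:16:03:01 +0200] "GET /OA_HTML/OA.jsp HTTP/1.1" 500 812
10.0.0.5 - - [14/Dec/2009:16:03:07 +0200] "GET /pls/TEST/OracleMyPage.home HTTP/1.1" 200 5120
10.0.0.5 - - [14/Dec/2009:16:03:20 +0200] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=1 HTTP/1.1" 200 2201
10.0.0.5 - - [14/Dec/2009:16:03:22 +0200] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=2 HTTP/1.1" 200 2201
10.0.0.5 - - [14/Dec/2009:16:03:24 +0200] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=3 HTTP/1.1" 200 2201
10.0.0.5 - - [14/Dec/2009:16:03:40 +0200] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=3&p_name=%22%29%3Balert%28%27XSS%27%29%3B%2F%2F HTTP/1.1" 200 120
10.0.0.9 - - [14/Dec/2009:16:05:00 +0200] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=7 HTTP/1.1" 200 2201
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
GUEST_ENTRY = ("/OA_HTML/OA.jsp", "/OA_HTML/RF.jsp")  # section III.1 entry points
PAGE_MGMT = ("icx_define_pages.DispPageDialog", "oracleconfigure.customize")
# Markers of the three payload variants listed in section III.3 (tag, quote-break, comment-split)
XSS_RE = re.compile(r'<script|"\);|\*/|alert\s*\(', re.IGNORECASE)

def analyse(log_text, enum_threshold=3):
    """Return {client_ip: sorted finding tags} for the advisory's three issues."""
    saw_guest_entry, page_ids, findings = set(), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip lines that are not in the expected format
        ip, _method, target, _status = m.groups()
        url = urlsplit(target)
        params = parse_qs(url.query)          # percent-decodes parameter values
        if url.path in GUEST_ENTRY:
            saw_guest_entry.add(ip)           # error page that still seeds a guest session
        elif url.path.endswith("OracleMyPage.home") and ip in saw_guest_entry:
            findings[ip].add("guest-session-bypass")
        if any(url.path.endswith(p) for p in PAGE_MGMT):
            for pid in params.get("p_page_id", []):
                page_ids[ip].add(pid)         # distinct page ids touched by this client
            if len(page_ids[ip]) >= enum_threshold:
                findings[ip].add("p_page_id-enumeration")
        for values in params.values():
            if any(XSS_RE.search(v) for v in values):
                findings[ip].add("xss-marker-in-parameter")
    return {ip: sorted(tags) for ip, tags in findings.items()}

if __name__ == "__main__":
    for ip, tags in analyse(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```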