Document Title:
===============
Oracle Business Intelligence Mobile HD v11.x iOS - Persistent UI Vulnerability


References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=1361

Oracle Security ID: S0540289
Tracking ID: S0540289
Reporter ID: #1 2015Q1



Release Date:
=============
2015-05-06


Vulnerability Laboratory ID (VL-ID):
====================================
1361


Common Vulnerability Scoring System:
====================================
3.8


Product & Service Introduction:
===============================
Oracle Business Intelligence Mobile HD brings new capabilities that allows users to make the most of their analytics information and 
leverage their existing investment in BI. Oracle Business Intelligence Mobile for Apple iPad is a mobile analytics app that allows you 
to view, analyze and act on Oracle Business Intelligence 11g content. Using Oracle Business Intelligence Mobile, you can view, analyze 
and act on all your analyses, dashboards, scorecards, reports, alerts and notifications on the go.

Oracle Business Intelligence Mobile allows you to drill down reports, apply prompts to filter your data, view interactive formats on 
geo-spatial visualizations, view and interact with Dashboards, KPIs and Scorecards. You can save your analyses and Dashboards for offline 
viewing, and refresh them when online again; thus providing always-available access to the data you need. This app is compatible with 
Oracle Business Intelligence 11g, version 11.1.1.6.2BP1 and above.

(Copy of the Vendor Homepage: http://www.oracle.com/technetwork/middleware/bi-foundation/bi-mobile-hd-1983913.html )
(Copy of the APP Homepage: https://itunes.apple.com/us/app/oracle-business-intelligence/id534035015 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side validation web vulnerability in the official Oracle Business 
Intelligence Mobile HD v11.1.1.7.0.2420 iOS web-application.


Vulnerability Disclosure Timeline:
==================================
2014-10-27: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2014-11-01: Vendor Notification (Oracle Sec Alert Team - Acknowledgement Program)
2015-02-25: Vendor Response/Feedback (Oracle Sec Alert Team - Acknowledgement Program)
2015-04-15: Vendor Fix/Patch (Oracle Developer Team)
2015-05-01: Bug Bounty Reward (Oracle Sec Alert Team - CPU Bulletin Acknowledgement)
2015-05-06: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Oracle
Product: Business Intelligence Mobile HD 11.1.1.7.0.2420


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
The Vulnerability Laboratory Research Team discovered an application-side validation web vulnerability in the official Oracle Business 
Intelligence Mobile HD v11.1.1.7.0.2420 iOS web-application.

The vulnerability is located in the input field of the dasboard file export name value of the local save (lokal speichern) function.
After the injection of a system specific command to the input field of the dasboard name the attacker is able to use the email function.
By clicking the email button the script code gets wrong encoded even if the attachment function is activated for pdf only. The wrong 
encoded input of the lokal save in the mimeAttachmentHeaderName (mimeAttachmentHeader) allows a local attacker to inject persistent 
system specific codes to compromise the integrity of the oracle ib email function. 

In case of the scenario the issue get first correct encoded on input and the reverse encoded inside allows to manipulate the mail context.
Regular the function is in use to get the status notification mail with attached pdf or html file. For the tesings the pdf value was 
activated and without html.

The security risk of the filter bypass and application-side input validation web vulnerability is estimated as medium with a cvss (common 
vulnerability scoring system) count of 3.8. Exploitation of the persistent web vulnerability requires a low privilege web application user 
account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent 
external redirects, persistent load of malicous script codes or persistent web module context manipulation.

Vulnerable Module(s):
				[+] Lokal speichern - Local save

Vulnerable Parameter(s):
				[+] mimeAttachmentHeaderName (mimeAttachmentHeader)

Affected Service(s):
				[+] Email - Local Dasboard File


Proof of Concept (PoC):
=======================
The application-side vulnerability can be exploited by local privilege application user accounts with low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual reproduce of the vulnerability ...
1. Install the oracle business intelligence mobile hd ios app to your apple device (https://itunes.apple.com/us/app/oracle-business-intelligence/id534035015)
2. Register to your server service to get access to the client functions
2. Click the dashboard button to access
3. Now, we push top right in the navigation the local save (lokal speichern) button
4. Inject system specific payload with script code to the lokal save dashboard filename input field
5. Switch back to the app index and open the saved dashboard that as been saved locally with the payload (mimeAttachmentHeaderName)
6. Push in the top right navigation the email button
7. The mail client opens with the wrong encoded payload inside of the mail with the template of the dashboard
8. Successful reproduce of the security vulnerability!

PoC: Email - Local Dasboard File
<meta http-equiv="content-type" content="text/html; ">
<div>"><[PERSISTENT INJECTED SCRIPT CODE!]"></x></div><div><br><br></div><br>
<fieldset class="mimeAttachmentHeader"><legend class="mimeAttachmentHeaderName">"><"x">%20<[PERSISTENT INJECTED SCRIPT CODE!]>.html</legend></fieldset><br>


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction and filter validation of the local dashboard file save module.
Encode the input fields and parse the ouput next to reverse converting the context of the application through the mail function.
The issue is not located in the apple device configuration because of the validation of the mimeAttachmentHeaderName in connection with the email function is broken.


Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the oracle mobile application is estimated as medium. (CVSS 3.8)



Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - Evolution Security GmbH ™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt