Application Security Resources

Sub Text of Application Security Resources

Multiple Vulnerabilities Allow Remote Takeover of Oracle eBusiness Suite Administrative Interface

December 8, 2009

Tiny Url for this post: http://tinyurl.com/om28522

Hacktics Research
By Shay Chen December 14th, 2009
BID: 37305

Overview

During a penetration test performed by Hacktics’ experts, certain vulnerabilities were identified in the Oracle eBusiness Suite deployment. Further research has identified several vulnerabilities which, combined, can allow an unauthenticated remote user to take over and gain full control over the administrative web user account of the Oracle eBusiness Suite.

Following is a video demonstrating a full step-by-step reproduction of this attack:

The Finding

Three separate issues have been identified:

1. Unauthenticated Guest Access

It is possible for unauthenticated users to access certain pages with guest privileges (according to Oracle’s security representative this is a standard functionality of this component). While some pages may not be directly accessible as a guest in this manner, this can be bypassed by taking advantage of the session management behavior in the application.

2. Authorization Bypass

Malicious users can access and manage content of other users, relying on the lack of access control in the page management interface. Attackers can use parameter tampering techniques to directly access the resource identifiers of pages owned by other users, and delete or modify their content.

3. Persistent Cross Site Scripting

Certain web interfaces in the user’s menu management interface enable attackers to inject malicious scripts into user-specific content, causing the scripts to be executed in the browser of any user viewing the infected content (Persistent Cross Site Scripting).

By combining all three vulnerabilities, an unauthenticated attacker can initially gain guest access, leverage it to access pages belonging to the administrative user, and inject malicious Java-script into their content, in order to steal session identifiers, which allow taking over the administrative user account.

Details

1. Unauthenticated Guest Access

By accessing certain internal pages directly, attackers can cause the application to grant them guest access and load certain objects into the user’s server side session. At this point, the attacker is able to access other internal components in the application as the guest user, including management services, configuration interfaces and information disclosing components, etc.

Unauthenticated attackers can bypass the login phase by directly accessing certain internal URLs such as (partial list):
http://host:port/OA_HTML/OA.jsp
http://host:port/OA_HTML/RF.jsp

When accessing one of these URLs, the system generates an exception and an error is presented to the client. However, as part of the process, the JSP code populates the session object of the user with guest privileges. The attacker can then access other pages in the systems which allow guest operations, such as:

http://host:port/OA_HTML/AppsChangePassword.jsp
http://host:port/pls/[DADName]/OracleMyPage.home
http://host:port/pls/[DADName]/icx_define_pages.editpagelist

2. Authorization Bypass

Various page management URLs in the Oracle eBusiness Suite rely on the parameter named p_page_id to determine which page to manage. An attacker can easily access the page of another user, by simply altering that parameter value to a value representing the other’s user page. No authorization checks are performed to verify the authenticity of the user attempting the access.

The following proof-of-concept samples are provided (the p_page_id has to be associated with a page of a valid user):
http://host:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
http://host:8888/pls/TEST/oracleconfigure.customize?p_page_id=1

3. Persistent Cross Site Scripting

Various interfaces under the personal page management interface are vulnerable to Persistent Cross Site Scripting:
http://host:port/pls/[DADName]/icx_define_pages.editpagelist
http://host:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]

An attacker can inject malicious scripts into the various properties of a new or existing page object (via submitted forms).
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=CREATE

The injected script will be executed when the user accesses the main URL: http://host:port/pls/[DADName]/OracleMyPage.home
It is important to note that our testing has indicated that different versions have different mitigation levels of this vulnerability, requiring, in some situations, utilizing XSS evasion techniques to overcome certain input validation and sanitation mechanisms:

For earlier versions, injecting a simple

Some versions limit the permitted characters, and thus require the tester to inset Java-script without utilizing tags, by injecting a script into the text box as follows:
“);alert(‘XSS’);//

Later versions appear to also enforce server-side length restrictions on the vulnerable parameters. As a result, multiple separate injections are required to achieve script execution, such as:
“);/*
*/alert/*
*/(/*
*/’XSS’/*
*/);//

Exploit

The exploit is performed by combining the three vulnerabilities, as described in the following scenario:

Initially, an attacker gains guest access to the system, by first accessing: http://host:port/OA_HTML/OA.jsp

While an error is generated at this step, the attacker can proceed now to the “My Homepage” page, which will now allow guest access: http://host:port/pls/[DADName]/OracleMyPage.home

The attacker now goes to edit his personal homepage, by accessing the “Edit Page List” URL: http://host:port/pls/[DADName]/icx_define_pages.editpagelist

The attacker then selects his homepage, and clicks Rename (opening the following URL): http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]

The attacker now changes the page_id to the page_id of the victim’s page (as this is an incremental ID, simple trial and error could be used until the administrator’s user page is identified).

The attacker then uses the Rename Form to change the name of the page from its original name to an embedded script: “);alert(‘XSS’);//

This script can now be replaced with the relevant payload, for instance, a script that steals the session ID and sends it to the attacker.

When the victim logs in to the portal, the script will execute:

Affected Systems

This vulnerability was tested and identified in Oracle eBusiness Suite versions 10 and 11.

Vendor’s Response/Solution

Oracle’s security alerts group has been notified of this vulnerability in early November.

According to Oracle, the first issue is not a vulnerability, guest access is permitted by design. The other two have been acknowledged by Oracle, and have been fixed in the Jan-2009 CPU:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

It is important to note that the default fix for this vulnerability is a script removing this interface (which is now replaced with a new OA Framework). Customers unwilling or unable to switch to the new interface, should apply patch 7567354 which, according to Oracle, fixes these vulnerabilities on the obsolete packages (Hacktics has not performed tests to verify this patch).

Credit

These vulnerabilities were discovered by:
Shay Chen, Technical Leader, Security Services, Hacktics.

Additional Contribution:
Gil Cohen, Application Security Consultant, Hacktics.
Oren Hafif, Application Security Consultant, Hacktics

Copyright Hacktics 2009 All right reserved

This post is also available in: Anglais

Learn more about Seeker

More Avis de sécurité