[ERPSCAN-12-039] Oracle JVM gopher protocol – SSRF
Application: Oracle JVM
Versions Affected: Oracle JVM
Vendor URL: http://www.oracle.com
Bugs: Security Bypass, SSRF
Vendor response: 18.07.2012
Date of Public Advisory: 23.10.2012
Reference: Oracle CPU October 2012
Authors: Alexander Polyakov (ERPScan)
The Oracle JVM's gopher protocol support is vulnerable to XXE tunneling and SSRF attacks.
The Oracle JVM supports the gopher protocol in the net.dll library.
This protocol can be used to send an arbitrary application-level packet to any system.
It can be exploited in multiple ways.
If there are two systems, one protected by a firewall (system B) and one that is not (system A), but system A can make connections to system B, attackers can use vulnerabilities in system A to send packets to system B.
For example, if system A has an XML interface with an XXE vulnerability, it is possible to send packets to system B using XXE.
Attackers can send arbitrary packets to any port of any system, including localhost, bypassing the firewall.
The attack is executed using the gopher scheme. It is even possible, for example, to send exploit packets to the Oracle listener if it listens on localhost.
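As an added defensive example (not part of this advisory or Oracle's code), the following Java snippet shows how an application's XML parser can be configured so that a document carrying an external entity with a gopher:// system identifier is rejected before the JVM ever opens a connection; the sample document, host and port are constructed for illustration.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class XxeHardening {

    // Constructed sample: an external entity whose system identifier uses the
    // gopher scheme. A permissive parser would let the JVM open a raw TCP
    // connection to the named host/port while resolving &probe;.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY probe SYSTEM \"gopher://127.0.0.1:9/_probe\"> ]>\n"
      + "<doc>&probe;</doc>";

    // Parser factory with DTD processing disabled. Refusing the DOCTYPE up
    // front means no external entity (gopher, http, file, ...) is ever fetched.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Returns true when the hardened parser rejects the document at the DOCTYPE,
    // i.e. before any entity resolution or network access can take place.
    static boolean rejectsExternalEntities(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false; // parsed: the entity may have been resolved
        } catch (org.xml.sax.SAXParseException e) {
            return true;  // DOCTYPE refused, no connection attempted
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("rejected: " + rejectsExternalEntities(SAMPLE_XML));
    }
}
```

The same feature flags apply to SAXParserFactory and XMLInputFactory-based code paths; any parser that still accepts a DOCTYPE on untrusted input remains a tunnel for the gopher handler described above.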