[ERPSCAN-17-025] AUTH BYPASS For File Downloading – Oracle E-Business Suite

Application: Oracle E-Business Suite
Versions Affected: Oracle E-Business Suite 12.2.3
Vendor: Oracle
Bugs: AUTH BYPASS
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Authors: Alexey Tyurin (ERPScan), Ivan Chalykin (ERPScan)

VULNERABILITY INFORMATION

Class: AUTH BYPASS
Impact: File Downloading
Remotely Exploitable: yes
Locally Exploitable: yes
CVE: CVE-2017-3556

CVSS Information

CVSS Base Score v3: 5.3 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity None (N)
A: Impact to Availability None (N)

VULNERABILITY DESCRIPTION

An attacker can bypass authorization checks and download files stored in E-Business Suite.

VULNERABLE PACKAGES

Oracle E-Business Suite 12.2.3

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, apply Oracle CPU April 2017.

TECHNICAL DESCRIPTION

Proof of Concept

Vulnerable URL:

http://victim_ebs_server/OA_HTML/fndgfm.jsp?mode=download_blob&fid=1&mac=t

This JSP serves the file identified by the fid parameter without performing an authorization check, so files stored in E-Business Suite can be downloaded without a valid session. For a successful attack, an attacker only needs to enumerate the fid parameter.
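Because exploitation is nothing more than enumerating fid against fndgfm.jsp, the traffic is easy to spot in the web tier access log. The script below is an added example for defenders and is not part of the ERPScan advisory or of Oracle's code: it parses constructed lines in Apache/OHS combined log format (the addresses, timestamps, sizes, user agents and the ebs.example.com referer are all made up), picks out mode=download_blob requests to fndgfm.jsp, and reports sources that pulled several distinct fid values as well as the downloads that actually succeeded. The threshold of three distinct fids is an assumption chosen for the sample and should be tuned to real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
# 10.0.0.5 walks fid=1..4 with curl; 10.0.0.9 is an ordinary browser session.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Apr/2017:10:01:02 +0000] "GET /OA_HTML/fndgfm.jsp?mode=download_blob&fid=1&mac=t HTTP/1.1" 200 4812 "-" "curl/7.52.1"
10.0.0.5 - - [18/Apr/2017:10:01:03 +0000] "GET /OA_HTML/fndgfm.jsp?mode=download_blob&fid=2&mac=t HTTP/1.1" 200 1024 "-" "curl/7.52.1"
10.0.0.5 - - [18/Apr/2017:10:01:03 +0000] "GET /OA_HTML/fndgfm.jsp?mode=download_blob&fid=3&mac=t HTTP/1.1" 404 312 "-" "curl/7.52.1"
10.0.0.5 - - [18/Apr/2017:10:01:04 +0000] "GET /OA_HTML/fndgfm.jsp?mode=download_blob&fid=4&mac=t HTTP/1.1" 200 77813 "-" "curl/7.52.1"
10.0.0.9 - - [18/Apr/2017:10:05:40 +0000] "GET /OA_HTML/fndgfm.jsp?mode=download_blob&fid=4&mac=t HTTP/1.1" 200 77813 "https://ebs.example.com/OA_HTML/RF.jsp" "Mozilla/5.0"
10.0.0.9 - - [18/Apr/2017:10:06:01 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_blob_download(rec):
    """True for requests to the vulnerable JSP in download_blob mode."""
    return (rec["path"].lower().endswith("/oa_html/fndgfm.jsp")
            and rec["query"].get("mode", [""])[0] == "download_blob")


def find_enumeration(log_text, threshold=3):
    """Map source IP -> sorted fid values for sources requesting >= threshold distinct fids."""
    fids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_blob_download(rec):
            continue
        fid = rec["query"].get("fid", [None])[0]
        if fid is not None:
            fids_by_ip[rec["ip"]].add(fid)
    # Sort numerically where possible (fid is a numeric identifier in the PoC).
    return {ip: sorted(fids, key=lambda v: (len(v), v))
            for ip, fids in fids_by_ip.items() if len(fids) >= threshold}


def successful_downloads(log_text):
    """Return (ip, fid, size) for every download_blob request answered with HTTP 200."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_blob_download(rec) or rec["status"] != "200":
            continue
        hits.append((rec["ip"], rec["query"].get("fid", [None])[0], rec["size"]))
    return hits


if __name__ == "__main__":
    for ip, fids in find_enumeration(SAMPLE_LOG).items():
        print(f"fid enumeration from {ip}: {', '.join(fids)}")
    for ip, fid, size in successful_downloads(SAMPLE_LOG):
        print(f"{ip} downloaded fid={fid} ({size} bytes)")
```

The access log alone does not show whether a request carried a valid EBS session, so on an unpatched 12.2.3 instance every download_blob hit from an unexpected source deserves a look; the enumeration view simply surfaces the sequential fid walk the PoC relies on. A 404 for a given fid is not a finding by itself, which is why the two functions are kept separate.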