Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges

Vulnerability Summary

Title: Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges

Release Date: 21 January 2015

Reference: NCC00774

Discoverer: Edd Torkington

Vendor: Oracle

Vendor Reference: S0524388

Systems Affected: 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3

CVE Reference: CVE-2014-6583

Risk: Critical

Status: Fixed

Resolution Timeline

Discovered: 15 December 2014

Reported: 15 December 2014

Released: 16 December 2014

Fixed: 20 January 2015

Published: 21 January 2015

Vulnerability Description

“Oracle E-Business Suite is the most comprehensive suite of integrated, global business applications that enable organizations to make better decisions, reduce costs, and increase performance. With hundreds of cross-industry capabilities spanning enterprise resource planning, customer relationship management, and supply chain planning, Oracle E-Business Suite applications help customers manage the complexities of global business environments no matter if the organization is small, medium, or large in size. As part of Oracle’s Applications Unlimited strategy, Oracle E-Business Suite applications will continue to be enhanced, thus protecting and extending the value of your software investment”

Oracle E-Business Suite was found to be vulnerable to SQL injection in two pages. Exploitation of the vulnerabilities does not require authentication and can be used to gain APPS (database administrator) privileges.

Technical Details

Accessing the vulnerable pages requires a valid session, which can be obtained by visiting (but not logging into) the Oracle login page. The location of this page can differ depending on the website configuration; a typical example is:

http://hostname/OA_HTML/

Visiting this page sets two cookies which grant access to a further two pages, both of which are vulnerable to UNION query-based SQL injection. Each page takes a ‘where’ parameter that is used to construct a dynamic SQL statement, which is then executed against the database. Because the parameter is not validated in any way, arbitrary SQL can be supplied and its results are displayed in the response. Exploitation provides access as the APPS user, which holds DBA privileges.
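A detection example for the pattern described above, added here and not part of the NCC Group advisory: it parses web-server access-log lines, isolates requests under /OA_HTML/ that carry a ‘where’ parameter, and flags values that contain SQL syntax rather than a plain filter. The page name example_page.jsp and the log lines are constructed placeholders; the advisory does not name the two affected pages.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
# 'example_page.jsp' is a placeholder for an affected OA_HTML page.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jan/2015:10:00:01 +0000] "GET /OA_HTML/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Jan/2015:10:00:03 +0000] "GET /OA_HTML/example_page.jsp?where=status%3D%27OPEN%27 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [21/Jan/2015:10:00:07 +0000] "GET /OA_HTML/example_page.jsp?where=1%3D1%20UNION%20SELECT%20NULL%2CNULL%20FROM%20dual HTTP/1.1" 200 9001',
    '10.0.0.9 - - [21/Jan/2015:10:00:09 +0000] "GET /OA_HTML/example_page.jsp?where=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1800',
    '10.0.0.7 - - [21/Jan/2015:10:00:11 +0000] "GET /OA_HTML/other_page.jsp?id=42 HTTP/1.1" 200 300',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Tokens that indicate SQL syntax inside a value that should only be a filter.
SQL_SIGNS = re.compile(r"(\bunion\b|\bselect\b|--|/\*|\bor\b\s+'?\d|';)", re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into ip, timestamp, path, decoded params, status."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    params = parse_qs(url.query, keep_blank_values=True)
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'path': url.path,
            'params': params, 'status': int(m.group('status'))}


def suspicious_where(params):
    """Return the first 'where' value that looks like injected SQL, else None."""
    for value in params.get('where', []):
        if SQL_SIGNS.search(value):
            return value
    return None


def find_injection_attempts(lines):
    """Return (ip, path, where_value, status) for every flagged OA_HTML request."""
    hits = []
    for line in lines:
        req = parse_line(line)
        if req is None or not req['path'].startswith('/OA_HTML/'):
            continue
        bad = suspicious_where(req['params'])
        if bad is not None:
            hits.append((req['ip'], req['path'], bad, req['status']))
    return hits


if __name__ == '__main__':
    for hit in find_injection_attempts(SAMPLE_LOG):
        print('flagged:', hit)
```

A benign filter such as status='OPEN' is not flagged, while UNION and quote-balancing tautologies are; tune SQL_SIGNS to the filter syntax your own pages legitimately accept.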

This advisory will be updated with more details in due course once our customers have had sufficient time to apply the patch.

Fix Information

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

NCC Group

Twitter:         @NCCGroupInfoSec

Open Source:  https://github.com/nccgroup

Blog:             /en/blog/cyber-security/

SlideShare:     http://www.slideshare.net/NCC_Group/
