The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Attack Requirements
Present
AT
The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. These include: A race condition must be won to successfully exploit the vulnerability. The successfulness of the attack is conditioned on execution conditions that are not under full control of the attacker. The attack may need to be launched multiple times against a single target before being successful. Network injection. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim (e.g. vulnerabilities requiring an on-path attacker).
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Confidentiality Impact to the Vulnerable System
High
VC
There is a total loss of confidentiality, resulting in all information within the Vulnerable System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.
Availability Impact to the Vulnerable System
High
VI
There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Vulnerable System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Vulnerable System.
Availability Impact to the Vulnerable System
High
VA
There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Vulnerable System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the Vulnerable System (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
Subsequent System Confidentiality Impact
Negligible
SC
There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System.
Integrity Impact to the Subsequent System
None
SI
There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System.
Availability Impact to the Subsequent System
None
SA
There is no loss of availibility within the Subsequent System or all availibility impact is constrained to the Vulnerable System.
Oracle Business Intelligence Mobile HD 11.x Script InsertionDocument Title:
===============
Oracle Business Intelligence Mobile HD v11.x iOS - Persistent UI Vulnerability
References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=1361
Oracle Security ID: S0540289
Tracking ID: S0540289
Reporter ID: #1 2015Q1
Release Date:
=============
2015-05-06
Vulnerability Laboratory ID (VL-ID):
====================================
1361
Common Vulnerability Scoring System:
====================================
3.8
Product & Service Introduction:
===============================
Oracle Business Intelligence Mobile HD brings new capabilities that allows users to make the most of their analytics information and
leverage their existing investment in BI. Oracle Business Intelligence Mobile for Apple iPad is a mobile analytics app that allows you
to view, analyze and act on Oracle Business Intelligence 11g content. Using Oracle Business Intelligence Mobile, you can view, analyze
and act on all your analyses, dashboards, scorecards, reports, alerts and notifications on the go.
Oracle Business Intelligence Mobile allows you to drill down reports, apply prompts to filter your data, view interactive formats on
geo-spatial visualizations, view and interact with Dashboards, KPIs and Scorecards. You can save your analyses and Dashboards for offline
viewing, and refresh them when online again; thus providing always-available access to the data you need. This app is compatible with
Oracle Business Intelligence 11g, version 11.1.1.6.2BP1 and above.
(Copy of the Vendor Homepage: http://www.oracle.com/technetwork/middleware/bi-foundation/bi-mobile-hd-1983913.html )
(Copy of the APP Homepage: https://itunes.apple.com/us/app/oracle-business-intelligence/id534035015 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side validation web vulnerability in the official Oracle Business
Intelligence Mobile HD v11.1.1.7.0.2420 iOS web-application.
Vulnerability Disclosure Timeline:
==================================
2014-10-27: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2014-11-01: Vendor Notification (Oracle Sec Alert Team - Acknowledgement Program)
2015-02-25: Vendor Response/Feedback (Oracle Sec Alert Team - Acknowledgement Program)
2015-04-15: Vendor Fix/Patch (Oracle Developer Team)
2015-05-01: Bug Bounty Reward (Oracle Sec Alert Team - CPU Bulletin Acknowledgement)
2015-05-06: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Oracle
Product: Business Intelligence Mobile HD 11.1.1.7.0.2420
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
The Vulnerability Laboratory Research Team discovered an application-side validation web vulnerability in the official Oracle Business
Intelligence Mobile HD v11.1.1.7.0.2420 iOS web-application.
The vulnerability is located in the input field of the dasboard file export name value of the local save (lokal speichern) function.
After the injection of a system specific command to the input field of the dasboard name the attacker is able to use the email function.
By clicking the email button the script code gets wrong encoded even if the attachment function is activated for pdf only. The wrong
encoded input of the lokal save in the mimeAttachmentHeaderName (mimeAttachmentHeader) allows a local attacker to inject persistent
system specific codes to compromise the integrity of the oracle ib email function.
In case of the scenario the issue get first correct encoded on input and the reverse encoded inside allows to manipulate the mail context.
Regular the function is in use to get the status notification mail with attached pdf or html file. For the tesings the pdf value was
activated and without html.
The security risk of the filter bypass and application-side input validation web vulnerability is estimated as medium with a cvss (common
vulnerability scoring system) count of 3.8. Exploitation of the persistent web vulnerability requires a low privilege web application user
account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent
external redirects, persistent load of malicous script codes or persistent web module context manipulation.
Vulnerable Module(s):
[+] Lokal speichern - Local save
Vulnerable Parameter(s):
[+] mimeAttachmentHeaderName (mimeAttachmentHeader)
Affected Service(s):
[+] Email - Local Dasboard File
Proof of Concept (PoC):
=======================
The application-side vulnerability can be exploited by local privilege application user accounts with low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual reproduce of the vulnerability ...
1. Install the oracle business intelligence mobile hd ios app to your apple device (https://itunes.apple.com/us/app/oracle-business-intelligence/id534035015)
2. Register to your server service to get access to the client functions
2. Click the dashboard button to access
3. Now, we push top right in the navigation the local save (lokal speichern) button
4. Inject system specific payload with script code to the lokal save dashboard filename input field
5. Switch back to the app index and open the saved dashboard that as been saved locally with the payload (mimeAttachmentHeaderName)
6. Push in the top right navigation the email button
7. The mail client opens with the wrong encoded payload inside of the mail with the template of the dashboard
8. Successful reproduce of the security vulnerability!
PoC: Email - Local Dasboard File
<meta http-equiv="content-type" content="text/html; ">
<div>"><[PERSISTENT INJECTED SCRIPT CODE!]"></x></div><div><br><br></div><br>
<fieldset class="mimeAttachmentHeader"><legend class="mimeAttachmentHeaderName">"><"x">%20<[PERSISTENT INJECTED SCRIPT CODE!]>.html</legend></fieldset><br>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction and filter validation of the local dashboard file save module.
Encode the input fields and parse the ouput next to reverse converting the context of the application through the mail function.
The issue is not located in the apple device configuration because of the validation of the mimeAttachmentHeaderName in connection with the email function is broken.
Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the oracle mobile application is estimated as medium. (CVSS 3.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ([email protected]) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: [email protected] - [email protected] - [email protected]
Section: magazine.vulnerability-db.com- vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php- vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php- vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
([email protected] or [email protected]) to get a permission.
Copyright 2015 | Vulnerability Laboratory - Evolution Security GmbH
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum