[ERPSCAN-16-006] Oracle E-Business Suite – XXE injection vulnerability

Application: Oracle E-Business Suite
Vendor: Oracle
Versions Affected: Oracle E-Business Suite 12.1.3, probably others
Bugs: XXE injection
Reported: 17.07.2015
Vendor response: 24.07.2015
Date of Public Advisory: 19.01.2016
Reference: Oracle CPU Jan 2016
Author: Nikita Kelesis, Ivan Chalykin, Alexey Tyurin

Class: XML External Entity [CWE-611]
Impact: information disclosure, DoS, SSRF, NTLM relay
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2016-0456
CVSS Information
CVSS Base Score: 5 / 10

AV: Access Vector (Related exploit range) Network (N)
AC: Access Complexity (Required attack complexity) Medium (M)
Au: Authentication (Level of authentication needed to exploit) None (N)
C: Impact to Confidentiality Partial (P)
I: Impact to Integrity Partial (P)
A: Impact to Availability Partial (P)

Business Risk
An attacker can read an arbitrary file on the server by sending a well-formed XML request with a crafted DTD and reading the file contents back from the service's reply.
An attacker can perform a DoS attack (for example, an XML Entity Expansion attack).
An SMB Relay attack is a type of Man-in-the-Middle attack where an attacker asks a victim to authenticate into a machine controlled by the attacker, then relays the credentials to the target. The attacker forwards the authentication information both ways and gets access.

The Oracle E-Business Suite 12.1.3 XML parser validates all incoming XML requests against a user-specified DTD.

Vulnerable packages
Oracle E-Business Suite 12.1.3
Other versions are probably affected too, but they were not checked.

Technical Description
The servlet can be accessed remotely without authentication.
The servlet can be used to send XML messages, which are processed by the XML parser.
The XML parser validates all incoming XML requests against a user-specified DTD.

An attacker sends an XML request with a crafted entity declaration and can:
1) read a file on the OS (subject to the permissions of the server process)
2) perform a DoS attack
3) perform an SSRF attack (a “tunnel” to local services and the internal network)
4) on Windows: initiate an SMB/HTTP request to an attacker-controlled host and capture the NTLM hash or perform an SMB relay attack.
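All four impacts above depend on the service honouring a DTD supplied by the caller, so the server-side fix is to refuse any DOCTYPE in a request from an unauthenticated client and never resolve external or parameter entities. The following Python example is added to this advisory text and is not ERPScan's or Oracle's code; it assumes nothing about the affected servlet (whose input format is not disclosed here) and uses constructed sample requests. It shows a hardened parser built on the standard-library expat binding plus a request-filtering check that flags DTD and entity declarations before they reach a parser.

```python
import re
import xml.parsers.expat
from xml.parsers.expat import XML_PARAM_ENTITY_PARSING_NEVER


class UnsafeXml(ValueError):
    """Raised when an untrusted document carries a DTD or an external entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an unauthenticated caller without honouring any DTD.

    File read, entity-expansion DoS, SSRF and outbound SMB/HTTP requests all
    require the document to carry its own DOCTYPE, so the parser refuses the
    document as soon as one appears instead of validating against it.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch or expand parameter entities (the %name; kind used inside DTDs).
    parser.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE declarations are not accepted (root {name!r})")

    def reject_external_entity(context, base, system_id, public_id):
        raise UnsafeXml(f"external entity reference to {system_id!r} refused")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    result = {"elements": [], "text": []}
    parser.StartElementHandler = lambda name, attrs: result["elements"].append(name)
    parser.CharacterDataHandler = lambda chunk: result["text"].append(chunk)
    parser.Parse(data, True)
    result["text"] = "".join(result["text"])
    return result


# Patterns a request-filtering layer (WAF, reverse proxy, IDS rule) can use to
# flag XML bodies; a DOCTYPE from an unauthenticated caller is itself suspect.
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_EXTERNAL = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
_PARAM = re.compile(rb"<!ENTITY\s+%", re.IGNORECASE)


def flag_xml_request(body: bytes) -> list:
    """Return the reasons an XML request body deserves alerting or blocking."""
    reasons = []
    if _DOCTYPE.search(body):
        reasons.append("doctype")
    if _EXTERNAL.search(body):
        reasons.append("external-entity")
    if _PARAM.search(body):
        reasons.append("parameter-entity")
    return reasons


# Constructed sample requests (not captured traffic); the file path is a placeholder.
BENIGN = b"<order><id>42</id></order>"
XXE_FILE_READ = b"""<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt"> ]>
<r>&ext;</r>"""
ENTITY_EXPANSION = b"""<!DOCTYPE r [ <!ENTITY a "aaaa"> <!ENTITY b "&a;&a;&a;&a;"> ]>
<r>&b;&b;&b;&b;</r>"""


def check_samples() -> dict:
    """Run each sample through both layers and collect the outcome per sample."""
    outcomes = {}
    for label, body in (("benign", BENIGN), ("xxe", XXE_FILE_READ),
                        ("expansion", ENTITY_EXPANSION)):
        try:
            parsed = parse_untrusted_xml(body)
            outcomes[label] = ("parsed", parsed["elements"], flag_xml_request(body))
        except UnsafeXml as err:
            outcomes[label] = ("rejected", str(err), flag_xml_request(body))
    return outcomes


if __name__ == "__main__":
    for label, outcome in check_samples().items():
        print(label, outcome)
```

The same policy in the Java XML stack that E-Business Suite runs on is expressed by enabling the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` on the parser factory; rejecting the DOCTYPE outright is preferable to disabling entity kinds one by one, because it also stops internal-subset entity expansion used for DoS.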

Vulnerable URL

To read a local file (universal way):
1) Run a web server hosting a file (evil.xml) that contains:

2) Open any port (8090, for example) and wait there for the payload from the victim
3) Send the request to the victim:

It is possible to perform the attack without an external (attacker-controlled) server, but then the request has to be customized for each of the servlet's input points.

Solution
Install Oracle CPU Jan 2016