[ERPSCAN-17-022] SSRF in PeopleSoft IMServlet

Application: Oracle PeopleSoft
Versions Affected: ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55; PeopleSoft HCM 9.2
Vendor: Oracle
Bugs: SSRF
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Authors: Roman Shalymov (ERPScan)

VULNERABILITY INFORMATION

Class: SSRF
Impact: cross-site port attack, service enumeration
Remotely Exploitable: yes
Locally Exploitable: yes
CVE: CVE-2017-3546

CVSS Information

CVSS Base Score v3: 6.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity Low (L)
A: Impact to Availability None (N)

VULNERABILITY DESCRIPTION

An unauthenticated attacker can make the vulnerable server open connections to hosts of the attacker's choosing, both third-party servers on the Internet and internal resources that are reachable only from the server's network. Because the server's response reflects whether the chosen host and port accepted the connection, the flaw can be leveraged for a cross-site port attack (XSPA), for enumeration of services on internal hosts, and for other attacks that need a request to originate from the PeopleSoft server.
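The defender's side of the description above, as an added example that is not code from the advisory, from ERPScan or from Oracle: scan web-tier access logs for IMServlet requests whose parameters carry a host that the application has no business reaching, and label each hit as an internal target (port scanning behind the perimeter) or an external one (out-of-band callback). Everything the advisory does not state is assumed here: that the web tier logs in Apache/WebLogic combined format, that the target host is passed in a query parameter (the parameter names IM_SERVER and IM_PORT in the sample are an assumption and the scanner does not depend on them, since it inspects every parameter value), the allowlist of legitimate IM backends, and the log lines and DNS table, which are constructed for the demo.

```python
"""Flag IMServlet requests whose parameters name an attacker-chosen host.
Added example; assumptions (log format, parameter names, allowlist, DNS
table, sample traffic) are not from the advisory."""
import ipaddress
import re
import socket
from urllib.parse import parse_qsl, urlsplit

# Assumed allowlist of IM backends this instance may legitimately reach.
ALLOWED_HOSTS = {"im.corp.example"}

# Address ranges an outbound request from the web tier should never hit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]

# Apache/WebLogic combined log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A parameter value that looks like a host: dotted name/IPv4 or [IPv6], optional :port.
HOST_RE = re.compile(
    r'^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<name>(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+))'
    r'(?::(?P<port>\d{1,5}))?$'
)

# Constructed DNS table so the demo runs offline.
STATIC_DNS = {
    "im.corp.example": ["10.0.0.40"],
    "intranet.corp.example": ["192.168.1.10"],
    "attacker.example": ["203.0.113.99"],
}

def static_resolve(name):
    return STATIC_DNS.get(name.lower(), [])

def dns_resolve(name):
    """Real resolver for production use. A name can be rebound between the
    check and the connect, so the live answer should be re-checked at connect time."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify_host(host, resolve=static_resolve):
    """Return 'allowed', 'internal' or 'external' for an IP literal or a name."""
    if host.lower() in ALLOWED_HOSTS:
        return "allowed"
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    # An unresolvable name is still attacker-chosen, so it is reported as external.
    return "internal" if any(is_internal(a) for a in addrs) else "external"

def extract_hosts(value):
    """Yield (host, port) for a value written as a URL, host, host:port or [v6]:port."""
    if "://" in value:
        u = urlsplit(value)
        if u.hostname:
            yield u.hostname, u.port
        return
    m = HOST_RE.match(value)
    if m:
        port = int(m.group("port")) if m.group("port") else None
        yield (m.group("v6") or m.group("name")), port

def analyze_log(text, resolve=static_resolve):
    """Return one finding per non-allowlisted host seen in an IMServlet request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if "imservlet" not in url.path.lower():
            continue
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            for host, port in extract_hosts(value):
                verdict = classify_host(host, resolve)
                if verdict != "allowed":
                    findings.append({"client": m.group("client"), "ts": m.group("ts"),
                                     "param": param, "host": host, "port": port,
                                     "verdict": verdict})
    return findings

# Constructed sample traffic (parameter names are assumed, not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2017:10:15:01 +0000] "GET /IMServlet?Method=CONNECT&IM_SERVER=im.corp.example&IM_PORT=5222 HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2017:10:15:03 +0000] "GET /IMServlet?Method=CONNECT&IM_SERVER=10.0.0.21&IM_PORT=22 HTTP/1.1" 200 87
203.0.113.7 - - [10/Apr/2017:10:15:04 +0000] "GET /IMServlet?Method=CONNECT&IM_SERVER=intranet.corp.example&IM_PORT=8080 HTTP/1.1" 200 87
203.0.113.7 - - [10/Apr/2017:10:15:05 +0000] "GET /IMServlet?Method=CONNECT&IM_SERVER=attacker.example&IM_PORT=4444 HTTP/1.1" 200 87
203.0.113.7 - - [10/Apr/2017:10:15:06 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['verdict']:8} {f['param']}={f['host']}")
```

Run it with `resolve=dns_resolve` against real logs; the static table exists only so the sample runs offline. A burst of "internal" findings from one client with a changing host or port is the port-scan pattern the advisory describes, and a single "external" finding is the out-of-band callback that the netcat screenshot below illustrates.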

VULNERABLE PACKAGES

ToolsRelease: 8.55.03
ToolsReleaseDB: 8.55
PeopleSoft HCM 9.2

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, apply the Oracle Critical Patch Update of April 2017.

TECHNICAL DESCRIPTION

Proof of Concept

[Screenshot: the crafted IMServlet request issued in the browser]

[Screenshot: the resulting connection from the PeopleSoft server received by a netcat listener]