[ERPSCAN-17-023] CRLF Injection – PeopleSoft IMServlet

Application: Oracle PeopleSoft
Versions Affected: ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55; PeopleSoft HCM 9.2
Vendor: Oracle
Bugs: SSRF
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Authors: Dmitry Yudin (ERPScan) aka @ret5et, Roman Shalymov (ERPScan)

VULNERABILITY INFORMATION

Class: CRLF Injection
Impact: Response Splitting, Cross-Site Scripting
Remotely Exploitable: yes
Locally Exploitable: yes
CVE: CVE-2017-3547

CVSS Information

CVSS Base Score v3: 7.4 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) Required (R)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C: Impact to Confidentiality None (N)
I: Impact to Integrity High (H)
A: Impact to Availability None (N)

VULNERABILITY DESCRIPTION

An attacker can perform a wide variety of attacks, including cross-site scripting, cross-user defacement, poisoning of the client’s web cache, hijacking of web pages, and defacement.

VULNERABLE PACKAGES

ToolsRelease: 8.55.03
ToolsReleaseDB: 8.55
PeopleSoft HCM 9.2

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, apply Oracle CPU April 2017.

TECHNICAL DESCRIPTION

Proof of Concept

Run nc:

Run a Python PoC file:

Response in netcat: