
Hacktics Advisory Dec09: Oracle eBusiness Suite - Multiple Vulnerabilities Allow Remote Takeover



Hacktics Research Group Security Advisory 
http://www.hacktics.com/#details=;view=Resources%7CAdvisory 
By Shay Chen, Hacktics. 
14-Dec-2009

==========
I. Overview
==========
During a penetration test performed by Hacktics' experts, certain
vulnerabilities were identified in the Oracle eBusiness Suite deployment.
Further research has identified several vulnerabilities which, combined, can
allow an unauthenticated remote user to take over and gain full control over
the administrative web user account of the Oracle eBusiness Suite. 

A formatted version of this advisory, including a video demonstrating
step-by-step execution of the exploit, is available at:
http://www.hacktics.com/content/advisories/AdvORA20091214.html

==============
II. The Finding
==============
Three separate issues have been identified:

1. Unauthenticated Guest Access
-------------------------------
It is possible for unauthenticated users to access certain pages with guest
privileges (according to Oracle's security representative, this is standard
functionality of this component). While some pages may not be directly
accessible as a guest in this manner, this restriction can be bypassed by
taking advantage of the application's session management behavior.

2. Authorization Bypass
-----------------------
Malicious users can access and manage content of other users, relying on the
lack of access control in the page management interface. Attackers can use
parameter tampering techniques to directly access the resource identifiers
of pages owned by other users, and delete or modify their content. 

3. Persistent Cross Site Scripting
----------------------------------
Certain web interfaces in the user's menu management interface enable
attackers to inject malicious scripts into user-specific content, causing
the scripts to be executed in the browser of any user viewing the infected
content (Persistent Cross Site Scripting).

By combining all three vulnerabilities, an unauthenticated attacker can
initially gain guest access, leverage it to access pages belonging to the
administrative user, and inject malicious JavaScript into their content in
order to steal session identifiers, which allows taking over the
administrative user account.

===========
III. Details
===========
1. Unauthenticated Guest Access
--------------------------------
By accessing certain internal pages directly, attackers can cause the
application to grant them guest access and load certain objects into the
user's server-side session. At this point, the attacker is able to access
other internal components in the application as the guest user, including
management services, configuration interfaces and information-disclosing
components.

Unauthenticated attackers can bypass the login phase by directly accessing
certain internal URLs such as (partial list):
http://host:port/OA_HTML/OA.jsp 
http://host:port/OA_HTML/RF.jsp 

When accessing one of these URLs, the system generates an exception and an
error is presented to the client. However, as part of the process, the JSP
code populates the user's session object with guest privileges. The
attacker can then access other pages in the system that allow guest
operations, such as:
http://host:port/OA_HTML/AppsChangePassword.jsp 
http://host:port/pls/[DADName]/OracleMyPage.home 
http://host:port/pls/[DADName]/icx_define_pages.editpagelist 

2. Authorization Bypass
-----------------------
Various page management URLs in the Oracle eBusiness Suite rely on the
parameter named [p_page_id] to determine which page to manage. An attacker
can easily access another user's page simply by changing that parameter to
the value identifying the other user's page. No authorization checks are
performed to verify that the user attempting the access is entitled to
manage that page.

The following proof-of-concept samples are provided (the [p_page_id] has to
be associated with a page of a valid user):

http://host:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]

http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]

For example:
http://host:8888/pls/TEST/oracleconfigure.customize?p_page_id=1
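As an added defender-side example (not part of the Hacktics advisory), the following Python script scans Apache-style access-log lines for the chain described in sections III.1 and III.2: a bare request to OA.jsp or RF.jsp followed by page-management requests from the same client, and one client touching many distinct p_page_id values. The log lines, client addresses, the DAD name TEST and the page ids are constructed sample data; the script assumes legitimate OA.jsp/RF.jsp traffic carries page parameters in the query string.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined-style); clients, DAD "TEST" and ids are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2009:10:01:02 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 500 812
10.0.0.5 - - [14/Dec/2009:10:01:09 +0000] "GET /pls/TEST/OracleMyPage.home HTTP/1.1" 200 5120
10.0.0.5 - - [14/Dec/2009:10:01:30 +0000] "GET /pls/TEST/oracleconfigure.customize?p_page_id=1 HTTP/1.1" 200 3100
10.0.0.5 - - [14/Dec/2009:10:01:33 +0000] "GET /pls/TEST/oracleconfigure.customize?p_page_id=2 HTTP/1.1" 200 3098
10.0.0.5 - - [14/Dec/2009:10:01:36 +0000] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=3 HTTP/1.1" 200 2200
10.0.0.9 - - [14/Dec/2009:10:05:00 +0000] "GET /pls/TEST/OracleMyPage.home HTTP/1.1" 200 5120
10.0.0.9 - - [14/Dec/2009:10:05:12 +0000] "GET /pls/TEST/oracleconfigure.customize?p_page_id=7 HTTP/1.1" 200 3100
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
# JSPs from section III.1 that populate a guest session when hit directly
GUEST_ENTRY = re.compile(r'^/OA_HTML/(OA|RF)\.jsp$', re.I)
# page-management procedures from section III.2 that trust p_page_id
PAGE_MGMT = re.compile(r'^/pls/[^/]+/(oracleconfigure\.customize|icx_define_pages\.DispPageDialog)$', re.I)
PAGE_ID = re.compile(r'[?&]p_page_id=([^&]+)', re.I)

def analyse(log_text, max_page_ids=2):
    """Return {client: [findings]} for the guest-session / p_page_id chain."""
    guest_seen = set()
    page_ids = defaultdict(set)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url, _status = m.groups()
        path, _, query = url.partition('?')
        # Assumption: legitimate OA.jsp/RF.jsp traffic carries page parameters,
        # so a bare hit is the error-then-guest-session pattern from III.1.
        if GUEST_ENTRY.match(path) and not query:
            guest_seen.add(client)
        elif PAGE_MGMT.match(path):
            pid = PAGE_ID.search(url)
            if pid:
                page_ids[client].add(pid.group(1))
    for client in guest_seen:
        findings[client].append('bare OA.jsp/RF.jsp hit (guest-session entry point)')
    for client, ids in page_ids.items():
        if client in guest_seen:
            findings[client].append('page management reached from a guest session')
        if len(ids) > max_page_ids:
            findings[client].append(f'{len(ids)} distinct p_page_id values touched')
    return dict(findings)
```

Tune max_page_ids to how many personal pages a normal user edits in one session on your deployment; the guest-entry finding is the stronger signal on its own.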

3. Persistent Cross Site Scripting
----------------------------------
Various interfaces under the personal page management interface are
vulnerable to Persistent Cross Site Scripting:
http://host:port/pls/[DADName]/icx_define_pages.editpagelist
http://host:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]

An attacker can inject malicious scripts into the various properties of a
new or existing page object (via submitted forms):
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=CREATE

The injected script will be executed when the user accesses the main URL:
http://host:port/pls/[DADName]/OracleMyPage.home

It is important to note that our testing indicated that different versions
mitigate this vulnerability to different degrees; in some situations, XSS
evasion techniques were required to overcome certain input validation and
sanitization mechanisms:

* For earlier versions, injecting a simple