Oracle Business Intelligence Mobile HD 11.x Script Insertion

Type packetstorm
Reporter Benjamin Kunz Mejri
Modified 2015-05-07T00:00:00


                                            `Document Title:  
Oracle Business Intelligence Mobile HD v11.x iOS - Persistent UI Vulnerability  
References (Source):  
Oracle Security ID: S0540289  
Tracking ID: S0540289  
Reporter ID: #1 2015Q1  
Release Date:  
Vulnerability Laboratory ID (VL-ID):  
Common Vulnerability Scoring System:  
Product & Service Introduction:  
Oracle Business Intelligence Mobile HD brings new capabilities that allows users to make the most of their analytics information and   
leverage their existing investment in BI. Oracle Business Intelligence Mobile for Apple iPad is a mobile analytics app that allows you   
to view, analyze and act on Oracle Business Intelligence 11g content. Using Oracle Business Intelligence Mobile, you can view, analyze   
and act on all your analyses, dashboards, scorecards, reports, alerts and notifications on the go.  
Oracle Business Intelligence Mobile allows you to drill down reports, apply prompts to filter your data, view interactive formats on   
geo-spatial visualizations, view and interact with Dashboards, KPIs and Scorecards. You can save your analyses and Dashboards for offline   
viewing, and refresh them when online again; thus providing always-available access to the data you need. This app is compatible with   
Oracle Business Intelligence 11g, version and above.  
(Copy of the Vendor Homepage: )  
(Copy of the APP Homepage: )  
Abstract Advisory Information:  
The Vulnerability Laboratory Research Team discovered an application-side validation web vulnerability in the official Oracle Business   
Intelligence Mobile HD v11. iOS web-application.  
Vulnerability Disclosure Timeline:  
2014-10-27: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)  
2014-11-01: Vendor Notification (Oracle Sec Alert Team - Acknowledgement Program)  
2015-02-25: Vendor Response/Feedback (Oracle Sec Alert Team - Acknowledgement Program)  
2015-04-15: Vendor Fix/Patch (Oracle Developer Team)  
2015-05-01: Bug Bounty Reward (Oracle Sec Alert Team - CPU Bulletin Acknowledgement)  
2015-05-06: Public Disclosure (Vulnerability Laboratory)  
Discovery Status:  
Affected Product(s):  
Product: Business Intelligence Mobile HD  
Exploitation Technique:  
Severity Level:  
Technical Details & Description:  
The Vulnerability Laboratory Research Team discovered an application-side validation web vulnerability in the official Oracle Business   
Intelligence Mobile HD v11. iOS web-application.  
The vulnerability is located in the input field of the dasboard file export name value of the local save (lokal speichern) function.  
After the injection of a system specific command to the input field of the dasboard name the attacker is able to use the email function.  
By clicking the email button the script code gets wrong encoded even if the attachment function is activated for pdf only. The wrong   
encoded input of the lokal save in the mimeAttachmentHeaderName (mimeAttachmentHeader) allows a local attacker to inject persistent   
system specific codes to compromise the integrity of the oracle ib email function.   
In case of the scenario the issue get first correct encoded on input and the reverse encoded inside allows to manipulate the mail context.  
Regular the function is in use to get the status notification mail with attached pdf or html file. For the tesings the pdf value was   
activated and without html.  
The security risk of the filter bypass and application-side input validation web vulnerability is estimated as medium with a cvss (common   
vulnerability scoring system) count of 3.8. Exploitation of the persistent web vulnerability requires a low privilege web application user   
account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent   
external redirects, persistent load of malicous script codes or persistent web module context manipulation.  
Vulnerable Module(s):  
[+] Lokal speichern - Local save  
Vulnerable Parameter(s):  
[+] mimeAttachmentHeaderName (mimeAttachmentHeader)  
Affected Service(s):  
[+] Email - Local Dasboard File  
Proof of Concept (PoC):  
The application-side vulnerability can be exploited by local privilege application user accounts with low user interaction.  
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.  
Manual reproduce of the vulnerability ...  
1. Install the oracle business intelligence mobile hd ios app to your apple device (  
2. Register to your server service to get access to the client functions  
2. Click the dashboard button to access  
3. Now, we push top right in the navigation the local save (lokal speichern) button  
4. Inject system specific payload with script code to the lokal save dashboard filename input field  
5. Switch back to the app index and open the saved dashboard that as been saved locally with the payload (mimeAttachmentHeaderName)  
6. Push in the top right navigation the email button  
7. The mail client opens with the wrong encoded payload inside of the mail with the template of the dashboard  
8. Successful reproduce of the security vulnerability!  
PoC: Email - Local Dasboard File  
<meta http-equiv="content-type" content="text/html; ">  
<div>"><[PERSISTENT INJECTED SCRIPT CODE!]"></x></div><div><br><br></div><br>  
<fieldset class="mimeAttachmentHeader"><legend class="mimeAttachmentHeaderName">"><"x">%20<[PERSISTENT INJECTED SCRIPT CODE!]>.html</legend></fieldset><br>  
Solution - Fix & Patch:  
The vulnerability can be patched by a secure restriction and filter validation of the local dashboard file save module.  
Encode the input fields and parse the ouput next to reverse converting the context of the application through the mail function.  
The issue is not located in the apple device configuration because of the validation of the mimeAttachmentHeaderName in connection with the email function is broken.  
Security Risk:  
The security risk of the application-side input validation web vulnerability in the oracle mobile application is estimated as medium. (CVSS 3.8)  
Credits & Authors:  
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ( []  
Disclaimer & Information:  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed   
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable   
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab   
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for   
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,   
policies, deface websites, hack into databases or trade with fraud/stolen material.  
Domains: - -  
Contact: - -  
Section: - -  
Social:!/vuln_lab - -  
Feeds: - -  
Programs: - -  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to   
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by   
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website   
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact   
( or to get a permission.  
Copyright © 2015 | Vulnerability Laboratory - Evolution Security GmbH ™