Oracle eBusiness Suite Cross Site Scripting / Bypass

15 Dec 2009. Reported by Shay Chen. Type: packetstorm. Source: packetstormsecurity.com

Oracle eBusiness Suite security vulnerability - Unauthenticated remote user takeover ris

Hacktics Research Group Security Advisory   
http://www.hacktics.com/#details=;view=Resources%7CAdvisory  
By Shay Chen, Hacktics.   
14-Dec-2009  
  
===========  
I. Overview  
===========  
During a penetration test performed by Hacktics' experts, certain  
vulnerabilities were identified in the Oracle eBusiness Suite deployment.  
Further research has identified several vulnerabilities which, combined, can  
allow an unauthenticated remote user to take over and gain full control over  
the administrative web user account of the Oracle eBusiness Suite.   
  
A friendly formatted version of this advisory, including a video  
demonstrating step-by-step execution of the exploit, is available in:   
http://www.hacktics.com/content/advisories/AdvORA20091214.html  
  
===============  
II. The Finding  
===============  
Three separate issues have been identified:  
  
1. Unauthenticated Guest Access  
-------------------------------  
It is possible for unauthenticated users to access certain pages with guest  
privileges (according to Oracle's security representative - this is a  
standard functionality of this component). While some pages may not be  
directly accessible as a guest in this manner, this can be bypassed by  
taking advantage of the session management behavior in the application.   
  
2. Authorization Bypass  
-----------------------  
Malicious users can access and manage content of other users, relying on the  
lack of access control in the page management interface. Attackers can use  
parameter tampering techniques to directly access the resource identifiers  
of pages owned by other users, and delete or modify their content.   
  
3. Persistent Cross Site Scripting  
----------------------------------  
Certain web interfaces in the user's menu management interface enable  
attackers to inject malicious scripts into user-specific content, causing  
the scripts to be executed in the browser of any user viewing the infected  
content (Persistent Cross Site Scripting).  
  
By combining all three vulnerabilities, an unauthenticated attacker can  
initially gain guest access, leverage it to access pages belonging to the  
administrative user, and inject malicious JavaScript into their content in  
order to steal session identifiers, which allows taking over the  
administrative user account.  
  
============  
III. Details  
============  
1. Unauthenticated Guest Access  
--------------------------------  
By accessing certain internal pages directly, attackers can cause the  
application to grant them guest access and load certain objects into the  
user's server side session. At this point, the attacker is able to access  
other internal components in the application as the guest user, including  
management services, configuration interfaces and information disclosing  
components, etc.   
  
Unauthenticated attackers can bypass the login phase by directly accessing  
certain internal URLs such as (partial list):  
http://host:port/OA_HTML/OA.jsp  
http://host:port/OA_HTML/RF.jsp  
  
When accessing one of these URLs, the system generates an exception and an  
error is presented to the client. However, as part of the process, the JSP  
code populates the user's session object with guest privileges. The  
attacker can then access other pages in the system which allow guest  
operations, such as:   
http://host:port/OA_HTML/AppsChangePassword.jsp  
http://host:port/pls/[DADName]/OracleMyPage.home  
http://host:port/pls/[DADName]/icx_define_pages.editpagelist  
  
2. Authorization Bypass  
-----------------------  
Various page management URLs in the Oracle eBusiness Suite rely on the  
parameter named [p_page_id] to determine which page to manage. An attacker  
can easily access another user's page simply by changing that parameter to  
the value representing the other user's page. No authorization check  
verifies that the user attempting the access is entitled to that page.   
  
The following proof-of-concept samples are provided (the [p_page_id] has to  
be associated with a page of a valid user):  
  
http://host:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]  
  
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME  
&p_page_id=[page_id]  
http://host:8888/pls/TEST/oracleconfigure.customize?p_page_id=1  
  
3. Persistent Cross Site Scripting  
----------------------------------  
Various interfaces under the personal page management interface are  
vulnerable to Persistent Cross Site Scripting:   
http://host:port/pls/[DADName]/icx_define_pages.editpagelist   
  
http://host:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]  
  
An attacker can inject malicious scripts into the various properties of a  
new or existing page object (via submitted forms).  
  
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME  
&p_page_id=[page_id]  
  
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=CREATE  
  
  
The injected script will be executed when the user accesses the main URL:  
http://host:port/pls/[DADName]/OracleMyPage.home   
  
It is important to note that our testing has indicated that different  
versions have different mitigation levels of this vulnerability, requiring,  
in some situations, the use of XSS evasion techniques to overcome   
certain input validation and sanitization mechanisms:   
  
* For earlier versions, injecting a simple <SCRIPT> suffices:  
<SCRIPT>alert('XSS')<SCRIPT>  
  
* Some versions limit the permitted characters, and thus require the tester  
to insert JavaScript without using tags, by injecting a script into the  
text box as follows:  
");alert('XSS');//  
  
* Later versions appear to also enforce server-side length restrictions on  
the vulnerable parameters. As a result, multiple separate injections are  
required to achieve script execution, such as:  
");/*  
*/alert/*  
*/(/*  
*/'XSS'/*  
*/);//  
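As an added defensive example (not code from the advisory or from Oracle), the following Python shows why the character blacklists and length limits observed above do not hold, while context-aware output encoding does. It assumes, as the `");` payload shape suggests, that the page name is echoed into a double-quoted JavaScript string literal; the variable name pageName and the sample values are constructed for the demonstration.

```python
import re

# Payload shapes quoted in the advisory (tag, quote break, comment-chunked) plus a
# benign name; all constructed here for the demonstration.
SAMPLES = {
    "benign": "My Homepage",
    "tag": "<SCRIPT>alert('XSS')<SCRIPT>",
    "quote_break": '");alert(\'XSS\');//',
    "chunked": '");/*\n*/alert/*\n*/(/*\n*/\'XSS\'/*\n*/);//',
}

def js_string_escape(value: str) -> str:
    """Escape VALUE for a double-quoted JavaScript string literal. Everything
    except ASCII letters, digits and space becomes \\xHH or \\uHHHH, so quotes,
    parentheses, semicolons, comment markers and angle brackets can never end
    the literal or form tokens; astral characters become UTF-16 surrogate pairs."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and (ch.isalnum() or ch == " "):
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04x}")
        else:
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}")
    return "".join(out)

PREFIX, SUFFIX = 'var pageName = "', '";'   # assumed shape of the emitted script

def render_rename_script(page_name: str) -> str:
    """The inline script a page dialog might emit carrying the page's name."""
    return PREFIX + js_string_escape(page_name) + SUFFIX

# Exactly one string literal built only from safe characters and escapes.
_ONE_LITERAL = re.compile(r'^var pageName = "(?:[A-Za-z0-9 ]|\\x[0-9a-f]{2}|\\u[0-9a-f]{4})*";$')

def is_inert(rendered: str) -> bool:
    """True if RENDERED can only be a single string assignment, never code."""
    return _ONE_LITERAL.match(rendered) is not None

def roundtrip(page_name: str) -> str:
    """Decode the rendered literal the way a JS engine would, to show that
    escaping changes the representation only, not the name the user sees."""
    literal = render_rename_script(page_name)[len(PREFIX):-len(SUFFIX)]
    decoded = literal.encode("ascii").decode("unicode_escape")
    return decoded.encode("utf-16", "surrogatepass").decode("utf-16")
```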
  
===========  
IV. Exploit  
===========  
The exploit is performed by combining the three vulnerabilities, as  
described in the following scenario:  
  
A. Initially, an attacker gains guest access to the system, by first  
accessing:  
http://host:port/OA_HTML/OA.jsp  
  
Although an error is generated at this step, the attacker can now proceed to  
the "My Homepage" page, which now allows guest access:  
http://host:port/pls/[DADName]/OracleMyPage.home  
  
B. The attacker now goes to edit his personal homepage, by accessing the  
"Edit Page List" URL:  
http://host:port/pls/[DADName]/icx_define_pages.editpagelist   
  
The attacker then selects his homepage, and clicks Rename (opening the  
following URL):  
  
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME  
&p_page_id=[page_id]  
  
C. The attacker now changes the [p_page_id] to the [p_page_id] of the  
victim's page (as this is an incremental ID, simple trial and error could be  
used until the administrator's user page is identified).  
  
D. The attacker then uses the Rename Form to change the name of the page  
from its original name to an embedded script:   
  
");alert('XSS');//  
  
This script can now be replaced with the relevant payload, for instance, a  
script that steals the session ID and sends it to the attacker.  
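The chain in steps A-D leaves a recognisable trail in web server access logs. As an added example (not part of the advisory), the following Python flags the three stages per client IP over a few constructed common-log-format lines; the DAD name TEST, the IP addresses and the p_page_name parameter are assumptions, since the advisory does not name the rename form's fields.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Common-log-format line: client IP, request URL and status; other fields are ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) \S+" \d{3}', re.M)
GUEST_BOOTSTRAP = ("/oa_html/oa.jsp", "/oa_html/rf.jsp")                     # section III.1
PAGE_MGMT = ("icx_define_pages.disppagedialog", "oracleconfigure.customize")  # section III.2
BREAKOUT = re.compile(r'''["']\s*\)\s*;|<\s*script''', re.I)                  # section III.3 shapes

# Constructed sample: one client walking steps A-D, one ordinary user. The DAD name
# "TEST", the IPs and the p_page_name parameter are assumptions; the advisory does
# not name the rename form's fields.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2009:10:01:02 +0200] "GET /OA_HTML/OA.jsp HTTP/1.1" 500 812
203.0.113.7 - - [14/Dec/2009:10:01:09 +0200] "GET /pls/TEST/OracleMyPage.home HTTP/1.1" 200 5120
203.0.113.7 - - [14/Dec/2009:10:02:01 +0200] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=41 HTTP/1.1" 200 1410
203.0.113.7 - - [14/Dec/2009:10:02:05 +0200] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=1 HTTP/1.1" 200 1402
203.0.113.7 - - [14/Dec/2009:10:02:40 +0200] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=2&p_page_name=%22%29%3Balert%28%27XSS%27%29%3B%2F%2F HTTP/1.1" 200 1399
198.51.100.9 - - [14/Dec/2009:10:05:00 +0200] "GET /pls/TEST/OracleMyPage.home HTTP/1.1" 200 5120
198.51.100.9 - - [14/Dec/2009:10:05:20 +0200] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=17 HTTP/1.1" 200 1410
"""

def detect(log_text, enum_threshold=3):
    """Return {ip: [alert, ...]} for clients whose requests match a stage of the chain."""
    per_ip = defaultdict(list)
    for m in LOG_RE.finditer(log_text):
        u = urlsplit(m["url"])
        per_ip[m["ip"]].append((u.path.lower(), parse_qs(u.query)))
    alerts = {}
    for ip, reqs in per_ip.items():
        found, bootstrapped, page_ids = [], False, set()
        for path, query in reqs:
            if path in GUEST_BOOTSTRAP:
                bootstrapped = True  # error page, but the session now carries guest objects
            elif bootstrapped and path.endswith("oraclemypage.home"):
                found.append("guest-access bootstrap via OA.jsp/RF.jsp")
                bootstrapped = False
            if path.endswith(PAGE_MGMT):
                page_ids.update(query.get("p_page_id", []))
            if any(BREAKOUT.search(v) for vals in query.values() for v in vals):
                found.append("JS-string breakout in page-management parameter")
        if len(page_ids) >= enum_threshold:
            found.append(f"p_page_id enumeration ({len(page_ids)} distinct ids)")
        if found:
            alerts[ip] = found
    return alerts
```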
  
===================  
V. Affected Systems  
===================  
This vulnerability was tested and identified in Oracle eBusiness Suite  
versions 10 and 11.   
  
==============================  
VI. Vendor's Response/Solution  
==============================  
Oracle's security alerts group has been notified of this vulnerability in  
early November.   
According to Oracle, the first issue is not a vulnerability - guest access  
is permitted by design. The other two have been acknowledged by Oracle, and  
have been fixed in the Jan-2009 CPU:  
  
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuj  
an2009.html  
  
It is important to note that the default fix for this vulnerability is a  
script removing this interface (which is now replaced with a new OA  
Framework). Customers unwilling or unable to switch to the new interface  
should apply patch 7567354 which, according to Oracle, fixes these  
vulnerabilities in the obsolete packages (Hacktics has not performed tests  
to verify this patch).  
  
===========  
VII. Credit  
===========  
These vulnerabilities were discovered by:  
Shay Chen, Technical Leader, Security Services, Hacktics.   
Additional Contribution:  
Gil Cohen, Application Security Consultant, Hacktics.  
Oren Hafif, Application Security Consultant, Hacktics.  
  
  
---  
Ofer Maor  
CTO, Hacktics  
Chairman, OWASP Israel  
  
Web: www.hacktics.com  
  
