Oracle BI Publisher HTTP Response Splitting

`Digital Security Research Group [DSecRG] Advisory #DSECRG-09-029  
  
  
Application: Oracle Business Intelligence Enterprise Edition (10.1.3.4.0)   
Versions Affected: Oracle Business Intelligence Enterprise Edition (10.1.3.4.0)   
Vendor URL: http://oracle.com  
Bugs: Response Splitting/XSS/phishing credentials  
Exploits: YES  
Reported: 03.03.2009  
Vendor response: 04.03.2009   
Last response: 05.03.2009  
Tracking number: 14088913   
Date of Public Advisory: 25.10.2010  
CVE: CVE-2010-2413  
Authors: Alexandr Polyakov  
Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)  
  
  
  
  
  
  
  
  
Description  
***********  
  
Response Splitting Vulnerability found in Oracle Business Intelligence (BI Publisher Enterprise)  
This vulnerability may be used as XSS or for Phishing user (PHiXSS) credentials using fake response from server  
  
  
Details  
*******  
  
Response Splitting Vulnerability found in script /xmlpserver vulnerable parameter "_xuil"   
  
If we send request whith CRLF sumbols in "_xuil" parameter we can generate own server request.  
  
  
it is possible for an attacker to terminate the "current" response (by injecting the necessary HTTP response headers),  
and then to add his/her own additional complete HTTP response.  
The attacker can then orchestrate the traffic in such a way that when an additional request is sent it appears to generate the additional response.  
When an attacker succeeds in sending a crafted request, and it is responded with the crafted response, there are two (perhaps more)  
ways in which this condition can be exploited:  
  
1. Cross Site Scripting: basically, the crafted (second response) would contain a malicious client side (e.g. Javascript) code, which can steal the client cookies and credentials. The attacker would send the client (victim) a page that will cause two HTTP requests to be sent to the vulnerable site. The first request "attacks" the web-site and causes the split HTTP response to be sent (that is, two HTTP responses will be sent back by the web server). Then, when the second HTTP request is sent by the browser, it (e.g. Internet Explorer) assumes the second HTTP response is the actual server response for the (second) request, thus it will render the content of the second response, and execute the malicious script.  
  
  
2. So when user click on link we can give him fake login page instead of XSS and steal his credentials.  
  
  
  
Example  
*******  
  
request:  
  
GET /xmlpserver/?_xuil=aaaaaaaaaa%0d%0a%0d%0a%0d%0a%0d%0a<html><script>alert('XSS')</script> HTTP/1.0  
  
  
Response:  
  
----------------------------  
HTTP/1.1 200 OK  
Date: Tue, 03 Mar 2009 17:51:21 GMT  
Server: Oracle Containers for J2EE  
Content-Length: 7466  
Set-Cookie: ORA_XDO_UI=aaaaaaaaaa  
  
  
  
<html><script>alert('XSS')</script>; Comment=Oracle XML Publisher Cookie; Domain=.0.0.0; Expires=Wed, 03-Mar-2010 17:51:22 GMT; Path=/xmlpserver  
Set-Cookie: JSESSIONID=ac10006525e85e9ceb6e5e4846d6bcd0e9ceb6a0b2a3; path=/xmlpserver  
Cache-Control: private  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
  
<html LANG="en-US" dir="ltr">.......................  
---------------------------------------  
  
So when user click on link we can execute XSS or give him fake login page and steal his credentials.  
  
  
Fix Information  
***************  
  
  
Information was published in CPU October 2010.  
All customers can download CPU patches following instructions from:   
  
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html  
  
  
Credits  
*******  
  
Oracle gives thanks to Alexander Polyakov from Digital Security Company in CPU October 2010.  
  
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html  
  
Current advisory:  
  
http://dsecrg.com/pages/vul/show.php?id=129  
  
  
  
About  
*****  
  
Digital Security is one of the leading IT security companies in CEMEA,  
providing information security consulting, audit and penetration  
testing services, ERP and SAP security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.  
Digital Security Research Group focuses on enterprise application (ERP) and database  
security problems with vulnerability reports, advisories and whitepapers  
posted regularly on our website.  
  
Contact: research [at] dsecrg [dot]com  
http://www.dsecrg.com  
http://www.erpscan.com  
  
  
  
  
  
  
  
  
  
  
  
Polyakov Alexandr. PCI QSA,PA-QSA  
CTO Digital Security  
Head of DSecRG  
______________________  
DIGITAL SECURITY  
phone: +7 812 703 1547  
+7 812 430 9130  
e-mail: [email protected]   
  
www.dsec.ru  
www.dsecrg.com www.dsecrg.ru  
www.erpscan.com www.erpscan.ru  
www.pcidssru.com www.pcidss.ru  
  
  
-----------------------------------  
This message and any attachment are confidential and may be privileged or otherwise protected   
from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure   
is strictly prohibited. If you have received this message in error, please notify the sender immediately   
either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence   
via e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding   
statements by e-mail unless otherwise agreed.   
-----------------------------------   
`