Skip to navigation Skip to main content Skip to footer

Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges

05 November 2015

By NCC Group Publication Archive

Research Cyber Security Technical advisories

Vulnerability Summary

Title:                       Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges

Release Date:          21 January 2015

Reference:               NCC00774

Discoverer:              Edd Torkington

Vendor:                   Oracle

Vendor Reference:    S0524388

Systems Affected:     11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3

CVE Reference:         CVE-2014-6583

Risk:                        Critical

Status :                    Fixed

 

Resolution Timeline

Discovered:             15 December 2014

Reported:               15 December 2014

Released:                16 December 2014

Fixed:                     20 January 2015

Published:               21 January 2015

Vulnerability Description

“Oracle E-Business Suite is the most comprehensive suite of integrated, global business applications that enable organizations to make better decisions, reduce costs, and increase performance. With hundreds of cross-industry capabilities spanning enterprise resource planning, customer relationship management, and supply chain planning, Oracle E-Business Suite applications help customers manage the complexities of global business environments no matter if the organization is small, medium, or large in size. As part of Oracle’s Applications Unlimited strategy, Oracle E-Business Suite applications will continue to be enhanced, thus protecting and extending the value of your software investment”

Oracle E-Business Suite was found to be vulnerable to SQL injection in two pages. Exploitation of the vulnerabilities does not require authentication and can be used to gain APPS (database administrator) privileges.

Technical Details

Accessing the vulnerable pages requires a valid session which can be obtained by visiting (but not logging into) the Oracle login page which can differ depending on the website configuration, for example:

http://hostname/OA_HTML/

Visiting this page supplies two cookies which can be used to access a further two pages which are vulnerable to UNION query-based SQL injection. Both pages take a ‘where’ parameter which is used to construct a dynamic SQL statement that is executed against the database. A lack of any validation allows for arbitrary SQL to be entered and the results to be displayed. Exploitation provides access as the APPS user with DBA privileges.

This advisory will be updated with more details in due course once our customers have had sufficient time to apply the patch.

Fix Information

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

NCC Group

Twitter:         @NCCGroupInfoSec

Open Source:  https://github.com/nccgroup

Blog:             /en/blog/cyber-security/

SlideShare:     http://www.slideshare.net/NCC_Group/

 

NCC Group Publication Archive

NCC Group Publication Archive