
[FD] Oracle Business Intelligence Mobile HD v11.x iOS - Persistent UI Vulnerability



Document Title:
===============
Oracle Business Intelligence Mobile HD v11.x iOS - Persistent UI Vulnerability


References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=1361

Oracle Security ID: S0540289
Tracking ID: S0540289
Reporter ID: #1 2015Q1



Release Date:
=============
2015-05-06


Vulnerability Laboratory ID (VL-ID):
====================================
1361


Common Vulnerability Scoring System:
====================================
3.8


Product & Service Introduction:
===============================
Oracle Business Intelligence Mobile HD brings new capabilities that allow 
users to make the most of their analytics information and leverage their 
existing investment in BI. Oracle Business Intelligence Mobile for Apple iPad 
is a mobile analytics app that allows you to view, analyze and act on Oracle 
Business Intelligence 11g content. Using Oracle Business Intelligence Mobile, 
you can view, analyze and act on all your analyses, dashboards, scorecards, 
reports, alerts and notifications on the go.

Oracle Business Intelligence Mobile allows you to drill down into reports, 
apply prompts to filter your data, view interactive formats on geo-spatial 
visualizations, and view and interact with Dashboards, KPIs and Scorecards. 
You can save your analyses and Dashboards for offline viewing and refresh 
them when online again, thus providing always-available access to the data 
you need. This app is compatible with Oracle Business Intelligence 11g, 
version 11.1.1.6.2BP1 and above.

(Copy of the Vendor Homepage: 
http://www.oracle.com/technetwork/middleware/bi-foundation/bi-mobile-hd-1983913.html)
(Copy of the APP Homepage: 
https://itunes.apple.com/us/app/oracle-business-intelligence/id534035015)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side 
validation web vulnerability in the official Oracle Business 
Intelligence Mobile HD v11.1.1.7.0.2420 iOS web-application.


Vulnerability Disclosure Timeline:
==================================
2014-10-27: Researcher Notification & Coordination (Benjamin Kunz Mejri - 
Evolution Security GmbH)
2014-11-01: Vendor Notification (Oracle Sec Alert Team - Acknowledgement 
Program)
2015-02-25: Vendor Response/Feedback (Oracle Sec Alert Team - Acknowledgement 
Program)
2015-04-15: Vendor Fix/Patch (Oracle Developer Team)
2015-05-01: Bug Bounty Reward (Oracle Sec Alert Team - CPU Bulletin 
Acknowledgement)
2015-05-06: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Oracle
Product: Business Intelligence Mobile HD 11.1.1.7.0.2420


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
The Vulnerability Laboratory Research Team discovered an application-side 
validation web vulnerability in the official Oracle Business 
Intelligence Mobile HD v11.1.1.7.0.2420 iOS web-application.

The vulnerability is located in the input field for the dashboard file 
export name of the local save (lokal speichern) function. After injecting 
a system-specific payload into the dashboard name input field, the attacker 
is able to use the email function. When the email button is clicked, the 
script code is wrongly encoded, even if the attachment function is activated 
for PDF only. The wrongly encoded input from the local save, placed in the 
mimeAttachmentHeaderName (mimeAttachmentHeader), allows a local attacker to 
inject persistent system-specific code and compromise the integrity of the 
Oracle BI email function.

In this scenario the value is first correctly encoded on input, but it is 
decoded again internally, which allows the mail context to be manipulated. 
The function is normally used to send the status notification mail with an 
attached PDF or HTML file. For the tests the PDF value was activated and 
HTML was not.

The security risk of the filter bypass and application-side input validation 
web vulnerability is estimated as medium with a CVSS (Common Vulnerability 
Scoring System) count of 3.8. Exploitation of the persistent web 
vulnerability requires a low-privilege web application user account and low 
user interaction. Successful exploitation of the vulnerability results in 
session hijacking, persistent phishing, persistent external redirects, 
persistent loading of malicious script code, or persistent web module 
context manipulation.

Vulnerable Module(s):
                                [+] Lokal speichern - Local save

Vulnerable Parameter(s):
                                [+] mimeAttachmentHeaderName (mimeAttachmentHeader)

Affected Service(s):
                                [+] Email - Local Dashboard File


Proof of Concept (PoC):
=======================
The application-side vulnerability can be exploited by application user 
accounts with low privileges and low user interaction.
To demonstrate or reproduce the security vulnerability, follow the 
information and steps below.

Manual reproduction of the vulnerability ...
1. Install the Oracle Business Intelligence Mobile HD iOS app on your Apple 
device 
(https://itunes.apple.com/us/app/oracle-business-intelligence/id534035015)
2. Register with your server service to get access to the client functions
3. Click the dashboard button to access it
4. Now push the local save (lokal speichern) button at the top right of the 
navigation
5. Inject a system-specific payload with script code into the local save 
dashboard filename input field
6. Switch back to the app index and open the dashboard that has been saved 
locally with the payload (mimeAttachmentHeaderName)
7. Push the email button in the top right navigation
8. The mail client opens with the wrongly encoded payload inside the mail, 
using the template of the dashboard
9. Successful reproduction of the security vulnerability!

PoC: Email - Local Dashboard File
<meta http-equiv="content-type" content="text/html; ">
<div>"><[PERSISTENT INJECTED SCRIPT CODE!]"></x></div><div><br><br></div><br>
<fieldset class="mimeAttachmentHeader"><legend class="mimeAttachmentHeaderName">"><"x">%20<[PERSISTENT INJECTED SCRIPT CODE!]>.html</legend></fieldset><br>


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely restricting and validating the 
input of the local dashboard file save module.
Encode the input fields and encode the output again at the point where the 
value is placed into the mail, instead of reverse-converting the application 
context inside the mail function.
The issue is not located in the Apple device configuration, because it is 
the validation of the mimeAttachmentHeaderName in connection with the email 
function that is broken.
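The encode-then-decode flow described above, modelled as an added example in
Python (this is not the app's or Oracle's code, and the real mail-template
generation inside the iOS app is not known): the vulnerable builder encodes
the dashboard file name on input but decodes it again before inserting it
into the mimeAttachmentHeaderName legend, while the fixed builder keeps an
allowlisted file name and HTML-escapes it at output. The sample name and the
check function are constructed for the example.

```python
import html
import re
import urllib.parse

# Constructed sample: a dashboard file name carrying markup, in the style of
# the advisory's PoC ("><"x">...). Harmless marker tag, no script payload.
SAMPLE_NAME = '"><x>test</x>.html'

LEGEND = ('<fieldset class="mimeAttachmentHeader">'
          '<legend class="mimeAttachmentHeaderName">{name}</legend></fieldset>')


def build_mail_body_vulnerable(name: str) -> str:
    """Flow the advisory describes: value is encoded on input, then
    'reverse encoded' before the mail template is assembled, so the raw
    markup ends up inside the legend element."""
    stored = urllib.parse.quote(name)        # correct encoding on input
    restored = urllib.parse.unquote(stored)  # the defect: decoded again
    return LEGEND.format(name=restored)


def sanitize_filename(name: str) -> str:
    """Restrict the file name to a conservative allowlist; anything else
    becomes '_' and the length is capped. (Assumed policy for the example.)"""
    return re.sub(r'[^A-Za-z0-9 ._-]', '_', name)[:100]


def build_mail_body_fixed(name: str) -> str:
    """Hardened form: allowlist the name and HTML-escape it at the exact
    point where it is written into the mail HTML; never decode it back."""
    safe = html.escape(sanitize_filename(name), quote=True)
    return LEGEND.format(name=safe)


def legend_contains_markup(mail_html: str) -> bool:
    """Check used by the example: does the legend's text contain an
    unescaped tag start? True means the name broke out of the element."""
    m = re.search(r'class="mimeAttachmentHeaderName">(.*?)</legend>',
                  mail_html, re.S)
    inner = m.group(1) if m else ''
    return re.search(r'<[A-Za-z/]', inner) is not None


if __name__ == '__main__':
    print('vulnerable:', legend_contains_markup(build_mail_body_vulnerable(SAMPLE_NAME)))
    print('fixed:     ', legend_contains_markup(build_mail_body_fixed(SAMPLE_NAME)))
```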


Security Risk:
==============
The security risk of the application-side input validation web vulnerability 
in the Oracle mobile application is estimated as medium. (CVSS 3.8)



Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen 
material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com
            - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - research@xxxxxxxxxxxxxxxxxxxxx
            - admin@xxxxxxxxxxxxxxxxx
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php
            - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab
            - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php
            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php
            - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usage, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All 
other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website 
are trademarks of the vulnerability-lab team & the specific authors or 
managers. To record, list (feed), modify, use or edit our material, contact 
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get 
permission.

                                Copyright © 2015 | Vulnerability Laboratory - 
Evolution Security GmbH ™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
PGP KEY: 
http://www.vulnerability-lab.com/keys/admin@xxxxxxxxxxxxxxxxxxxxx%280x198E9928%29.txt



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/