Unauthenticated Blind SSRF in Oracle EBS


John M
Feb 12, 2019 · 2 min read

Every security consultant I know lets out a slight sigh when given a one-day web application assessment of a popular off-the-shelf product. Nonetheless, there are often vulnerabilities to be found, whether in the client's implementation of said product or in the product itself.

The SSRF below was found on one such test. It is fairly low risk, only allowing the enumeration of ports on internal/external hosts, but may be of interest to some.

The Exploit

I found this exploit when fuzzing an endpoint involved in a previous XXE exploit, something I often do, as in my experience developers often make mistakes when rushing to patch a vulnerability.

During this fuzzing process I put in a basic DOCTYPE declaration and through some “handy collaborator” shenanigans found that something was trying to resolve the DNS of the supplied URL.

The resultant request looked something like the below request (after removing redundant headers/parameters, and redacting target details).

POST /OA_HTML/lcmServiceController.jsp HTTP/1.1
Host: victim.com
Content-Length: 56

<!DOCTYPE root PUBLIC "-//B/A/EN" "http://burpcollaboratorpayload:80">

To which… my request timed out. However, I got a DNS hit in my Burp issue log, indicating that something was happening but that a firewall was likely interfering with the request.

After trying TCP/443 (HTTPS) and getting the same result, I enlisted the help of a colleague to listen for requests across a large range of ports on an external IP and enumerated the port number accordingly (“80” in the above request).

This resulted in three types of responses:

  • Timeout (indicating that a firewall dropped the request)

[Image: Example Response (in this case indicating SSH is open on localhost)]

So, using that information, it was possible to enumerate hosts/ports both internally and externally by monitoring the type of response returned.

In addition, by using file:// it’s possible to enumerate the existence of files. I did try other protocols/methods in the hopes of catching a hash, but unfortunately this proved to not be possible in this specific instance.
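For anyone monitoring an Oracle EBS front end, the pattern above (a DOCTYPE with an external identifier pointing at a URL, with the port number changing request by request) is easy to pick out of request bodies. The following is an added detection example, not code from the post or from Oracle; the client addresses, the collab.example host and the sample request bodies are constructed for illustration.

```python
import re
from collections import defaultdict

# DOCTYPE whose external identifier (SYSTEM, or PUBLIC with a public id) is a URL;
# group 1 captures that URL. This is the shape of the request shown in the post.
DOCTYPE_RE = re.compile(
    r'<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]+)"', re.IGNORECASE)
URL_RE = re.compile(
    r'^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<host>[^/:]*)(?::(?P<port>\d+))?', re.IGNORECASE)

def external_doctype_target(body):
    """Return (scheme, host, port) for an external DOCTYPE in body, else None."""
    m = DOCTYPE_RE.search(body)
    if not m:
        return None
    u = URL_RE.match(m.group(1))
    if not u:
        return ("unknown", "", None)  # external id present but not a parseable URL
    # Fall back to the scheme's default port so http://host and http://host:80 match.
    port = u.group("port") or {"http": "80", "https": "443"}.get(u.group("scheme").lower())
    return (u.group("scheme").lower(), u.group("host").lower(), port)

def detect(records, sweep_threshold=5):
    """records: iterable of (client_ip, path, request_body). One alert per external
    DOCTYPE, plus a 'port-sweep' alert when one client aims it at >= sweep_threshold
    distinct ports on the same host (the enumeration technique described above)."""
    ports_by_client_host = defaultdict(set)
    alerts = []
    for client, path, body in records:
        target = external_doctype_target(body)
        if target is None:
            continue
        scheme, host, port = target
        alerts.append({"kind": "external-doctype", "client": client, "path": path,
                       "scheme": scheme, "host": host, "port": port})
        if scheme in ("http", "https") and host:
            ports_by_client_host[(client, host)].add(port)
    for (client, host), ports in ports_by_client_host.items():
        if len(ports) >= sweep_threshold:
            alerts.append({"kind": "port-sweep", "client": client, "host": host,
                           "ports": sorted(ports, key=int)})
    return alerts

# Constructed sample traffic (not from the post): one client sweeping several ports
# through the DOCTYPE external id, one file:// probe, and one benign XML body.
PATH = "/OA_HTML/lcmServiceController.jsp"
SAMPLE = [("203.0.113.5", PATH,
           '<!DOCTYPE root PUBLIC "-//B/A/EN" "http://collab.example:%s">' % p)
          for p in ("22", "80", "443", "3306", "8080")]
SAMPLE += [("203.0.113.5", PATH, '<!DOCTYPE root SYSTEM "file:///etc/hosts">'),
           ("198.51.100.9", PATH, "<request><id>42</id></request>")]
```

Running `detect(SAMPLE)` yields six external-doctype alerts and one port-sweep alert for 203.0.113.5 against collab.example; the sweep threshold is a tunable assumption, not a value from the post.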

Disclosure Timeline

  • April 2018: Issue discovered and reported to Oracle
