The purpose of this post is to present a technical report of the CVE-2013-5880 vulnerability. This bug was found on a bug hunt weekend.
Oracle Demantra is a demand management, sales and operations planning, and trade promotions management solution, which was acquired by Oracle in 2006. It was curious to note that no previous vulnerabilities had been publicly identified in it, which made it a very interesting candidate for research.
Vulnerable System:
- Oracle Demantra 12.2.1
Vulnerability Description:
Demantra uses an Authorization Filter that analyses each request made to the web application. The authorization filter is driven by one main file located in the security folder in the root directory. This file is called “authorizationUnsecureURLs.txt”.
There is a vulnerability in the way the authorization filter matches the requested URL against this file that allows a remote attacker to bypass authentication.
The authorizationUnsecureURLs.txt file contains a list of all pages that can be accessed without an authenticated session. When opened the file looks like this:
#This file contains a list of all demantra URLs considered safe for an unauthenticated user.
#This means that anyone can access these pages, and no security checks whatsoever are done on requests
#for these pages.
#WARNING!!! CHANGING ANYTHING IN THIS FILE CAN SERIOUSLY AFFECT PROGRAM USABILITY AND/OR COMPROMISE SECURITY!!!!
#After altering page, for changes to take effect server must be restarted.
#Login
/portal/loginpage.jsp
/common/loginCheck.jsp
/portal/partnerLogin.jsp
/workflow/login.jsp
/LoginServlet
/portal/DOLLogin.jsp
/portal/remoteloginpage.jsp
/admin/adminManagement.jsp
/portal/userManagement.jsp
/portal/adminLogin.jsp
/portal/anywhereLogin.jsp
/portal/launchDPWeb.jsp
/common/changePassword.jsp
#Error Pages
/common/ForbiddenErrorPage.jsp
/portal/notAuthorizedAdmin.jsp
/workflow/notLoggedIn.jsp
/portal/notLoggedIn.jsp
/portal/generalErrorPage.jsp
/portal/notFoundErrorPage.jsp
#Engine
/BatchForecastServlet
/SimulationServlet
#BM
/ServerDetailsServlet
#DB
/NotificationServlet
#Integration
/common/prelogin.jsp
/WorkflowServer
#Other
/ConnectionServlet
/portal/checkSessionExpiration.jsp
The main class is located at :
- WEB-INF/classes/com/demantra/security/server/authorization/AuthorizationFilter.class
The AuthorizationFilter class loads the listed pages into a list and intercepts every request made to the application. The requested URL is then checked by the isSecureURL function, which is defined in:
- WEB-INF/classes/com/demantra/security/server/SessionAuthenticationFilter.class
The function (as decompiled) looks like this:
    protected boolean isSecureURL(String url) {
        boolean isSecure = true;
        List safeUrls = getSafeUrls();
        if(safeUrls != null) {
            Iterator i$ = safeUrls.iterator();
            do {
                if(!i$.hasNext())
                    break;
                String safeUrl = (String)i$.next();
                // substring match: any URL that merely contains a safe entry is treated as public
                if(url.indexOf(safeUrl) != -1)
                    isSecure = false;
            } while(true);
        }
        return isSecure;
    }
Each request is matched against the URL list defined in the authorizationUnsecureURLs.txt file. However, the way the comparison is done is a design flaw that can be exploited.
Let’s assume we have a URL like this:
- demantra/common/loginCheck.jsp
This will then be compared with the following code:
url.indexOf(safeURL)
safeUrls holds the allowed URL list, which contains
- /common/loginCheck.jsp
which will allow any user to view that page.
An attacker can abuse this check because of the insecure use of indexOf(). The Java documentation defines indexOf() as follows:
int indexOf(String str)
This returns the index within this string of the first occurrence of the specified substring. If it does not occur as a substring, -1 is returned.
As we can see, it only checks whether the allowed entry occurs somewhere in the request URL; it does not compare the full (normalized) path, which allows an attacker to reach pages that should require authentication.
Let’s assume an attacker wants to access:
- /demantra/portal/editExecDefinition.jsp?menuBarId=2&menuGroupId=5&menuGroupName=Applications&tkn=-308184887676887
This request would fail as the user would need to be authenticated to access the above URL.
However, if the URL is constructed like:
- /demantra/common/loginCheck.jsp/../../portal/portal/editExecDefinition.jsp?menuBarId=2&menuGroupId=5&menuGroupName=Applications&tkn=-308184887676887
This request would be accepted, because isSecureURL() returns false (i.e. "no authentication required") as soon as it finds /common/loginCheck.jsp as a substring of the raw request URI, and that entry is listed as accessible without authentication. The servlet container then resolves the ../ segments and serves the protected editExecDefinition.jsp page.
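The following is an added example, not Demantra's own code: it reproduces the substring check from the decompiled isSecureURL() above next to a hardened version that strips the query string, percent-decodes and normalizes the path the way the container will before dispatch, removes the context path and then requires an exact match against the allow list. The three allow-list entries and the /demantra context path are taken from this post; the class name, method names and the sample request URIs are assumptions constructed for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

public class UrlAllowListDemo {

    // Subset of the entries from authorizationUnsecureURLs.txt (from the post).
    static final List<String> SAFE_URLS = Arrays.asList(
            "/portal/loginpage.jsp",
            "/common/loginCheck.jsp",
            "/LoginServlet");

    // Web application context path (from the post's example URLs).
    static final String CONTEXT_PATH = "/demantra";

    /** Vulnerable: same logic as the decompiled isSecureURL(). A URL that
     *  merely contains a safe entry anywhere is treated as public. */
    static boolean isSecureUrlVulnerable(String url) {
        for (String safe : SAFE_URLS) {
            if (url.indexOf(safe) != -1) {
                return false;
            }
        }
        return true;
    }

    /** Hardened: decide on the path the container will actually dispatch to.
     *  Returns true (authentication required) for anything that is not an
     *  exact, normalized match of an allow-list entry. */
    static boolean isSecureUrlHardened(String url) {
        String path;
        try {
            // getPath() drops the query string and percent-decodes (%2e%2e -> ..).
            String decoded = new URI(url).getPath();
            if (decoded == null) {
                return true;               // no path at all: fail closed
            }
            // Re-wrap the decoded path so normalize() collapses "." and ".." segments.
            path = new URI(null, null, decoded, null).normalize().getPath();
        } catch (URISyntaxException e) {
            return true;                   // unparsable request: fail closed
        }
        // Anything that still escapes the root after normalization is rejected.
        for (String segment : path.split("/")) {
            if (segment.equals("..")) {
                return true;
            }
        }
        if (path.startsWith(CONTEXT_PATH + "/")) {
            path = path.substring(CONTEXT_PATH.length());
        }
        // Exact match on the servlet path, not a substring search.
        return !SAFE_URLS.contains(path);
    }

    public static void main(String[] args) {
        // Constructed sample requests: a legitimate login page, a protected page,
        // the traversal bypass, and the same bypass with percent-encoded dots.
        String[] requests = {
            "/demantra/common/loginCheck.jsp",
            "/demantra/portal/editExecDefinition.jsp?menuBarId=2",
            "/demantra/common/loginCheck.jsp/../../portal/editExecDefinition.jsp?menuBarId=2",
            "/demantra/common/loginCheck.jsp/%2e%2e/%2e%2e/portal/editExecDefinition.jsp"
        };
        for (String r : requests) {
            System.out.printf("%-80s vulnerable=%-5b hardened=%b%n", r,
                    isSecureUrlVulnerable(r), isSecureUrlHardened(r));
        }
    }
}
```

Run with `javac UrlAllowListDemo.java && java UrlAllowListDemo`. The vulnerable check reports both traversal requests as public because the string /common/loginCheck.jsp is present, while the hardened check normalizes them to /portal/editExecDefinition.jsp, finds no exact allow-list match, and requires authentication. In a real servlet filter the cleanest fix is to compare the container's already decoded and normalized servlet path (rather than the raw request URI) for equality with the list entries; the explicit normalization here is only to make the difference visible in a stand-alone program.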
Impact:
A remote, unauthenticated attacker could exploit this issue, in combination with other issues found during the same research, to extract data from the database or retrieve files from the system. In some cases this could also lead to arbitrary code execution.
Recommendation:
Please see the Oracle CPU for remediation: