Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)

03 november 2020

door Viktor Gazdag

Vendor: Oracle
Vendor URL: https://www.oracle.com/
Versions affected: 8.0.0.0-8.4.0.5
Systems Affected: Oracle Communications Diameter Signaling Router
CVE Identifier: CVE-2020-14787 (XSS), CVE-2020-14788 (SQL Injection)
Advisory URL: https://www.oracle.com/security-alerts/cpuoct2020.html
Risk: Medium – 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (SQL injection)
Risk: Medium - 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) (Reflected Cross-Site Scripting)
Authors:
Viktor Gazdag - viktor.gazdag[at]nccgroup[dot]com
Ioannis Charalambous - ioannis.charalambous[at]nccgroup[dot]com

Summary

Based on the Oracle product documentation page, “Oracle Communications Diameter Signaling Router is a market-leading cloud-ready Diameter signaling controller solution that centralizes routing, traffic management and load balancing, creating an architecture that enables IMS and LTE networks to be truly elastic and adapt to increasing service and traffic demands while optimizing the network resources.” The DSR web interface was vulnerable to reflected Cross-Site Scripting and SQL injection that allowed unauthenticated users to inject JavaScript code into the webpage and authenticated users to retrieve information such as password hashes from the database.

Impact

The reflected XSS allowed an unauthenticated attacker to inject JavaScript code such as extracting and stealing the CSRF token from the web page or redirecting users to an attacker controlled site.

The SQL injection could be exploited by an authenticated lower privileged user to enumerate the database and gain higher privileges by cracking the password hashes from the database.

Details

Reflected XSS

An example URL of the vulnerable page is the following:

https://IP:Port/rbar/suppappl/index?gridfilter_col=applId gridfilter_op=%3D gridfilter_val=test go=go

As a proof of concept, an alert box can be shown with the following payload:

"><script>alert(1)</script><" gridfilter_op=%3D gridfilter_val=ncc"><script>alert(1)</script><

The filterBox form element in the response contained the submitted payload that closed the HTML form tag and showed a popup window:

<form id='filterBox' method="GET" action="/rbar/suppappl/index?gridfilter_col=applId"><script>alert(1)</script><" gridfilter_op=%3D gridfilter_val=ncc"><script>alert(1)</script>< go=go"> </form>

SQL Injection

An example URL of the vulnerable page is the following:

https://IP:Port/admin/ajax/snmpdata?module=admin controller=snmp action=grid scope=test start=0 count=25

The following payload was used for the boolean-based blind SQL injection in the URL:

Parameter: scope (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: module=admin controller=snmp action=grid scope=test') AND 5330=5330 AND ('Ytrv'='Ytrv start=0 count=25

Recommendation

Upgrade to Oracle Communications Diameter Signaling Router 8.5.

Vendor Communication

2020-02-14 Advisory reported to Oracle
2020-02-14 Oracle received and started to track the security bugs
2020-02-24 Oracle automatic status report update (Under investigation / Being addressed in main codeline)
2020-03-24 Oracle automatic status report update (Under investigation / Being addressed in main codeline)
2020-04-16 Status update request sent to Oracle
2020-04-16 Oracle replied to status update request
2020-05-23 Oracle automatic status update (Under investigation / Being addressed in main codeline)
2020-06-24 Oracle automatic status update (Under investigation / Being addressed in main codeline)
2020-07-24 Oracle automatic status update (Under investigation / Being addressed in main codeline)
2020-08-24 Oracle status report changed to "Issue addressed in main codeline, scheduled for a future"
2020-09-24 Oracle automatic status update (Issue addressed in main codeline, scheduled for a future)
2020-10-20 Oracle issued Critical Patch Update (CPU) with CVE
2020-10-25 Oracle automatic status update (Alert or CPU issued)
2020-10-26 Request was sent to Oracle to add to the CPU the missing consultant's name
2020-10-27 Oracle updated the CPU with missing name
2020-11-03 Technical Advisory published by NCC Group 

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published Date: 03/11/2020

Written by: Viktor Gazdag