mateeuslinno / Oracle-Attip-Xml-Entity-Exploit


XML Entity Expansion at Service Bus CVE-2019-2576


As the following request/response example shows, the service is open to an XML entity expansion attack: a request can be sent whose expansion exceeds the available memory and processor capacity, causing memory bottlenecks and preventing the service from running.

10kb more request is returned.
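A defensive pre-parse check for the entity expansion described above, as an added example that is not code from this repository: it computes how large a request body would become after internal entity expansion without expanding anything, and rejects it above a cap. The function names, the 10,000-character default limit and the sample document are assumptions made for illustration; only internal general entities are handled.

```python
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.:-]+);')
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*(?:\[.*?\]\s*)?>', re.S)
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

def expanded_length(text, entities, cache, active=()):
    """Length of `text` after entity expansion, computed arithmetically."""
    total = len(ENTITY_REF.sub("", text))      # literal characters only
    for name in ENTITY_REF.findall(text):
        if name in PREDEFINED or name not in entities:
            total += 1                          # one char, or left for the parser to reject
            continue
        if name in active:                      # entity refers back to itself
            raise ValueError(f"recursive entity reference: &{name};")
        if name not in cache:                   # memoised: each entity is sized once
            cache[name] = expanded_length(entities[name], entities, cache,
                                          active + (name,))
        total += cache[name]
    return total

def screen_request(xml_text, max_expanded=10_000):
    """Return (allowed, reason) for a raw XML body before any parser sees it."""
    m = DOCTYPE.search(xml_text)
    if m is None:
        return True, "no DOCTYPE"
    entities = {}
    for name, _, value in ENTITY_DECL.findall(m.group(0)):
        entities.setdefault(name, value)        # XML binds the first declaration
    try:
        size = expanded_length(xml_text[m.end():], entities, {})
    except (ValueError, RecursionError) as exc:  # cycles or absurdly deep nesting
        return False, f"rejected: {exc}"
    if size > max_expanded:
        return False, f"rejected: expands to {size} characters (limit {max_expanded})"
    return True, f"expands to {size} characters"

# Constructed sample: three nesting levels of ten references each (10 -> 100 -> 1000).
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY a "xxxxxxxxxx">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<r>&c;</r>"""

if __name__ == "__main__":
    print(screen_request(SAMPLE, max_expanded=500))
```

SOAP 1.1 and 1.2 both forbid a document type declaration in a message, so a SOAP endpoint can apply the stricter policy of rejecting any body in which `DOCTYPE` matches at all.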

Subject: XML ENTITY EXPANSION CVSSv3.0 Base Score: 5.3 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Subject: XML Entity Expansion Defect in OSB CVSSv3.0 Base Score: 5.3 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Subject: SOAP IMPLEMENTATION SUBJECT TO XML ENTITY EXPANSION VULNERABILITY CVSSv3.0 Base Score: 5.3 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References :

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://nvd.nist.gov/vuln/detail/CVE-2019-2576

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2576

https://www.securityfocus.com/bid/107946

Cloning an Existing Repository ( Clone with HTTPS )


root@slife:~# git clone https://github.com/omurugur/Oracle-Attip-Xml-Entity-Exploit.git

Cloning an Existing Repository ( Clone with SSH )


root@slife:~# git clone git@github.com:omurugur/Oracle-Attip-Xml-Entity-Exploit.git

Contact :

Mail : omurugur12@gmail.com

About

License:MIT License