
omurugur/Oracle_Attip_XML_Entity_Exploit

XML Entity Expansion at Service Bus CVE-2019-2576

Overview:

As the following request/response example shows, an XML entity expansion attack can be performed against the service: requests can be sent that exceed the existing memory and processor capacities, causing memory bottlenecks and preventing the service from running. 10kb more request is returned.
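A defender-side check for the condition described above, added here as an example and not part of the original repository: it sizes a SOAP request's entity expansion arithmetically, before any XML parser sees the request. The names `expansion_report`, `max_expanded_chars` and `allow_dtd`, and the `SAMPLE` request, are assumptions constructed for illustration.

```python
import re

# Internal general entities only: <!ENTITY name "value"> (no %parameter; or SYSTEM forms)
ENTITY_DECL = re.compile(r'<!ENTITY\s+([^\s%"\']+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([A-Za-z_:][\w.:-]*);')

# Constructed sample: three nesting levels, ten references per level.
SAMPLE = ('<?xml version="1.0"?>\n<!DOCTYPE e [\n'
          '<!ENTITY a "0123456789">\n'
          '<!ENTITY b "' + '&a;' * 10 + '">\n'
          '<!ENTITY c "' + '&b;' * 10 + '">\n]>\n'
          '<soap:Envelope><soap:Body>&c;</soap:Body></soap:Envelope>\n')


def expansion_report(xml_text, max_expanded_chars=1_000_000, allow_dtd=False):
    """Size a request's entity expansion arithmetically, without expanding it."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)        # XML rule: the first declaration wins
    sizes, in_progress = {}, set()

    def expanded_len(text):
        # Length of text after every declared entity reference is substituted.
        total = len(text)
        for ref in ENTITY_REF.finditer(text):
            if ref.group(1) in decls:
                total += entity_len(ref.group(1)) - len(ref.group(0))
        return total

    def entity_len(name):
        if name in in_progress:
            raise ValueError("recursive entity: " + name)
        if name not in sizes:                # memoised, so cost is linear in the input
            in_progress.add(name)
            sizes[name] = expanded_len(decls[name])
            in_progress.discard(name)
        return sizes[name]

    body = ENTITY_DECL.sub("", xml_text)     # the request minus its declarations
    try:
        expanded = expanded_len(body)
    except (ValueError, RecursionError):     # cyclic or absurdly deep: not sizeable
        expanded = None
    has_dtd = "<!DOCTYPE" in xml_text        # SOAP messages must not carry a DTD
    reject = (has_dtd and not allow_dtd) or expanded is None \
        or expanded > max_expanded_chars
    return {"dtd": has_dtd, "entities": len(decls), "request_chars": len(xml_text),
            "expanded_chars": expanded, "reject": reject}
```

This is a regex pre-filter for a gateway or log pipeline; it complements, and does not replace, applying the vendor fix listed under References.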

Subject: XML ENTITY EXPANSION CVSSv3.0 Base Score: 5.3 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Subject: XML Entity Expansion Defect in OSB CVSSv3.0 Base Score: 5.3 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Subject: SOAP IMPLEMENTATION SUBJECT TO XML ENTITY EXPANSION VULNERABILITY CVSSv3.0 Base Score: 5.3 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://nvd.nist.gov/vuln/detail/CVE-2019-2576

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2576

https://www.securityfocus.com/bid/107946

Download

Cloning an Existing Repository ( Clone with HTTPS )

root@slife:~# git clone https://github.com/omurugur/Oracle_Attip_XML_Entity_Exploit.git

Cloning an Existing Repository ( Clone with SSH )

root@slife:~# git clone git@github.com:omurugur/Oracle_Attip_XML_Entity_Exploit.git

Contact

Mail : omurugur12@gmail.com