Disclosed: local file inclusion vulnerability in Oracle Responsys

Because many retail, cloud-storage and social-networking companies use Oracle Responsys' cloud solutions, the vulnerability affected the services of several well-known companies, including Facebook, LinkedIn, Dropbox and others.

Responsys was originally a leading provider of enterprise B2C cloud marketing software: it sells online marketing software to enterprises and helps them run promotion and communication campaigns through email, the web, mobile devices, social networks and display advertising. On December 21, 2013, Oracle announced its acquisition for $1.5 billion, and the company became Oracle Responsys. Responsys has since been integrated with and extended across Oracle's customer-relationship cloud services, such as Oracle Business Cloud, Sales Cloud, Service Cloud, Social Cloud and Marketing Cloud.

Responsys operates as an enterprise B2C service: once a customer enterprise has set up its system on the Responsys cloud solution, Responsys assigns it a "private IP", distinct from those of other customers, through which it accesses and uses its own cloud service.

Vulnerability discovery

The discovery was somewhat accidental. I often receive developer emails from Facebook, and some of them are sent from addresses at the domain em.facebookmail.com, for example from the fbdev account there, which caught my attention. A vulnerability hunter's habit made me suspect that em.facebookmail.com might be interesting, so after some digging I found that the domain is tied to Facebook's use of the Responsys cloud service, something I had already encountered in earlier penetration tests.

As the figure above shows, Responsys runs Facebook's mail service under the domain em.facebookmail.com. I also found the original Responsys mail-service link in an email sent to me from the fbdev address at em.facebookmail.com:

http://em.facebookmail.com/pub/cc?_ri_=X0Gzc2X%3DWQpglLjHJlYQGkSIGbc52zaRY0i6zgzdzc6jpzcASTGzdzeRfAzbzgJyH0zfzbLVXtpKX%3DSRTRYRSY&_ei_=EolaGGF4SNMvxFF7KucKuWNhjeSKbKRsHLVV55xSq7EoplYQTaISpeSzfMJxPAX8oMMhFTpOYUvvmgn-WhyT6yBDeImov65NsCKxmYwyOL0.

The _ri_ parameter is what makes a request to this link valid. After some testing I found that the system behind em.facebookmail.com (the Responsys service) does not handle double URL encoding correctly: as long as a valid _ri_ value is supplied, an arbitrary path can be inserted into the URL before the query string. For example, inserting the double-encoded path %252fetc%252fpasswd (which decodes to /etc/passwd) caused that file to be read and returned successfully:

http://em.facebookmail.com/pub/sf/%252fetc%252fpasswd?_ri_=X0Gzc2X%3DYQpglLjHJlYQGrzdLoyD13pHoGgHNjCWGRBIk4d6Uw74cgmmfaDIiK4za7bf4aUdgSVXMtX%3DYQpglLjHJlYQGnnlO8Rp71zfzabzewzgLczg7Ulwbazahw8uszbNYzeazdMjhDzcmJizdNFCXgn&_ei_=Ep0e16vSBKEscHnsTNRZT2jxEz5WyG1Wpm_OvAU-aJZRZ_wzYDw97ETX_iSmseE

Generally speaking, being able to read files on the target server by injecting directory traversal sequences is the result of inadequate validation and filtering of user-supplied paths in the code and system architecture. A double-encoding bypass like this one typically means the path was checked for traversal characters after a single round of decoding, and then decoded once more before reaching the filesystem, so %252f passes the check as the harmless-looking %2f and only becomes / afterwards.
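To make that mechanism concrete, here is an added Python model, written for this page and not taken from Responsys or from the original author: the web root, the handler names and the payload list are assumptions chosen to reproduce the behaviour of the /pub/sf/%252fetc%252fpasswd request shown above. The vulnerable resolver validates the path after one round of URL decoding but decodes it a second time before building the filesystem path; the hardened resolver decodes to a fixed point, rejects absolute paths, normalises the result and checks that it is still inside the web root.

```python
"""Model of the double-URL-encoding path traversal described on this page.

Added illustration, not Responsys code. WEB_ROOT, the resolver names and the
payloads are assumptions; only the %252fetc%252fpasswd payload comes from the
write-up.
"""
import posixpath
from urllib.parse import unquote

# Assumed document root of the file-serving endpoint (illustrative only).
WEB_ROOT = "/var/www/pub/sf"


def naive_is_safe(raw_path: str) -> bool:
    """Vulnerable check: decode once, then look for traversal.

    It never sees '../' in '..%252f', because after a single decode the
    string is still '..%2f'.
    """
    once = unquote(raw_path)
    return "../" not in once and not once.startswith("/")


def vulnerable_resolve(raw_path: str) -> str:
    """Models a server that validates after one decode but decodes again
    (for example once in a front-end proxy and once in the application)
    before touching the filesystem."""
    if not naive_is_safe(raw_path):
        raise PermissionError("rejected by naive filter: " + raw_path)
    twice = unquote(unquote(raw_path))
    # posixpath.join discards WEB_ROOT entirely when the second argument is
    # absolute, so a decoded '/etc/passwd' replaces the root instead of being
    # appended to it; '../' segments are collapsed by normpath the same way.
    return posixpath.normpath(posixpath.join(WEB_ROOT, twice))


def fully_decode(raw: str, max_rounds: int = 4) -> str:
    """Decode until the string stops changing; refuse pathological input that
    is still changing after max_rounds (legitimate clients encode once)."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    raise PermissionError("path still encoded after %d rounds" % max_rounds)


def hardened_resolve(raw_path: str) -> str:
    """Decode to a fixed point, reject absolute paths and NUL bytes, then
    normalise and check containment inside WEB_ROOT."""
    decoded = fully_decode(raw_path)
    if "\x00" in decoded or decoded.startswith("/"):
        raise PermissionError("absolute path or NUL byte: " + repr(decoded))
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    # After normpath every '..' has been collapsed, so anything that escaped
    # the root shows up as a prefix mismatch.
    if not candidate.startswith(WEB_ROOT + "/"):
        raise PermissionError("path escapes web root: " + candidate)
    # In production, follow this with os.path.realpath() and a second
    # containment check to defeat symlinks planted inside the root.
    return candidate


def run_payloads(resolver):
    """Return {payload: resolved path or 'REJECTED'} for constructed payloads."""
    payloads = [
        "images/logo.png",                              # benign request
        "../etc/passwd",                                # plain traversal
        "%252fetc%252fpasswd",                          # payload from the write-up
        "..%252f..%252f..%252f..%252fetc%252fpasswd",   # double-encoded ../
    ]
    out = {}
    for p in payloads:
        try:
            out[p] = resolver(p)
        except PermissionError:
            out[p] = "REJECTED"
    return out


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_resolve),
                     ("hardened", hardened_resolve)):
        print(name)
        for p, r in run_payloads(fn).items():
            print("  %-46s -> %s" % (p, r))
```

Running it shows the vulnerable resolver turning both double-encoded payloads into /etc/passwd while rejecting the plain ../etc/passwd, which is exactly the pattern a once-decoded filter produces; the hardened resolver serves only the benign path. The order matters: decode completely first, then normalise, then check the normalised result, never the raw string.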

Learning by analogy: other Responsys customers

I soon realized that the vulnerability would not be limited to Facebook, but would also threaten every other company whose mail is served from a Responsys private-cloud instance. A Google search turns up a large number of company domains exposed in the same way:


By constructing a request with a valid _ri_ parameter, the same technique directly returns internal server information from the target company's instance, as with LinkedIn:

The impact of a local file inclusion (LFI) vulnerability ranges from information disclosure to full compromise of the server (strictly, what is demonstrated here is an arbitrary file read through path traversal; whether the server also includes or executes the fetched file, which is what lets an LFI escalate to code execution, is not established in this write-up). In the Responsys architecture this flaw is relatively serious, because a single defect in the shared platform puts the data of every company using the service at risk.

I reported the vulnerability to Oracle promptly, and Oracle fixed it within a week.

The original text comes from: http://www.yunweipai.com/archives/18858.html

Address of this article: https://www.linuxprobe.com/oracle-responsys.html Editor: Guo Jianpeng, Auditor: Pang Zengbao
