## https://sploitus.com/exploit?id=1ABBFD5B-BD80-517D-91BA-3CC3F84F5664
# CVE-2021-2471 - XXE in MySQL Connector/J

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior.

Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Connectors.

### Disclaimer:

This vulnerability was found by Xu Yuanzhen of Alibaba Cloud Security Team and Hongkun Chen of Alibaba.
This PoC is provided for research purposes. Do not use it to attack targets that you do not have explicit permission to exploit.

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://www.oracle.com/security-alerts/cpuoct2021.html).

### Proof Of Concept:

The XXE vulnerability arises when a MysqlSQLXML object receives XML containing malicious DTD entities; it is triggered when the getSource() function is called.

As seen in the code below, taken from mysql-connector-java-8.0.26.jar, when DOMSource.class is passed as the argument to getSource(), a DocumentBuilder is created from a default DocumentBuilderFactory with no XXE hardening (DOCTYPE declarations and external entities remain enabled). Whoever controls the content of the inputSource handed to that builder can therefore trigger XXE:

```java
// Excerpt of com.mysql.cj.jdbc.MysqlSQLXML#getSource from mysql-connector-java-8.0.26.jar
public <T extends Source> T getSource(Class<T> clazz) throws SQLException {
    try {
        this.checkClosed();
        this.checkWorkingWithResult();
        InputSource inputSource;
        if (clazz != null && !clazz.equals(SAXSource.class)) {
            SQLException sqlEx;
            if (clazz.equals(DOMSource.class)) {
                try {
                    // Default factory: no feature is set to disallow DOCTYPE or external entities
                    DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
                    builderFactory.setNamespaceAware(true);
                    DocumentBuilder builder = builderFactory.newDocumentBuilder();
                    if (this.fromResultSet) {
                        // XML read from the database column (resultSet.getSQLXML() path)
                        inputSource = new InputSource(this.owningResultSet.getCharacterStream(this.columnIndexOfXml));
                    } else {
                        // XML supplied by the caller (sqlxml.setString() path)
                        inputSource = new InputSource(new StringReader(this.stringRep));
                    }

                    // Untrusted XML is parsed here with DTD processing enabled
                    return (T) new DOMSource(builder.parse(inputSource));
                    // ... exception handling and remaining branches of the method elided
```

There are two ways to deliver the malicious XML to the MysqlSQLXML:
- Using the sqlxml.setString() function (if the attacker can call, or propagate arbitrary input to, the setString function)
- Placing the XML in the DB and retrieving it via a result set using the resultSet.getSQLXML() function (if the attacker has write access to the DB, or can point the victim to an attacker-controlled database)
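The following is an added example and is not code from this repository or from Connector/J. It shows the mitigation side of both delivery paths above: an application that cannot yet upgrade past 8.0.26 should avoid handing SQLXML content to `getSource(DOMSource.class)` and instead read it with `getString()` and parse it through a `DocumentBuilderFactory` that refuses DOCTYPE declarations. The class name `SqlXmlHardening`, the helper names and the sample document are assumptions for this example; the sample uses only an internal entity, so it is harmless, but it is enough to tell a DTD-processing parser apart from a hardened one.

```java
import java.io.IOException;
import java.io.StringReader;
import java.sql.SQLException;
import java.sql.SQLXML;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SqlXmlHardening {

    // Constructed sample (not from the page): a document with a DOCTYPE that defines
    // an internal entity only. A parser that honours DTDs expands &x; to "internal";
    // a hardened parser rejects the DOCTYPE before any entity is processed.
    static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE doc [ <!ENTITY x \"internal\"> ]>\n" +
        "<doc>&x;</doc>";

    /** Same configuration as the connector's getSource(DOMSource.class): no XXE hardening. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    /** Hardened configuration for XML whose origin the application does not control. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Primary control: refuse any DOCTYPE, which removes external entities,
        // parameter entities and entity-expansion (billion laughs) in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different JAXP implementation is resolved at runtime.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Returns the root element's text, or null when the parser rejected the document. */
    static String parseText(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTextContent();
        } catch (SAXException | IOException e) {
            // A hardened builder lands here for any document carrying a DOCTYPE
            return null;
        }
    }

    /**
     * Safe replacement for sqlxml.getSource(DOMSource.class) on an unpatched connector:
     * take the raw string out of the SQLXML and parse it with the hardened builder,
     * regardless of whether the SQLXML came from setString() or from resultSet.getSQLXML().
     */
    static Document parseSqlXmlSafely(SQLXML sqlxml)
            throws SQLException, ParserConfigurationException, SAXException, IOException {
        String raw = sqlxml.getString();
        return hardenedBuilder().parse(new InputSource(new StringReader(raw)));
    }

    public static void main(String[] args) throws Exception {
        String viaDefault = parseText(defaultBuilder(), SAMPLE_WITH_DTD);
        String viaHardened = parseText(hardenedBuilder(), SAMPLE_WITH_DTD);
        System.out.println("default builder  : " + viaDefault);   // "internal": the DTD was processed
        System.out.println("hardened builder : " + viaHardened);  // null: the DOCTYPE was rejected
    }
}
```

Running `main` with the JDK's built-in parser prints `internal` for the default builder and `null` for the hardened one. That difference is also a cheap unit test to keep in a code base: parse the sample through whatever path the application uses for SQLXML data and assert that it is rejected, so a future downgrade or a dependency change that reintroduces the default factory fails the build instead of reopening the hole.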

### Additional Resources:

- [PoC XXE using sqlxml.setString()](Test.java)
- [PoC XXE using resultSet.getSQLXML()](https://github.com/SecCoder-Security-Lab/jdbc-sqlxml-xxe/blob/main/src/main/java/me/threedr3am/bug/jdbc/sqlxml/xxe/oracle/OracleJDBC.java)
- [Download vulnerable JAR](https://downloads.mysql.com/archives/get/p/3/file/mysql-connector-java-8.0.26.zip)
- [Other XXE Payloads](https://github.com/payloadbox/xxe-injection-payload-list)