Oracle Secure Backup Administration preauth variable command injection

2010-12-06T00:00:00
ID SAINT:D1ED7BE748AC49448015045483682261
Type saint
Reporter SAINT Corporation
Modified 2010-12-06T00:00:00

Description

Added: 12/06/2010
CVE: CVE-2010-0906
BID: 41597
OSVDB: 67128

Background

Oracle Secure Backup is a centralized tape backup management solution for Oracle Database.

Problem

A vulnerability in the Administration server allows remote, authenticated attackers to execute arbitrary commands which are specified within a specially crafted **preauth** parameter.

Resolution

Apply the Critical Patch Update for July 2010.

References

<http://www.zerodayinitiative.com/advisories/ZDI-10-122/>

Limitations

Exploit works on Oracle Secure Backup 10.3.0.1.0 and requires a valid user and password for Oracle Secure Backup Administration Server.

The exploit requires the 'smbclient' program.

The target must be able to access the specified SMB share anonymously.

Valid SMB user credentials with the writable permission to the specified SMB share are required.

This exploit requires the IO::Socket::SSL PERL module.

Platforms

Windows