UPDATE: 12-8-2013 – Added screenshot below
Where: From local network
Impact: Manipulation of data, Exposure of sensitive information
Solution Status: Vendor Patch
Software: Oracle Forms and Reports 11.x
Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 220.127.116.11, 18.104.22.168, and 22.214.171.124 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Report Server Component.
Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 126.96.36.199, 188.8.131.52, and 184.108.40.206 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Servlet.
I am upset about the way these two vulnerabilities were handled on many levels. When I first reported these vulnerabilities they responded that they weren’t actually vulnerabilities. Another thing, the actual details were never released publicly or in documentation from Oracle so IDS/IPS vendors have no rules to add to block the vulnerabilities from being exploited. The two built in functions that were exploitable were not mentioned specifically. The only code update they released was code rewrite in future versions of the software 12.x and above. They didn’t actually release a patch but only vague instructions on how to address the vulnerabilities in older versions of the software and only agreed to do this after I pressured them to do it. They also failed to mention this didn’t just effect 11.x but 10.x as well. I am unsure about versions before this. They also trivialized the severity of the vulnerabilities and said the vulnerability is exploitable from “the local network”. I am also a bit upset that they didn’t attribute the specific vulnerabilities to me but instead decided to just dump all of us who reported vulnerabilities for that CPU into a single bucket.
I am upset because Oracle database servers are used to store important information. You don’t buy Oracle database software to keep a to-do list up to date. These databases often store very sensitive data sets. Oracle database software isn’t cheap and a lot of customers choose stick with older versions.
I can assure you that there are a LOT of vulnerable servers out there right now that could easily be broken into using a web browser from anywhere on the Internet.
Due to the vagueness of the advisories that were released I am unsure which CVE applies to which vulnerability but I am going to explain what you can do if you had the knowledge to exploit them.
The first one I reported involved using a web browser, unauthenticated, to have the server dump the database user/password to the screen. Yes, the user/password that the Oracle application uses.
The second, even more severe one, allowed me to use an unauthenticated web browser to browse the file system of the server. I had access to every single file that the oracle account had access to. Yes, even the .ssh folder *shiver* and could download any file I wanted. Needless to say if there was an ssh key that could access other servers without authentication well, you get the idea. You could break into numerous servers behind the firewall. Another unnamed person discovered a way to use my vulnerability to actually plant files on the server. You can also use the vulnerable Oracle server as a proxy to enter the private network it is on to access other web and ftp servers behind the firewall.
Even though I have painfully taken all the steps to responsibly disclose this vulnerability to the vendor, my ethics prevent me from publishing the actual exploit technique. These exploits being made public could seriously impact a lot of people in a bad way. Security researchers would get a huge chuckle when they saw how trivial it was to exploit this, however.
UPDATE: Screenshot of one exploit.
Dana Lane Taylor