Hacking Oracle Reports 11g

UPDATE: There are actually two CVE-VULNERABILITIES here. CVE-2012-1734 which was discovered using my vulnerability that allows planting of files. Credit goes to  the University of Texas at Austin Information Security Office.

Please review http://blog.netinfiltration.com//2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/

Also review – re: Future of phishing http://blog.netinfiltration.com//2013/11/04/phishing-becomes-more-targeted-as-security-controls-increase/

This is a video demonstrating of some of the things you can do with CVE-2012-3152 if the workaround hasn’t been put in place. There are more uses but not going to include them in this video. URLs used to exploit are not included and no, I will not share the exploit code outside of helping businesses evaluate their systems.

This vulnerability allows you to do the following with an unauthenticated web browser. Whatever access the oracle account has it what you have.

  • Browse the file sysytem
  • Download files
  • Plant files
  • Use the web server as a proxy to access systems behind a firewall (not included in video)

A well planned attack using this vulnerability could lead to serious damage for a company or organization. Phishing, stealing data, infiltration of networks behind a firewall and more. Oracle didn’t seem to take this vulnerability as seriously as they should have so I decided to show what can be done with it. At this time I am not releasing exploit code though I have went above and beyond responsible disclosure.

If you are able to view /reports/rwservlet/showmap then you may be vulnerable. Contact Oracle support with reference vulnerability tracking #S0109006 or reference CVE-2012-3152. If you like, you can contact me from your company email address and I might help you verify if your servers are vulnerable.