UPDATE: 1-21-2014 Created a new shell video and am posting it here. “I know, I am tired. All of your data are belong to us. ”
I discovered two vulnerabilities in Oracle Forms and Reports which affected 10.x and 11.x and possibly older versions. The first vulnerability, reported in April 2011, allowed you to dump database passwords using an unauthenticated web browser. The first response from Oracle?
We have looked into the issue and we have concluded that this is not a vulnerability.
They made the claim it was simply a configuration error? I was absolutely shocked by their reply. They basically forgot about the first vulnerability and then came along a second vulnerability I discovered and reported to them in October 2011 that allowed you to do the following with an unauthenticated web browser.
- View the filesystem in the web browser
- Download any file that the Oracle account has access to (ssh keys, etc)
- Load external pages inside the browser (the Oracle server grabs the external page for you)
- Use as a proxy to probe and access applications on the private network
- Use it to access it’s own applications that are blocked by a firewall such as the EM console
After reporting the second vulnerability I reminded them of the first and here were my exact words.
This would be the second time I reported this. The first time I was told there was just a configuration error. I would like to publically disclose this vulnerability (starting with a vetted security list ) then disclosing to the general public. Oracle has not identified this as a vulnerability and don’t seem concerned with it.
I am asking, point blank. Does Oracle consider this as just a configuration error? If I don’t hear confirmation in the next week I will surmise that this isn’t a vulnerability and that it is okay for me to disclose.
They responded the same day.
Hi Dana. As you requested, we have reviewed your original report and had additional discussions with our development group. We have concluded that this issue does in fact constitute a vulnerability.
We will be tracking this issue as:
S0110556 – <REDACTED>
November 2011 I got another email from them that included the second vulnerability.
Tracking #: S0109006
Status: Under investigation / Being fixed in main codeline
Tracking #: S0110556
Status: Under investigation / Being fixed in main codeline
I shared this information with a vetted security list and the University of Texas at Austin Information Security Office found a way to use this vulnerability to plant files on the server which turned this vulnerability into a horrifically dangerous one. Kudos for that find! They believe the CVE is
CVE-2012-1734. Can’t be this CVE
I continued to receive monthly status updates until they finally released the “patch”. Actually, they didn’t release a patch, they simply did a code rewrite for version 12.x and released documentation for workarounds that likely didn’t get implemented due to the low priority these vulnerabilities were given.
So, I sent this email a few days ago.
I have been contemplating releasing exploit code for the <REDACTED VULN #2/3> which includes planting of files to gain a remote shell on the host. I am having a real hard time with this due to knowing the exploit being made public could cause a lot of systems to become compromised. Since Oracle downplayed the impact of this vulnerability and only implemented workarounds, which were less likely to be implemented than a patch, there are likely a lot of servers out there that are still vulnerable.
Here are two examples of the exploits being performed against systems not protected from the <REDACTED VULN #2/3> vulnerability. I made sure not to include the exploit code in the videos.
Planting a phishing page.
I am having discussions with HD Moore of Metasploit/Rapid7 about full disclosure of these vulnerabilities. I have already gotten permission from the University of Texas to release their add-on to my vulnerability that allows the planting of files.
Would appreciate your feedback.
Here is their response
Hi Dana. Thank you for letting us know about your plans. Of course, we would prefer that exploit code not be released as it puts our customers at risk. However, if you do go forward with your plan we would like to request the following:
1) Please include references to the MOS notes that provide workarounds
for 10g in your publication. These are:
2) Please recommend to customers still using 10g that they upgrade to
3) Also, please note in your publication that 10g is currently not
Once again, thank you for working with us on this issue.
I am not sure if there was a misunderstanding or what but they did in fact end up releasing a patch for 11.x. I was told there was going to be a code rewrite for 12.x and workarounds for older versions. I am a bit suspicious of this thinking they may have snuck an actual patch in at a later date.
In any event, as you can see by Oracle’s response, they are willing to let older versions of the software remain vulnerable if workarounds were not put in place. The low severity rating means their are probably more vulnerable servers out there than if it received a high rating. And for versions older than 10.x am not sure a workaround even exists. There are a lot of companies and governments that still use outdated versions of Oracle Reports and a simple Google search tells me they are out there. Government entities are usually way behind on software versions.
inurl:reports/rwservlet site:gov About 1,660,000 results
inurl:reports/rwservlet site:us About 827,000 results
inurl:reports/rwservlet About 3,900,000 results
A lot of the results will be duplicates but you get the idea.
So, in closing, my intentions are to hand over the the exploits to Metasploit/Rapid7 and let them take it from there. I was really hoping Oracle would respond that they would go ahead and release patches for older versions but that didn’t happen. Perhaps this will be a lesson to them to treat serious vulnerabilities seriously.
BTW, I am also planning on disclosing the first vulnerability as well which seems to have not been fixed.