Vulnerabilities > CVE-2013-1559 - Remote Code Execution vulnerability in Oracle Fusion Middleware 10.1.3.5.1/11.1.1.6.0

047910
CVSS 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
oracle
nessus
exploit available
metasploit
NVD
Published: 2013-04-17
Updated: 2013-10-11

Summary

Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1 and 11.1.1.6.0 allows remote authenticated users to affect availability via unknown vectors related to Content Server.

Vulnerable Configurations

Part Description Count
Application
Oracle
2

Exploit-Db

descriptionOracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution. CVE-2013-1559. Remote exploit for windows platform
idEDB-ID:25979
last seen2016-02-03
modified2013-06-05
published2013-06-05
reportermetasploit
sourcehttps://www.exploit-db.com/download/25979/
titleOracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution

Metasploit

descriptionThis module exploits a vulnerability found in the Oracle WebCenter Content CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where user controlled input is used to call ShellExecuteExW(). This module abuses the control to execute an arbitrary HTA from a remote location. This module has been tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle WebCenter Content 11.1.1.6.0.
idMSF:EXPLOIT/WINDOWS/BROWSER/ORACLE_WEBCENTER_CHECKOUTANDOPEN
last seen2020-06-10
modified2019-08-02
published2013-06-01
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/oracle_webcenter_checkoutandopen.rb
titleOracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution

Nessus

NASL familyCGI abuses
NASL idORACLE_WEBCENTER_CONTENT_APR_2013_CPU.NASL
descriptionThe version of Oracle WebCenter Content installed on the remote host is potentially affected by multiple vulnerabilities in the Content Server component.
last seen2020-06-01
modified2020-06-02
plugin id69478
published2013-08-20
reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/69478
titleOracle WebCenter Content (April 2013 CPU)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(69478);
  script_version("1.10");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id("CVE-2013-1503", "CVE-2013-1522", "CVE-2013-1559");
  script_bugtraq_id(59107, 59110, 59122);

  script_name(english:"Oracle WebCenter Content (April 2013 CPU)");
  script_summary(english:"Checks the version of Oracle WebCenter Content");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle WebCenter Content installed on the remote host
is potentially affected by multiple vulnerabilities in the Content
Server component.");
  # https://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c0f55176");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the April 2013 Oracle
Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-1522");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/04/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/20");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_webcenter_content_detect.nasl");
  script_require_keys("installed_sw/Oracle WebCenter Content", "Settings/ParanoidReport");
  script_exclude_keys("Settings/disable_cgi_scanning");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

appname = "Oracle WebCenter Content";

if (report_paranoia < 2) audit(AUDIT_PARANOID);

get_install_count(app_name:appname, exit_if_zero:TRUE);

port = get_http_port(default:80);

install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);

version = install['version'];
dir = install['path'];

install_url = build_url(port: port, qs:dir);

matches = eregmatch(string:version, pattern:"([0-9.]+) \(([0-9.]+)\)");
if (isnull(matches)) audit(AUDIT_VER_FORMAT, version);
main_ver = matches[1];
sub_ver = matches[2];

report = '';

if(main_ver == "11.1.1.6.0")
{
  # Patch 16163273
  # 11gR1-11.1.1.6.0-idcprod1-130212T001239 
  fix_dt = 130212;
  fix_ts = 1239;

  temp = split(sub_ver, sep:"T", keep:FALSE); 
  if(int(temp[0]) < fix_dt ||
    (int(temp[0]) == fix_dt && int(temp[1]) < fix_ts))
  {
    report = '\n  Installed Version : ' + main_ver + ' (' + sub_ver + ')' +
             '\n  Fixed Version     : 11.1.1.6.0 (130212T001239)' +
             '\n  Required Patch    : 16163273\n';
  }
}
else if(main_ver == "10.1.3.5.1")
{
  # Patch 16163273
  # 10.1.3.5.1 (130313)
  fixed_build = 130313;
  build = int(sub_ver);
  if(build < fixed_build)
  {
    report = '\n  Installed Version : ' + main_ver + ' (' + sub_ver + ')' +
             '\n  Fixed Version     : 10.1.3.5.1 (130313)' +
             '\n  Required Patch    : 16163273\n';
  }
}

if(report == '')
  audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, version);

if(report_verbosity > 0)
  security_warning(extra:report, port:port);
else security_warning(port);

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/121848/oracle_webcenter_checkoutandopen.rb.txt
idPACKETSTORM:121848
last seen2016-12-05
published2013-06-02
reporterrgod
sourcehttps://packetstormsecurity.com/files/121848/Oracle-WebCenter-Content-CheckOutAndOpen.dll-ActiveX-Remote-Code-Execution.html
titleOracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution

Saint

bid59122
descriptionOracle WebCenter Content CheckOutAndOpen.dll ActiveX Control Vulnerability
osvdb92386
titleoracle_webcenter_content_checkoutandopendll_openwebdav
typeclient

References