unSecurityResearch LLC

Application Security Expert


Published Advisories


The following advisories were discovered by Travis Emmert.

Published Advisories - 2015

Ext ID | Title | Remote / Pre-Auth | Published Date | Severity
CVE-2015-2033 | InfoBlox - NetMRI/Network Automation Remote Command Injection | yes / yes | 2.19.15 | High

NetMRI is vulnerable to a pre-authentication command injection issue that results in arbitrary command execution as root. /terminal/anyterm-module is configured to proxy through to anytermd. Not releasing my exploit currently.

InfoBlox didn't provide much info to their customers when they fixed this issue; it was only mentioned in the release notes at:

https://support.infoblox.com/app/answers/detail/a_id/3666/kw/NETMRI-23483

"NETMRI-23483 – Corrected security issue with command injection via Anyterm Daemon."

The fact that this is pre-auth and that the injection occurs as root would be very helpful for customers when deciding whether to patch.

Published Advisories - 2013

Ext ID | Title | Remote / Pre-Auth | Published Date | Severity
CVE-2013-5813 | Oracle WebCenter Content SQL Injection | yes / yes | 10.15.13 | High

WebCenter Content by default allows anonymous users to access the area that was vulnerable to SQL injection; I disagree with how Oracle scored this CVE because of that. This flaw was originally reported and fixed as CVE-2012-0083. Oracle attempted to resolve the issue by implementing some broken blacklist logic. The blacklist checked for whitespace characters; if any were found, the request was rejected. The blacklist was missing \x0b (Vertical Tab), which the Oracle DB considers a whitespace character. You could also just avoid the use of any whitespace in your injection.
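As an added example (not Oracle's code), the kind of whitespace denylist described above, modelled in Python beside the fix that makes the character set irrelevant: a bound parameter. The denylist and the table are constructed for illustration; \x0b slips past the denylist, while the bound query treats any input as data.

```python
import sqlite3

# Constructed stand-in for the denylist described above: a request is rejected
# if the value contains any of these ASCII whitespace characters. Vertical tab
# (\x0b) is absent, although Python's str.isspace() classifies it as whitespace.
DENYLISTED_WHITESPACE = " \t\n\r"


def denylist_rejects(value: str) -> bool:
    """True if the incomplete denylist would reject this value."""
    return any(ch in DENYLISTED_WHITESPACE for ch in value)


def whitespace_missed_by_denylist(value: str) -> list:
    """Whitespace characters in the value that the denylist lets through."""
    return [ch for ch in value if ch.isspace() and ch not in DENYLISTED_WHITESPACE]


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the content store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO docs (title) VALUES (?)", [("public",), ("secret",)])
    return conn


def lookup_denylist_concat(conn: sqlite3.Connection, title: str) -> list:
    """Denylist plus string concatenation: the pattern the advisory describes.
    Any quote that survives the filter changes the SQL rather than the data."""
    if denylist_rejects(title):
        return []
    sql = "SELECT title FROM docs WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def concat_query_breaks(conn: sqlite3.Connection, title: str) -> bool:
    """True when the concatenated query no longer parses, i.e. input became SQL."""
    try:
        lookup_denylist_concat(conn, title)
    except sqlite3.OperationalError:
        return True
    return False


def lookup_bound(conn: sqlite3.Connection, title: str) -> list:
    """Bound parameter: the value is data whatever characters it contains."""
    rows = conn.execute("SELECT title FROM docs WHERE title = ?", (title,))
    return [row[0] for row in rows]
```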

CVE-2013-3770 | Oracle WebCenter Content iDoc Script Injection | yes / yes | 07.16.13 | High

WebCenter Content uses a custom scripting language called iDoc. The scripting language is implemented in Java and has various security features and sandboxing. All of those security features fall apart with iDoc script injection. The iDoc script injection vulnerability has two parts. First, I found flaws within the actual implementation of iDoc that allowed for better exploitation options. Second, I found dozens of places where iDoc script could be injected into WebCenter Content by anonymous attackers.

The following code snippet demonstrates a flaw in the iDoc script engine:

<$fileName="../../../../../security/SerializedSystemIni.dat"$><$executeService("GET_LOGGED_SERVER_OUTPUT")$><$ServerOutput$>

<$fileName="../../../../../config/config.xml"$><$executeService("GET_LOGGED_SERVER_OUTPUT")$><$ServerOutput$>

This iDoc script, if injected, would leak the encryption key and encrypted password for the WebLogic admin.

I won't detail here where the iDoc script injections exist.

If you are attempting to find your own iDoc script injections, try injecting:

<$x=1$><$loopwhile x>0$><$x=1$><$endloop$>

You'll notice quickly if your injection worked, since the server will fail to respond.

Several | Oracle Mobile Database Server Remote Code Execution | yes / yes | 1.15.13 | High

Several code execution vulnerabilities and data leak flaws. Depending on configuration the data leak flaws can turn into code execution.

CVEs: CVE-2013-0361 CVE-2013-0366 CVE-2013-0362 CVE-2013-0363 CVE-2013-0364

Published Advisories - 2012

Ext ID | Title | Remote / Pre-Auth | Published Date | Severity
CVE-2012-3199 | Solaris local privilege escalation in gnome trusted extensions | no / no | 10.15.12 | Medium

An easy to exploit Solaris privilege escalation that yields root privileges.

Several | Oracle Imaging and Process Management | yes / yes | 10.15.12 | Medium

Numerous vulnerabilities within Oracle IPM. A couple lead to execution of arbitrary code; the rest span various vulnerability classes and severities.

CVEs: CVE-2012-0106 CVE-2012-0071 CVE-2012-0093 CVE-2012-0107 CVE-2012-0086 CVE-2012-0090 CVE-2012-0092 CVE-2012-0108 CVE-2012-0095

CVE-2012-0079 | Oracle OpenSSO Cross-Site Scripting | yes / yes | 1.15.12 | Medium

Within the OpenSSO login sequence an attempt is made to prevent CRLF injection attacks. When a CRLF injection attack is detected, an error page is displayed. This error page is vulnerable to cross-site scripting. The XSS payload can be embedded in the target URL that the OpenSSO filter is protecting. The XSS payload will then follow the user through the login process and execute immediately after the user has authenticated.

CAS-1064 | Jasig CAS Service CRLF Injection | yes / yes | 1.1.12 | Low

The login service is prone to CRLF injection attacks, which can be utilized to steal user credentials. More details in the original Jasig vulnerability report here: https://issues.jasig.org/browse/CAS-1064

Published Advisories - 2011

Ext ID | Title | Remote / Pre-Auth | Published Date | Severity
ZDI-11-278 | Novell Cloud Manager Insufficient Framework User Validation Vulnerability | yes / yes | 9.3.11 | High

The login GWT request accepts a single argument. By default that argument is NULL, but if you send a fully initialized object, that object will be tied to your session and the login code will not check creds. This object is later checked by individual GWT/RPC requests to verify authorization. By constructing a specially crafted login request it's possible to bypass authentication and make privileged RPC calls.

CVE-2011-0848 | Oracle Enterprise Manager Grid Control Authentication/Authorization Bypass | yes / yes | 7.19.11 | High

Reported this directly to Oracle since I didn't have time to create a fully functioning exploit. Wish I had gone to ZDI since I missed out on a few $.

In emCORE.jar exists the EMLoginServlet class, which contains a snippet of code that looks something like this:

while (...) {
    String value = request.getParameter(key);   // key is the name of the next request parameter
    session.setAttribute(key, value);            // stored in the session with no allowlist check
}

This allows for arbitrary session modification. The session is used to store the HMAC private key that signs the EM_AUTH_USERID cookie. An attacker can therefore craft a login request that sets the HMAC key to a known value, so that subsequent requests can carry EM_AUTH_USERID cookies that will be accepted. Also note that the EM_AUTH_USERID check is vulnerable to remote timing attacks due to the use of strcmp; not sure if Oracle fixed that.

With single sign-on (SSO) enabled, exploitation is even easier.
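As an added example (not Oracle's code), the copy-everything loop above beside a hardened login that only copies allowlisted parameters and keeps the signing key server-generated, plus a constant-time cookie check in place of strcmp. The session attribute name and the allowlist are assumed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed allowlist of request parameters a login handler may legitimately
# copy into the session; the real servlet's attribute names are not on the page.
ALLOWED_SESSION_PARAMS = {"locale", "redirect"}
HMAC_KEY_ATTR = "auth_hmac_key"  # hypothetical name of the session attribute holding the key


def login_vulnerable(params: dict, session: dict) -> None:
    """Mirrors the servlet loop above: every request parameter becomes a session attribute."""
    for key, value in params.items():
        session[key] = value


def login_hardened(params: dict, session: dict) -> None:
    """Copy only allowlisted keys; the signing key is generated server-side, never from the request."""
    for key in params:
        if key in ALLOWED_SESSION_PARAMS:
            session[key] = params[key]
    session.setdefault(HMAC_KEY_ATTR, secrets.token_bytes(32))


def sign_userid(session: dict, userid: str) -> str:
    """HMAC-SHA256 tag over the user id, keyed with whatever the session holds as the key."""
    key = session[HMAC_KEY_ATTR]
    key = key if isinstance(key, bytes) else str(key).encode()
    return hmac.new(key, userid.encode(), hashlib.sha256).hexdigest()


def cookie_valid(session: dict, userid: str, tag: str) -> bool:
    """Constant-time tag check; a strcmp-style compare stops at the first mismatch and leaks timing."""
    return hmac.compare_digest(sign_userid(session, userid), tag)


def request_can_set_key(login) -> bool:
    """True if a request parameter named after the key attribute replaces the server-generated key."""
    session = {HMAC_KEY_ATTR: secrets.token_bytes(32)}  # key created when the session started
    login({HMAC_KEY_ATTR: "chosen-by-client", "locale": "en"}, session)
    return session[HMAC_KEY_ATTR] == "chosen-by-client"


def hardened_roundtrip(userid: str) -> bool:
    """A tag minted with the session key verifies; a wrong tag of the same length does not."""
    session = {}
    login_hardened({"locale": "en"}, session)
    good = sign_userid(session, userid)
    return cookie_valid(session, userid, good) and not cookie_valid(session, userid, "0" * len(good))
```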

ZDI-11-018 | Oracle Database and Enterprise Manager Grid Control Remote Code Execution | yes / yes | 1.18.11 | High

ZDI Advisory

Found this one 30 minutes after my first time installing Oracle Database.

http(s)://hostname:(1158|4889)/em/ecm/csa/v10103/CSAr.jsp

Port 1158 for 11g Database and port 4889 for Enterprise Manager Grid Control.

Look for the following line of code: outputFile = XMLOutputDir + "CSA" + sessionID + currTS + ".xml";

sessionID is a string controlled by the requester and can contain null bytes to help remove that pesky xml extension.

File will be created at http(s)://hostname:(1158|4889)/em/

ZDI-11-020 | Oracle Beehive voice-servlet Remote Code Execution | yes / yes | 1.18.11 | High

ZDI Advisory

You really don't need any more information than '/voice-servlet/prompt-qa/Index.jspf' and \x00.

ZDI-11-017 | Oracle Audit Vault av.action Remote Code Execution | yes / yes | 1.18.11 | High

ZDI Advisory

On port 5700 the Oracle Audit Vault clients utilize the 'ActionServlet' to communicate with the server. The ActionServlet exposes the ManagementServiceImpl class through reflection. With a simple syntax, clients can invoke methods of the ManagementServiceImpl class and receive results, or save the results for more complex multi-request interactions.

ManagementServiceImpl inherits from the class Object (like all classes). The ActionServlet not only exposes the desired methods defined in ManagementServiceImpl, it also exposes the inherited methods from the Object class. This allows an attacker to call Object.getClass. From there an attacker can utilize Java's built-in dynamic programming techniques to instantiate arbitrary objects and invoke their methods.

ZDI-11-016 | Oracle Real User Experience Insight rsynclogdird SQL Injection | yes / yes | 1.18.11 | High

ZDI Advisory

The process that intercepts and parses network traffic ("panther") writes log messages when it encounters possible issues with the traffic it is receiving. One such issue is when it detects a POST parameter in an HTTP or HTTPS request whose parameter name is over 1024 characters. It then writes an info log message to /var/opt/ruei/processor/log/ with regard to this parameter.

The rsynclogdird process then parses the log files and inserts them into the central RUEI database. The rsynclogdird process escapes the user-supplied POST parameter name as an ASCII string, while the underlying Oracle database treats the SQL statement as a UTF-8 encoded string. By using multibyte UTF-8 characters it is possible to bypass the ASCII-style SQL escaping and inject arbitrary SQL. Example character: \xde'

Published Advisories - 2010

Ext ID | Title | Remote / Pre-Auth | Published Date | Severity
ZDI-10-189 | Novell eDirectory array index denial of service | yes / yes | 9.15.10 | Low

ZDI Advisory

The ZDI advisory explains it all: a user-supplied index is trusted and not verified.

ZDI-10-178 | Novell PlateSpin Orchestrate Graph Rendering remote code execution | yes / yes | 9.15.10 | High

ZDI Advisory

The PlateSpin Orchestrate server uses Ganglia 3.0.4 which in turn uses rrdtool version 1.2.12 for creating graphs.

PlateSpin exposes Ganglia under /monitor/graph.php

An attacker can invoke rrdtool with near-arbitrary arguments. rrdtool is vulnerable to several heap overflow and format string vulnerabilities (the -f and --font arguments).

ZDI-10-143 | Novell Sentinel Log Manager remote code execution | yes / yes | 8.09.10 | High

ZDI Advisory

The fileDownload servlet will allow you to download the pg auth file that contains the usernames and passwords. Arbitrary files cannot be downloaded due to some filtering, but you can still get the file with the usernames and passwords.

The reportPluginUpload servlet allows an attacker to upload a report plugin. If a user executes the report, the code in the plugin is executed. To get the format right for a report, just download a report from the server and replace the class files with your own modified ones.

CVE-2010-0916 | Oracle Sun Solaris rdist local privilege escalation | no | 7.13.10 | Medium

Oracle Advisory
CVE-2010-0916

Example of heap overflow:

/usr/bin/rdist -cDwh file_that_is_hardlink rlogin_host:LONG_STRING

When processing a hard link and an overly long destination path, a heap overflow occurs in:

src/cmd/cmd-inet/usr.bin/rdist/server.c
function savelink(), line 584: strcpy(lp->target, Tdest);

ZDI-10-024 | Novell eDirectory SOAP Request Parsing Denial of Service Vulnerability | yes / yes | 3.2.10 | Low

ZDI Advisory
Novell Advisory

ZDI-10-021 | Novell NetStorage xsrvd Long Pathname Remote Code Execution Vulnerability | yes / yes | 2.23.10 | High

ZDI Advisory
Novell Advisory

The Java GUI is just a wrapper around an Apache module and some back-end C processes. The requests are passed through the Apache module and into xsrvd. Once xsrvd has received the request through a Unix domain socket it will do a wide path conversion and then check the credentials. The conversion is done before actually checking the creds, and that is where our overflow exists.

With vulns like this, it makes me glad to sell them to ZDI. There is no doubt this vuln will be used in the wild, or already has.


ZDI-10-001 | Novell iManager eDirectory Plugin Remote Code Execution Vulnerability | yes / yes | 1.7.10 | High

ZDI Advisory
Novell Advisory

The real vulnerability is not the buffer overflow, but figuring out how to trigger it without needing to authenticate.


Published Advisories - 2009

Ext ID | Title | Remote / Pre-Auth | Published Date | Severity
6821298 | Solaris heap overflow vulnerability in the w(1) utility | no / no | 10.9.09 | Medium

Sun Advisory
xorl write up

The xorl write up gives a great overview. Not mentioned is that the UTMP log file can be updated with mostly attacker controlled data using another setuid binary. Exploitation was too difficult for me at the time, but pen-testers I've talked to have successfully written exploits.


784 | IBM AIX muxatmd Buffer Overflow Vulnerability | no / no | 04.15.09 | Medium

iDefense Advisory
IBM Advisory

Changing the value of argv[0] to an overly long string causes a buffer overflow when it attempts to concatenate .pid to the end of the string. Discovered by watching truss and seeing it open a file named muxatmd.pid. Changed argv[0] to see if ../../ type attacks would work; they do not, because it copies what's after the last /. Then tried a long string, and core dump.


802 | IBM AIX libc MALLOCDEBUG File Overwrite Vuln | no / no | 04.15.09 | Medium

iDefense Advisory
IBM Advisory

Found this while reading the release notes for an older AIX release. Figured if MALLOCDEBUG values were honored by setuid binaries there was a good chance of privilege escalation. iDefense did a good job of working with me on this since I didn't actually notice the best attack vector until a couple of weeks after sending them the case. First vulnerability ever sold.


 

Early in my career I released advisories giving credit to 1c239c43f521145fa8385d64a9c32243, which is the MD5 hash of my name.

MD5("Travis Emmert") = 1c239c43f521145fa8385d64a9c32243

Last Updated on Friday, 20 February 2015 02:16