
Remote exploit code for Oracle Forms and Reports 11.1 (CVE-2012-3152), software that is extremely popular with government customers, has been published on the Exploit Database by exploit author Mekanismen.

Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), took a look at the code and provided the following analysis of the attack sequence it uses.

“This is a multi-part attack. The first step is using the /reports/rwservlet/showmap path which apparently discloses information about the system. The attack extracts details (<SPAN>(.*)</SPAN></TD>) about the server which are passed to the mysterious undocumented PARSEQUERY function (/reports/rwservlet/parsequery).”

“For each of the SPAN tags, a parsequery request is made which is checked for user and server names. When it gets a response with these details, it tries to use them to access the showenv script (/reports/rwservlet/showenv?server=#{server}&authid=#{authid}) to find an absolute file path on the target server.”

“This is necessary for the final step of uploading an arbitrary file such as a backdoor servlet page. The file upload uses a flaw in the rwservlet application which allows for a user-specified URL to be downloaded and placed in a user-specified location on the server.”

“The proof of concept application uploads into the images directory (/reports/images/<shell>.jsp) with a random name so that only the attacker will find it.”
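
For defenders, the request paths named in the analysis above make a usable access-log signature. The following Python sketch is an added example, not part of Craig Young's analysis or the published exploit code; it assumes common/combined-format web server logs, and the sample lines, IP addresses and PLACEHOLDER values are constructed.

```python
import re
from collections import defaultdict

# Request paths named in the analysis, in the order the attack uses them.
STAGES = [
    ("showmap", re.compile(r"^/reports/rwservlet/showmap", re.I)),
    ("parsequery", re.compile(r"^/reports/rwservlet/parsequery", re.I)),
    ("showenv", re.compile(r"^/reports/rwservlet/showenv", re.I)),
    # An images directory has no reason to serve JSP pages.
    ("jsp_in_images", re.compile(r"^/reports/images/[^/?]+\.jsp(\?|$)", re.I)),
]
# Assumed log layout (common/combined): ip - - [time] "METHOD path PROTO" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def scan(lines):
    """Map each client IP to the stages it requested, in first-seen order."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, path, _status = m.groups()
        for name, rx in STAGES:
            if rx.search(path) and name not in seen[ip]:
                seen[ip].append(name)
    return dict(seen)

def verdict(stages):
    """'high': JSP requested under images, or the full recon chain in order."""
    recon = [s for s in stages if s != "jsp_in_images"]
    if "jsp_in_images" in stages or recon == ["showmap", "parsequery", "showenv"]:
        return "high"
    return "review"

# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2014:10:00:01 +0000] "GET /reports/rwservlet/showmap HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2014:10:00:02 +0000] "GET /reports/rwservlet/parsequery?PLACEHOLDER HTTP/1.1" 200 812
192.0.2.10 - - [01/Jan/2014:10:00:03 +0000] "GET /reports/rwservlet/showenv?server=PLACEHOLDER&authid=PLACEHOLDER HTTP/1.1" 200 9040
192.0.2.10 - - [01/Jan/2014:10:00:09 +0000] "GET /reports/images/PLACEHOLDER.jsp HTTP/1.1" 200 64
198.51.100.7 - - [01/Jan/2014:10:01:00 +0000] "GET /reports/images/logo.gif HTTP/1.1" 200 2048
203.0.113.5 - - [01/Jan/2014:10:02:00 +0000] "GET /reports/rwservlet/showenv HTTP/1.1" 200 9040
"""

if __name__ == "__main__":
    for ip, stages in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, verdict(stages), " -> ".join(stages))
```

A "review" verdict marks a client that touched only part of the sequence, which still deserves a look if the rwservlet diagnostic paths are not meant to be reachable from that network.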