Oracle Endeca Server createDataStore method command execution

Added: 09/04/2013
CVE: CVE-2013-3763
BID: 61217
OSVDB: 95269

Background

Oracle Endeca Server is a hybrid search-analytical database.

Problem

A vulnerability in the controlSoapBinding service allows remote attackers to execute arbitrary commands by sending a request for the createDataStore method with a specially crafted dataFiles parameter.

Resolution

Apply the patch referenced in the July 2013 Critical Patch Update.

References

http://www.zerodayinitiative.com/advisories/ZDI-13-190/

Limitations

The exploit works on Oracle Endeca Server 7.4.0 running on Windows Server 2008 R2 SP1 (DEP OptOut).

Platforms

Windows
