CVE-2010-3585
Published 2010-10-14
Priority P2 · 65 · critical · CVSS 2.0 score 9
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Exploit available
EPSS 52.71% (98.8th percentile)
Unspecified vulnerability in the OracleVM component in Oracle VM 2.2.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to ovs-agent. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a third party researcher that this is related to the exposure of unspecified functions using XML-RPC.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | vm | — | — |
Detection & IOCs (extracted from sources)
- Monitor for XML-RPC POST requests to /RPC2 on TCP port 8899 (ovs-agent) containing the 'utl_test_url' methodCall with shell meta-characters in the second parameter, indicating command injection attempts.
- Detect HTTP Basic Auth attempts to the ovs-agent service using the hardcoded username 'oracle' on port 8899 over SSL; any successful authentication followed by an XML-RPC call to utl_test_url should be treated as suspicious.
- A time-based detection heuristic can be used: if a 'sleep 3' command injected via utl_test_url causes a 3–4 second delay in the XML-RPC response, the target is confirmed vulnerable.
- The exploit sends Content-Type 'application/xml' via HTTP POST to /RPC2; alert on this combination targeting port 8899 with a methodCall body referencing 'utl_test_url'.
- SSL is enabled by default in the exploit module; detection infrastructure must be capable of inspecting SSL/TLS traffic on port 8899 to observe the malicious XML-RPC payloads.
- Valid credentials are required to exploit this vulnerability; unauthenticated probes to port 8899 will not trigger the injection. Detection rules should account for authenticated sessions preceding the malicious methodCall.
- The ovs-agent service typically runs with root privileges, meaning successful exploitation yields full system compromise; prioritize alerting accordingly.
- The exploit deliberately disables the HTTP junk_params and junk_slashes Metasploit options to ensure reliable delivery; detection signatures should not rely on the presence of those evasion artifacts.
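The monitoring logic the bullets above describe, as an added example that is not part of this page or of any vendor tooling: parse a captured POST to /RPC2 on port 8899, decode the XML-RPC methodCall with Python's standard xmlrpc.client, and flag utl_test_url calls whose second parameter carries shell metacharacters, noting whether the request carried credentials. The HTTP parser, the metacharacter set, the severity labels and the sample requests are my own constructions, not the exploit module's code.

```python
import re
import xmlrpc.client

OVS_AGENT_PORT = 8899          # ovs-agent XML-RPC listener named in the advisory
WATCHED_METHOD = "utl_test_url"
# Metacharacters that should never appear in the second parameter (assumed set).
SHELL_META = re.compile(r"[;|`\n]|\$\(|&&")

def parse_http_post(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def inspect_request(raw: bytes, dst_port: int):
    """Return a finding dict for a suspicious ovs-agent XML-RPC call, else None."""
    if dst_port != OVS_AGENT_PORT:
        return None
    method, path, headers, body = parse_http_post(raw)
    if method != "POST" or path != "/RPC2":
        return None
    if not headers.get("content-type", "").startswith("application/xml"):
        return None
    try:
        params, method_name = xmlrpc.client.loads(body)
    except Exception:   # junk on the agent port is itself worth a look
        return {"severity": "medium", "reason": "unparseable XML-RPC body"}
    if method_name != WATCHED_METHOD:
        return None
    finding = {"method": method_name, "params": params,
               "authenticated": "authorization" in headers}  # creds precede the call
    if len(params) > 1 and isinstance(params[1], str) and SHELL_META.search(params[1]):
        finding.update(severity="high", reason="shell metacharacters in 2nd parameter")
    else:
        finding.update(severity="low", reason="utl_test_url call, no metacharacters")
    return finding

def build_request(method_name: str, *params: str, auth: bool = True) -> bytes:
    """Construct a sample POST to /RPC2 (constructed test input, not captured traffic)."""
    body = xmlrpc.client.dumps(params, methodname=method_name).encode()
    headers = [b"POST /RPC2 HTTP/1.1", b"Host: ovs-agent.example:8899",
               b"Content-Type: application/xml", b"Content-Length: %d" % len(body)]
    if auth:
        headers.append(b"Authorization: Basic PLACEHOLDER")
    return b"\r\n".join(headers) + b"\r\n\r\n" + body
```

Run it over decrypted traffic only: the bullets note that the agent speaks SSL on 8899, so the body is invisible to a passive sensor without TLS inspection.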
No detection rules found.
Exploit-DB: Oracle VM Server Virtual Server Agent - Command Injection (Metasploit)
exploitdb · 2010-10-25 · CVSS 9.0 · CRITICAL
---
```ruby
##
# $Id: oracle_vm_agent_utl.rb 10821 2010-10-25 20:58:49Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Oracle VM Server Virtual Server Agent Command Injection',
			'Description' => %q{
					This module exploits a command injection flaw within Oracle's VM Server
				Virtual Server Agent (ovs-agent) service.

				By including shell meta characters within the second parameter to the 'utl_test_url'
				XML-RPC methodCall, an attacker can execute arbitrary commands. The service
```
Metasploit: Oracle VM Server Virtual Server Agent Command Injection
This module exploits a command injection flaw within Oracle's VM Server Virtual Server Agent (ovs-agent) service. By including shell meta characters within the second parameter to the 'utl_test_url' XML-RPC methodCall, an attacker can execute arbitrary commands. The service typically runs with root privileges. NOTE: Valid credentials are required to trigger this vulnerability. The username appears to be hardcoded as 'oracle', but the password is set by the administrator at installation time.
No writeups or analysis indexed.
References
- http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
- http://www.securityfocus.com/archive/1/514611/100/0/threaded
- http://www.us-cert.gov/cas/techalerts/TA10-287A.html