Oracle Virtual Server Agent Command Injection

Added: 11/26/2010
CVE: CVE-2010-3582
BID: 44031

Background

Oracle VM software provides virtualization technology that allows running multiple instances of x86 virtual computers simultaneously within the host operating system. It supports many Oracle and non-Oracle based systems such as Windows, Linux and Oracle Solaris. There are two major parts to Oracle VM: the Oracle VM Manager and the Oracle VM Server. The Manager is a web based console used to manage the Oracle VM server. The Oracle VM Server is composed of Xen hypervisor, Oracle VM Agent, and a customized Linux kernel. The Oracle VM Manager communicates with the Oracle VM Server Agent using the **XML-RPC** specification to manage virtual machines.

Problem

A command injection vulnerability exists in Oracle VM. The vulnerability is due to an input validation error in the proxy parameters of the **utl_test_url** function in Oracle VM Server Agent when processing **XML-RPC** requests. A remote authenticated attacker can exploit this vulnerability to inject and execute arbitrary commands with root privileges.

Resolution

Apply the Oracle VM patches referenced in Oracle Critical Patch Update Advisory for October 2010.

References

<http://secunia.com/advisories/41827/&gt;

Limitations

Exploit works on Oracle VM 2.2.1.

A valid Oracle VM Agent user’s credentials must be provided to the exploit script.

The exploit requires the IO-Socket-SSL PERL module to be installed on the scanning host. This module is available from <http://www.cpan.org/modules/by-module/IO/&gt;.

Platforms

Linux