Bugtraq mailing list archives

Oracle WebDb engine brain-damage


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Tue, 19 Dec 2000 13:54:11 +0100

Ladies and gentlemen, here's something tasty:

// Standard disclaimer applies. This post expresses my personal beliefs
// and convictions only. I am speaking as a private person. All the
// statements have been provided for informative purposes only, and have
// to be verified by the reader. NONE OF THE INFORMATION BELOW SHOULD BE
// USED FOR ANY PURPOSES EXCEPT VULNERABILITY TESTING OF YOUR LOCAL
// SITE. BY USING IT TO ATTACK OTHER SITES, YOU WILL BECOME RESPONSIBLE
// FOR ALL DAMAGES. All examples are provided *only* to demonstrate this
// problem is serious and to enable sysadmins to react immediately.

-----------------
Affected software
-----------------

The vulnerable item has been identified as the "Oracle WebDb" PL/SQL proxy (?),
which is apparently used as a part of Oracle Internet Application Server
(IAS) installations. IAS is the leading dynamic-content / database
connectivity engine in our small, commercial WWW world :> My knowledge of
this product is somewhat limited, and I am not really interested in
tracing where and when this component is used in commercial solutions - it
seems to be present in numerous installations around the globe - that's
enough to report this problem here. Feel free to provide additional
information or to correct me if I am wrong.

------
Impact
------

First of all, I've located a website running the WebDb engine. I will use
the (purely theoretical) example of www.<bigcarcompany>.co.uk in my
demonstration. Any coincidence is purely accidental.

Our favourite game - sending stupid (HTTP) queries to the "dynamic" part of
their webserver (actually, this is a gate to the IAS subsystem, in this case
in /somedir; you should be redirected there almost immediately - I've used
http://www.<bcc>.co.uk/somedir/blahblah) - causes a WebDb error message, which
looks like this:

18/Dec/2000:02:53:51

ORA-06550: line 5, column 2:
PLS-00201: identifier 'BLAHBLAH' must be declared
ORA-06550: line 5, column 2:
PL/SQL: Statement ignored

  DAD name: something
  PROCEDURE  : BLAHBLAH
  URL        : http://www.<bcc>.co.uk:80/somedir/blahblah?
  PARAMETERS :
  ===========

  ENVIRONMENT:
  ============
    SERVER_PORT=80
    SERVER_SOFTWARE=Oracle WebDb Listener 2.1
    /.../
    HTTP_USER_AGENT=Mozilla/4.61 [en] (X11; I; Linux 2.2.12-20 i686; Nav)
    /.../

<on_problems>

Got a "404 Not found" error? No reason to panic. First of all, check if it's
IAS for sure. There are two general cases - IAS installations where only a
single configuration is possible vs. ones where multiple DADs might be
declared (in the first case, you will usually find the www.site.com/WebDB
directory on the server; in the second case, there should be a /pls
directory). In both cases, sometimes you will have to determine the real DAD
directory by sending bad parameters to dynamic content, like
http://www.<bcc>.co.uk/somedir/realscript?aaaa=bbbb. The error message will
show you the correct path (use something that exists as 'realscript'):

ORA-06550: line 7, column 2:
PLS-00306: wrong number or types of arguments in call to 'REALSCRIPT'
/.../
VARIABLES IN FORM NOT IN PROCEDURE: AAAA

  DAD name: somedad
  /.../
    SCRIPT_PREFIX=/pls

Then you have to use /pls/somedad/ in your further requests. The DAD name can
be found as well using the second hole described below (be patient).

</on_problems>

Next attempt ("exit" instead of "blahblah"):

ORA-06550: line 5, column 2:
PLS-00376: illegal EXIT statement; it must appear inside a loop
ORA-06550: line 5, column 2:
PL/SQL: Statement ignored

...interesting, isn't it? Is this software trying to *INTERPRET*
user-supplied data just like any other SQLish query? Aghhhr... After
playing a little bit more, I've found a way to bypass the whitespace
filtering within queries (a single ' ' is rejected, but '\t' is passed, woow):

http://www.<bcc>.co.uk/somedir/select%09*%09from%09(tablename)

ORA-06550: line 5, column 2:
PLS-00428: an INTO clause is expected in this SELECT statement

Isn't that BEAUTIFUL? It is! :> If something is wrong, it will instruct you
on the proper syntax! I've never seen anything like that... erm, no, I am
lying :P But, nevertheless, it looks awesome! No, I won't make another
step, building a working SELECT to browse through databases (I do not want to
be sued by BigCarCompany ;). Of course, SELECT isn't the only
possibility... Script kiddies, please read some book on OAS/SQL query
syntax. Or better, do not try this at all.

Looking for another good example of this problem? Well, vendors should
give the best example: www.oracle.com. PLEASE RECALL THE DISCLAIMER.

----
Risk
----

Well, any attacker can browse through databases, execute any database access
code, etc. If you're a bank or you have any confidential information
within your databases, you *should* be scared. Not to mention write
privileges, which are essential in some systems!

------------------
Vulnerable systems
------------------

I've used Google with a rather simple query to locate a mere subset of
vulnerable installations (well, "subset" means some really poorly
configured sites - this query has been prepared to find known patterns in
OAS error messages; of course, in well-configured systems, a webcrawler
shouldn't index such error messages at all when following existing links):

http://www.google.com/search?q=procedure+dad+environment+%22ora-06550%22+url

Again, please remember about the disclaimer and about legal and ethical
aspects of this case.

The output is pretty interesting. Large Internet / real-world companies, some
other interesting sites... And we are still talking about maybe 5%, the
poorly configured installations. 95% won't produce random error messages
on an indexing attempt... In this case, a web search engine can't replace
by-hand URL modifications to see if an OAS engine is present behind the web
frontend. Oracle solutions are used by banks and other institutions where
such a problem might be really dangerous, so be careful :)

---------------------------------
Now, a "feature" (documented bug)
---------------------------------

There are some even more dangerous problems. For example, there's a
well-documented "backdoor" feature: administrator access to the www->db proxy
without authorization (mentioned in the Oracle documentation, but without any
warning messages like "disable it immediately", and most of the
installations are running with this default - again, www.oracle.com is one
of the best examples ;). Most of the sites mentioned above are vulnerable
(try /pls/admin_/? or /WebDB/admin_/). You have to use passwords for
/WebDB, but you do not need them for /WebDB/admin_/...  Aghrrr... You do not
believe it is documented? See:

http://www.orca.tv/pls/orcai/admin_/help/webdb.htm
http://www.oraclefans.com/oraclefans/forum/web/messages/82.html
http://www.google.com/search?q=admin_+webdb&btnG=Google+Search

You can not only obtain DAD names, but also completely reconfigure the web
engine, change the default page, table names, change passwords, etc.

There were some other exploits on IAS by ADM, IIRC; ask them if you really
want to know.

------------
Conclusions?
------------

No. It is completely secure. Sleep well ;) Or, to be serious, these
problems seem to be really dangerous. Considering there seem to be some
unpublished problems as well, I wouldn't feel good using this software,
but I guess you should ask Oracle representatives; maybe I am completely
wrong, their website is secure and there is no problem.


--
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=


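As an added example for this archive page (not part of lcamtuf's post and not Oracle code), a defender-side check: it scans constructed web-server access-log lines for the three request patterns the post describes against the PL/SQL gateway (an encoded tab in the path, a SQL keyword sitting where a procedure name belongs, and a request to /admin_/), and it flags a response body that is the verbose error page shown above. The gateway prefixes, the keyword list and the log lines are assumptions.

```python
import re
from urllib.parse import unquote

# Gateway prefixes named in the post: /WebDB/ (single DAD) and /pls/<dad>/.
GATEWAY_PREFIXES = ("/pls/", "/WebDB/")
# Keywords the gateway parsed when they were handed to it as a procedure name.
SQL_WORDS = {"select", "exit", "declare", "begin", "insert", "update",
             "delete", "drop", "execute", "grant"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

def classify_path(raw_path, prefixes=GATEWAY_PREFIXES):
    """Indicator names for one request path; empty list means nothing seen."""
    hits = []
    path = raw_path.split("?", 1)[0]
    if not any(path.lower().startswith(p.lower()) for p in prefixes):
        return hits
    decoded = unquote(path)
    if "\t" in decoded:                      # %09: the whitespace bypass
        hits.append("tab_in_path")
    if "/admin_/" in decoded.lower():        # unauthenticated admin gateway
        hits.append("admin_gateway")
    proc = decoded.lower().split("\t")[0].rstrip("/").rsplit("/", 1)[-1]
    if proc in SQL_WORDS:                    # SQL keyword where a procedure goes
        hits.append("sql_keyword_procedure")
    return hits

def scan_access_log(lines):
    """Return (client_ip, path, indicators) for each suspicious gateway hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := classify_path(m.group(2))):
            findings.append((m.group(1), m.group(2), hits))
    return findings

def leaks_gateway_error(body):
    """True if a response body is the verbose WebDb error page from the post:
    an ORA-/PLS- code together with the DAD name or ENVIRONMENT dump."""
    has_code = re.search(r"\b(?:ORA|PLS)-\d{5}\b", body) is not None
    return has_code and ("DAD name:" in body or "ENVIRONMENT:" in body)

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Dec/2000:02:54:10 +0100] "GET /pls/somedad/exit HTTP/1.0" 200 640',
    '203.0.113.5 - - [18/Dec/2000:02:55:02 +0100] "GET /pls/somedad/select%09*%09from%09t HTTP/1.0" 200 701',
    '198.51.100.9 - - [18/Dec/2000:03:01:44 +0100] "GET /WebDB/admin_/ HTTP/1.0" 200 2210',
    '198.51.100.9 - - [18/Dec/2000:03:02:00 +0100] "GET /pls/somedad/realscript?aaaa=bbbb HTTP/1.0" 200 5120',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags the first three lines and leaves the ordinary `realscript?aaaa=bbbb` request alone; `leaks_gateway_error` is meant for checking your own site's responses to malformed requests.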