Bugtraq mailing list archives
Oracle Web Listener 4.0.x
From: CST () CERBERUS-INFOSEC CO UK (Cerberus Security Team)
Date: Wed, 15 Mar 2000 00:21:04 -0000
Cerberus Information Security Advisory (CISADV000315) http://www.cerberus-infosec.co.uk/advisories.shtml Released: 15th March 2000 Name: Oracle Affected Systems : Oracle Web Listener 4.0.x on Windows NT Issue: Attackers can run arbitrary commands on the web server Description *********** The Cerberus Security Team has discovered a number of issues with Oracle's Web Listener, part of the Oracle Application Server, that can allow a remote attacker to run arbitrary commands on the web server Details ******* Part of the problem is caused by default settings after OAS has been installed. The "ows-bin" virtual directory on an Oracle Web Listener is the equivalent of the "cgi-bin" on other web servers and by default this is set to C:\orant\ows\4.0\bin - this directory not only contains a number of batch files, DLLs and executables but also the binary image file for the Listener itself. Even if this default setting has been changed however you may still be at risk if you have batch files in the new "ows-bin" directory. Arbitrary Command Execution *************************** The Oracle Web Listener will execute batch files as CGI scripts and by making a request to a batch file that requires one or more arguments it is possible to execute any command the attacker wants by building a special query string. For example the following will give a directory listing: http://charon/ows-bin/perlidlc.bat?&dir It is even possible to use UNC paths so the Listener will connect to the remote machine over NBSession, download the executable and then execute it. By default the Web Listener process runs in security context of SYSTEM so any commands issued by an attacker will run with SYSTEM privileges. Another problem is that the Listener will expand the "*" character so even if the attacker doesn't know the name of a real batch file in the "ows-bin" they can request *.bat?&command Executables *********** Some of the executables in the default directory allow attackers to kill services, return configuration information and cause other undesirable events to occur. Solution: ********* Due to the severity of this problem Cerberus recommends that the following be actioned immediately. If "ows-bin" is the default then using the Oracle Application Server Manager remove the ows-bin virtual directory or point it to a more benign directory. If "ows-bin" is not the default then verfiy that there are no batch files in this directory. A check for this has been added to Cerberus' security scanner, CIS available from their website. About Cerberus Information Security, Ltd ******************************** Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.co.uk To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilites leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 40 to date, making them a clear leader of companies offering such security services. Founded in late 1999, by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serves customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 181 661 7405 Permission is hereby granted to copy or redistribute this advisory but only in its entirety. Copyright (C) 2000 by Cerberus Information Security, Ltd
Current thread:
- Re: Our old friend Firewall-1, (continued)
- Re: Our old friend Firewall-1 Chris Brenton (Mar 15)
- TESO & C-Skills development advisory -- imwheel Sebastian (Mar 16)
- Re: TESO & C-Skills development advisory -- imwheel WHiTe VaMPiRe (Mar 19)
- Re: TESO advisory -- wmcdplay Kris Kennaway (Mar 11)
- CSS Exploits + RDS (IE5) Shane Hird (Mar 12)
- Advisory Update: ServerIron TCP/IP predictability fixed Andrew van der Stock (Mar 12)
- Exploit for Mandrake 6.1 (PAM/userhelper bug) Paulo Ribeiro (Mar 14)
- Re: Exploit for Mandrake 6.1 (PAM/userhelper bug) Darron Froese (Mar 17)
- Re: Exploit for Mandrake 6.1 (PAM/userhelper bug) Matt Davis (Mar 17)
- Re: Exploit for Mandrake 6.1 (PAM/userhelper bug) Jeremy Gault (Mar 21)
- Oracle Web Listener 4.0.x Cerberus Security Team (Mar 14)
- Re: Advisory Update: ServerIron TCP/IP predictability fixed H D Moore (Mar 14)
- Re: Advisory Update: ServerIron TCP/IP predictability fixed Max Vision (Mar 16)
- FreeBSD Security Advisory: FreeBSD-SA-00:07.mh [REVISED] FreeBSD Security Officer (Mar 19)
- Bypassing IP filters in Bordermanager 3.5 Roy Sigurd Karlsbakk (Mar 15)
- Local / Remote DoS Attack in MERCUR WebView WebMail-Client 1.0 for Windows 98/NT Vulnerability Ussr Labs (Mar 15)
- Certificate Validation Error in Netscape Browsers... Dennis W. Mattison (Little Wolf) (Mar 15)
- TESO & C-Skills development advisory -- kreatecd Sebastian (Mar 16)
- Trend Micro release patch for "OfficeScan DoS & Message Replay" V ulnerabilies Richard Sheng (Mar 16)
- Exploit for Mandrake 6.1 (PAM/userhelper bug) Paulo Ribeiro (Mar 14)
- Re: TESO advisory -- wmcdplay Wichert Akkerman (Mar 13)