Oracle Web Listener 4.0.x

[CST () CERBERUS-INFOSEC CO UK (Cerberus Security Team)]

Cerberus Information Security Advisory (CISADV000315)
http://www.cerberus-infosec.co.uk/advisories.shtml

Released: 15th March 2000
Name: Oracle
Affected Systems     : Oracle Web Listener 4.0.x on Windows NT
Issue: Attackers can run arbitrary commands on the web
server

Description
***********
The Cerberus Security Team has discovered a number of issues with Oracle's
Web Listener, part of the Oracle Application Server, that can allow a
remote attacker to run arbitrary commands on the web server

Details
*******
Part of the problem is caused by default settings after OAS has been
installed.
The "ows-bin" virtual directory on an Oracle Web Listener is the equivalent
of the
"cgi-bin" on other web servers and by default this is set to
C:\orant\ows\4.0\bin
- this directory not only contains a number of batch files, DLLs and
executables
but also the binary image file for the Listener itself. Even if this default
setting
has been changed however you may still be at risk if you have batch files in
the
new "ows-bin" directory.

Arbitrary Command Execution
***************************
The Oracle Web Listener will execute batch files as CGI scripts and by
making a
request to a batch file that requires one or more arguments it is possible
to
execute any command the attacker wants by building a special query string.

For example the following will give a directory listing:

http://charon/ows-bin/perlidlc.bat?&dir

It is even possible to use UNC paths so the Listener will connect to the
remote
machine over NBSession, download the executable and then execute it.

By default the Web Listener process runs in security context of SYSTEM  so
any
commands issued by an attacker will run with SYSTEM privileges.

Another problem is that the Listener will expand the "*" character so even
if
the attacker doesn't know the name of a real batch file in the "ows-bin"
they
can request *.bat?&command

Executables
***********
Some of the executables in the default directory allow attackers to kill
services,
return configuration information and cause other undesirable events to
occur.

Solution:
*********
Due to the severity of this problem Cerberus recommends that the following
be actioned
immediately.

If "ows-bin" is the default then using the Oracle Application Server Manager
remove
the ows-bin virtual directory or point it to a more benign directory. If
"ows-bin"
is not the default then verfiy that there are no batch files in this
directory.
A check for this has been added to Cerberus' security scanner, CIS available
from
their website.

About Cerberus Information Security, Ltd
********************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilites leading to the discovery
of  "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 40 to date, making them a clear leader of companies offering
such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd