
    [guru] Oracle security bugs


    DATE: Tue, 09 Mar 2010 00:56:23 +0100
    XSS vulnerabilities were found on the OAErrorDetailPage.jsp page of Oracle
    E-Business Suite.
    
    An XSS vulnerability was found in the Oracle Siebel CRM system.
    
    The Oracle Solaris UCODE_GET_VERSION ioctl causes a NULL dereference bug in the kernel.
    
    
    --- Begin Message ---
    Hacktics Research Group Security Advisory
    http://www.hacktics.com/#view=Resources%7CAdvisory
    
    By Gil Cohen, Hacktics.
    9-Feb-2010
    
    ===========
    I. Overview
    ===========
    During a penetration test performed by Hacktics' experts, certain
    vulnerabilities were identified in an Oracle E-Business Suite deployment.
    Further research has identified that a web interface showing user errors is
    vulnerable to reflected cross site scripting attacks.
    
    A friendly formatted version of this advisory is available at:
       http://www.hacktics.com/content/advisories/AdvORA20100209.html
    
    ===============
    II. The Finding
    ===============
    The XSS vulnerability appears in the error details page,
    OAErrorDetailPage.jsp when the server is in diagnostics mode, and requires
    an additional preliminary step to invoke. When an application error occurs,
    the application presents a general error message with a link to the detailed
    error page. The detailed error page is vulnerable to scripting attacks
    embedded in input sent to the page that caused the error. An attacker can
    exploit this by sending users or administrators a malicious link that causes
    an error and contains a malicious script, and urges them to navigate to the
    details page causing the malicious script to be executed. 
    
    Hacktics' research classifies the risk of the vulnerability as Low, due to
    the combination of the non default diagnostic mode, and the complex
    invocation scenario, which reduce the probability of successfully exploiting
    this vulnerability.
    
    ============
    III. Details
    ============
    The XSS vulnerability requires that an error is raised first, through
    OA.jsp. The page that receives the malicious script and raises the error
    resides at the following address:
    
    http://foo.bar:fooport/OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG&homePage=aaaa'a&OAPB=bbbb'b&transactionid=malicious_script
    
    The application then displays a general error message with a link to a more
    detailed error page (OAErrorDetailPage.jsp). When the user navigates to the
    vulnerable error details page, the script executes:
    
    http://foo.bar:fooport/OA_HTML/OAErrorDetailPage.jsp
    
    ===========
    IV. Exploit
    ===========
    The exploit is performed by replacing malicious_script with the relevant
    Javascript payload. 
    
    ===================
    V. Affected Systems
    ===================
    The vulnerability was identified in version 12.1.1.
    
    ==============================
    VI. Vendor's Response/Solution
    ==============================
    Oracle's security alerts group has been notified of this vulnerability in
    early November 2009. 
    The vulnerability has been acknowledged by Oracle, and has already been
    fixed in the Jul-2009 CPU:
     
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
    
    Oracle has also pointed out that this vulnerability is only applicable when
    the system is in diagnostics mode. Customers are recommended to avoid
    running their systems in diagnostics mode while in production.
    
    ===========
    VII. Credit
    ===========
    The vulnerability was discovered by Gil Cohen from Hacktics Ltd.
    
    
    ---
    Ofer Maor
    CTO, Hacktics
    Chairman, OWASP Israel
    
    Web: www.hacktics.com
    
    
    
    
    
    
    
    

    --- End Message ---
    --- Begin Message ---
    =======================================================
    
    Yaniv Miron aka "Lament" Advisory Feb 27, 2010
    
    Oracle Siebel 7.x CRM (7.7, 7.8 tested) Cross Site Scripting Vulnerability
    
    =======================================================
    
    
    =====================
    I. BACKGROUND
    =====================
    
    Siebel Customer Relationship Management (CRM) Applications
    
    The world's most complete customer relationship management (CRM) solution,
    Oracle's Siebel CRM helps organizations differentiate their businesses to
    achieve maximum top- and bottom-line growth. It delivers a combination of
    transactional, analytical, and engagement features to manage all
    customer-facing operations. With solutions tailored to more than 20 industries,
    Siebel CRM delivers:
    
    Comprehensive on premise and on demand CRM solutions.
    Tailored industry solutions.
    Role-based customer intelligence and pre-built integration.
    
    http://www.oracle.com/us/products/applications/siebel/index.htm
    
    
    =====================
    II. DESCRIPTION
    =====================
    
    A malicious attacker may inject scripts into the Oracle Siebel CRM application.
    
    
    =====================
    III. ANALYSIS
    =====================
    
    Exploitation of this vulnerability results in the execution of arbitrary
    code using a malicious link.
    
    
    =====================
    IV. EXPLOIT
    =====================
    
    http://example.com/htim_enu/start.swe/?>'"><script>alert('XSS by Lament')</script>
    
    
    =====================
    V. DISCLOSURE TIMELINE
    =====================
    
    Jan 2009 Vulnerability found
    Jan 2009 Vendor Notification
    Feb 2010 Public Disclosure
    
    
    =====================
    VI. CREDIT
    =====================
    
    Yaniv Miron aka "Lament".
    lament@ilhack.org
    

    --- End Message ---
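The OAErrorDetailPage.jsp reflection in the Hacktics advisory and the start.swe reflection in the Siebel advisory are the same defect: a request value is placed into HTML markup without being encoded. The following is an added example, not code from Oracle, Hacktics or the Siebel advisory. It is a small C model of the two-step flow Hacktics describes: a failing request stores its offending parameter, and the error details page later renders it. The page template, the function names (record_failed_request, render_error_details_vulnerable, render_error_details_hardened) and the payload are constructed for the example; html_escape() is the fix, entity-encoding the value before it is inserted into the element body.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example: a constructed model of a two-step reflected XSS
 * (failing request -> stored input -> error details page). Not Oracle,
 * Hacktics or Siebel code; all names and the page layout are assumptions.
 */

#define OUT_MAX 1024

/* Minimal HTML entity encoder for text placed inside an element body.
 * Returns bytes written (excluding the NUL), or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t out_len)
{
    size_t used = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *rep;
        char one[2] = { (char)*p, 0 };
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > out_len)
            return -1;
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Session state stand-in: the parameter value that triggered the last error. */
static char last_error_input[OUT_MAX];

/* Step 1: model of the first page storing the value it could not process. */
void record_failed_request(const char *transactionid)
{
    snprintf(last_error_input, sizeof last_error_input, "%s", transactionid);
}

/* Step 2a: vulnerable details page, echoes the stored input raw. */
int render_error_details_vulnerable(char *out, size_t out_len)
{
    return snprintf(out, out_len,
        "<html><body><h1>Error details</h1><p>Bad transaction id: %s</p></body></html>",
        last_error_input);
}

/* Step 2b: hardened details page, encodes before inserting into the markup. */
int render_error_details_hardened(char *out, size_t out_len)
{
    char safe[OUT_MAX * 6];   /* worst case: every byte becomes a 6-byte entity */
    if (html_escape(last_error_input, safe, sizeof safe) < 0)
        return -1;
    return snprintf(out, out_len,
        "<html><body><h1>Error details</h1><p>Bad transaction id: %s</p></body></html>",
        safe);
}

/* Simple check used to compare the two renderings: is there a live <script tag? */
int contains_script_tag(const char *html)
{
    return strstr(html, "<script") != NULL;
}

int main(void)
{
    char page[OUT_MAX * 8];
    /* Constructed payload of the shape shown in the Siebel advisory. */
    record_failed_request("'\"><script>alert(1)</script>");
    render_error_details_vulnerable(page, sizeof page);
    printf("vulnerable: %s\n", page);
    render_error_details_hardened(page, sizeof page);
    printf("hardened:   %s\n", page);
    return 0;
}
```

The encoder handles the five characters that matter inside an element body; a value placed into an attribute, a URL or a script block needs the context-specific encoder for that position, which this example does not cover.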
    --- Begin Message ---
    Please find attached a detailed advisory of the vulnerability.
    
    Alternatively, the advisory can also be found at:
    http://www.trapkit.de/advisories/TKADV2010-001.txt
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Advisory:               Oracle Solaris UCODE_GET_VERSION IOCTL Kernel NULL 
                            Pointer Dereference 
    Advisory ID:            TKADV2010-001
    Revision:               1.0       
    Release Date:           2010/01/31
    Last Modified:          2010/01/31
    Date Reported:          2009/11/29
    Author:                 Tobias Klein (tk at trapkit.de)
    Affected Software:      Solaris 10 with 127128-11 and w/o 143913-01 (x86)
                            OpenSolaris build snv_69 through snv_133 (x86)
    Remotely Exploitable:   No
    Locally Exploitable:    Yes 
    Vendor URL:             http://www.oracle.com, http://www.sun.com/ 
    Vendor Status:          Vendor has released an updated version
    Patch development time: 61 days
    CVE-ID:                 CVE-2010-0453
    
    
    ======================
    Vulnerability Details: 
    ======================
    
    The kernel of Oracle Solaris contains a vulnerability in the code that 
    handles UCODE_GET_VERSION IOCTL requests. 
    
    The vulnerability allows a local unprivileged user the ability to panic a 
    Solaris x86 Intel-based system (32-bit/64-bit mode) due to a NULL pointer 
    dereference. The ability to panic a system is a type of Denial of Service 
    (DoS).
    
    The issue can be triggered by sending a specially crafted IOCTL request to 
    the kernel.
    
    
    ==================
    Technical Details:
    ==================
    
    The following source code references are based on the kernel source code 
    available from http://www.opensolaris.org.
    
    intel/io/ucode_drv.c:
    
    [..]
    static int
    ucode_ioctl(dev_t dev, int cmd, intptr_t arg, int mode, cred_t *cr, int 
                *rval)
    {
    ..
       switch (cmd) {
       case UCODE_GET_VERSION: {
         int size;
         uint32_t *revp, *rev_array;
         ucode_errno_t rc = EM_OK;
    
         STRUCT_DECL(ucode_get_rev_struct, h);
         STRUCT_INIT(h, mode);
     [1] if (ddi_copyin((void *)arg,
             STRUCT_BUF(h), STRUCT_SIZE(h), mode))
           return (EFAULT);
    
     [2] if ((size = STRUCT_FGET(h, ugv_size)) > NCPU)
           return (EINVAL);
    
         if ((rev_array = STRUCT_FGETP(h, ugv_rev)) == NULL)
           return (EINVAL);
    
         size *= sizeof (uint32_t);
    
     [3] revp = kmem_zalloc(size, KM_SLEEP);
         if (ddi_copyin((void *)rev_array, revp, size, mode) != 0) {
           kmem_free(revp, size);
           return (EINVAL);
         }
    
     [4] rc = ucode_get_rev(revp);
    [..]
    
    [1] The struct 'h' is filled with user controlled IOCTL input data.
    [2] The value of 'size' derives from user controlled data.
    [3] If 'size' has a value of 0, kmem_zalloc() will return NULL. This 
        results in revp pointing to NULL. 
    [4] 'revp' is used as a function parameter for ucode_get_rev().
    
    
    i86pc/os/microcode.c:
    
    [..]
    /*
     * Returns microcode revision from the machcpu structure.
     */
    ucode_errno_t
    ucode_get_rev(uint32_t *revp)
    {
       int i;
    
       ASSERT(ucode);
       ASSERT(revp);
    
       if (!ucode->capable(CPU))
         return (EM_NOTSUP);
    
       mutex_enter(&cpu_lock);
       for (i = 0; i < max_ncpus; i++) {
         cpu_t *cpu;
    
         if ((cpu = cpu_get(i)) == NULL)
           continue;
    
     [5] revp[i] = cpu->cpu_m.mcpu_ucode_info->cui_rev;
    [..]
    
    [5] This assignment leads to a NULL pointer dereference as 'revp == NULL'.
    
    
    ========= 
    Solution: 
    =========
    
    This issue is addressed in the following patch releases from Oracle/Sun:
        
    x86 Platform
        - Solaris 10 with patch 143913-01 or later
        - OpenSolaris based upon builds snv_134 or later
    
    
    ====================
    Disclosure Timeline: 
    ====================
    
      2009/11/29 - Initial vendor notification
      2009/11/30 - Oracle/Sun confirms the vulnerability
      2010/01/08 - Status update by Oracle/Sun
      2010/01/25 - Status update by Oracle/Sun
      2010/01/29 - Patch 143913-01 released for Solaris 10
      2010/01/31 - Release date of this security advisory
    
    
    ======== 
    Credits: 
    ========
    
      Vulnerability found and advisory written by Tobias Klein.
    
    
    =========== 
    References: 
    ===========
    
    [REF1] http://sunsolve.sun.com/search/document.do?assetkey=1-21-143913-01-1
    [REF2] http://www.trapkit.de/advisories/TKADV2010-001.txt
    
    
    ======== 
    Changes: 
    ========
    
      Revision 0.1 - Initial draft release to the vendor
      Revision 1.0 - Public release
    
    
    ===========
    Disclaimer:
    ===========
    
    The information within this advisory may change without notice. Use
    of this information constitutes acceptance for use in an AS IS
    condition. There are no warranties, implied or express, with regard
    to this information. In no event shall the author be liable for any
    direct or indirect damages whatsoever arising out of or in connection
    with the use or spread of this information. Any use of this
    information is at the user's own risk.
    
    
    ================== 
    PGP Signature Key: 
    ==================
    
      http://www.trapkit.de/advisories/tk-advisories-signature-key.asc
    
      
    Copyright 2010 Tobias Klein. All rights reserved.
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP
    Charset: utf-8
    
    wj8DBQFLZVx1kXxgcAIbhEERAk3LAJ44NNQKGUbHu1AIHcZWpysW0cQ7HQCg9DcX
    7rqrkip5hSx+zx3PfcqzOOk=
    =CWdo
    -----END PGP SIGNATURE-----

    --- End Message ---
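As an added example for the Solaris advisory above (not Solaris source and not the vendor's patch, which the advisory does not quote), the following C program models in user space the handler path the advisory annotates with [1] to [5]. model_kmem_zalloc() returns NULL for a zero-byte request, as the advisory states kmem_zalloc() does; model_ucode_get_rev() reports the point where the real function would write through revp; get_version() runs either the original checks (upper bound on size only) or those checks plus the missing lower bound that rejects a zero or negative size. NCPU, the struct layout, the EM_* values and the revision numbers are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example: constructed user-space model of the UCODE_GET_VERSION
 * handler described in the advisory. Not Solaris source. NCPU, the struct,
 * the model_* helpers and the zero-size check are stand-ins/assumptions.
 */
#define NCPU 8
#define EM_OK 0
#define NULL_DEREF_REACHED (-1)   /* sentinel: the real kernel would panic here */

typedef struct {
    int       ugv_size;   /* entries the caller wants, taken from user data */
    uint32_t *ugv_rev;    /* caller's buffer for one revision per CPU */
} ucode_get_rev_struct;

/* Model of kmem_zalloc(): per the advisory, a 0-byte request yields NULL. */
static void *model_kmem_zalloc(size_t n)
{
    return n == 0 ? NULL : calloc(1, n);
}

/* Model of ucode_get_rev(): writes one fake revision per CPU slot.
 * The real function only ASSERTs revp (a debug-build check) before writing
 * revp[i]; that write is the NULL dereference the advisory marks as [5]. */
static int model_ucode_get_rev(uint32_t *revp, int nslots)
{
    if (revp == NULL)
        return NULL_DEREF_REACHED;
    for (int i = 0; i < nslots; i++)
        revp[i] = 0x100u + (uint32_t)i;   /* constructed revision values */
    return EM_OK;
}

/* Shared handler. reject_zero == 0 reproduces the checks shown in the
 * advisory; reject_zero != 0 adds the missing lower bound on size. */
static int get_version(const ucode_get_rev_struct *h, int reject_zero)
{
    int size = h->ugv_size;               /* [1]/[2]: user controlled */
    if (size > NCPU)                      /* [2]: upper bound only */
        return EINVAL;
    if (reject_zero && size <= 0)         /* added: reject empty/negative request */
        return EINVAL;
    if (h->ugv_rev == NULL)
        return EINVAL;

    size_t bytes = (size_t)size * sizeof(uint32_t);
    uint32_t *revp = model_kmem_zalloc(bytes);   /* [3]: NULL when bytes == 0 */

    int rc = model_ucode_get_rev(revp, size);    /* [4]/[5] */
    if (rc == EM_OK) {
        for (int i = 0; i < size; i++)           /* copyout stand-in */
            h->ugv_rev[i] = revp[i];
    }
    free(revp);                                   /* free(NULL) is a no-op */
    return rc;
}

/* Checks as shown in the advisory's excerpt. */
int vulnerable_get_version(const ucode_get_rev_struct *h) { return get_version(h, 0); }

/* Same path with the lower bound added. */
int hardened_get_version(const ucode_get_rev_struct *h) { return get_version(h, 1); }

int main(void)
{
    uint32_t revs[NCPU];
    ucode_get_rev_struct req = { 0, revs };
    int rc = vulnerable_get_version(&req);
    printf("size 0, original checks: rc=%d%s\n", rc,
           rc == NULL_DEREF_REACHED ? " (NULL revp reached ucode_get_rev)" : "");
    printf("size 0, hardened:        rc=%d (EINVAL=%d)\n", hardened_get_version(&req), EINVAL);
    req.ugv_size = 3;
    rc = hardened_get_version(&req);
    printf("size 3, hardened:        rc=%d rev[0]=0x%x\n", rc, revs[0]);
    return 0;
}
```

The point the model makes is that a bound check in one direction is not a validation: ugv_size is rejected when too large but accepted at zero, and the allocator's behaviour on a zero-length request then becomes the security boundary. Rejecting size <= 0 before the allocation removes the dependency on that behaviour.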
