SecurityvulnsSECURITYVULNS:DOC:9221Run any OS Command via unauthorized Oracle Forms
Name Run any OS Command via unauthorized Oracle Forms
Systems Affected Oracle (Web) Forms 4.5, 5.0, 6.0, 6i, 9i, 10g
Severity High Risk
Category OS command execution
Vendor URL http://www.oracle.com
Author Alexander Kornbrust (ak at red-database-security.com)
Date 18 July 2005 (V 1.00)
Advisory AKSEC2003-013
Inital bug report 664 days ago
Details
Oracle Forms Services, a component of the Oracle Application Server, is Oracle's long-established technology to design and build enterprise applications. Oracle itself is using Oracle Forms for the E-Business Suite. Many large customers are using Oracle Forms for their enterprise applications.
Oracle Forms Services starts forms executables (*.fmx) from any directory and any user on the application server. These forms are executed as user Oracle or System (Windows). An attacker which is able to upload a specially crafted forms executable to the application server is able to run any OS command and can overtake the application server. The upload could be done via Webdav (Part of the Oracle Application Server), SMB, Webutil, SAMBA, NFS, FTP, …
By using the form or module parameter with an absolute path it is possible to execute forms executables from ANY directory and ANY user.
Testcase:
-
Create or modify a simple forms module and add the following command to the
"WHEN_NEW_FORM_INSTANCE"-Trigger
Host('ls > forms_is_unsecure.txt' , NO_SCREEN); -
Generate the forms executable (e.g. hacker.fmx) for the destination platform (e.g. Linux, Solaris, Windows, …)
-
Copy the forms executable hacker.fmx to a directory on the Oracle Application Server
(e.g. via SMB, file upload, Webdav, Samba, NFS, Webutil, FTP, …) -
Run the form "hacker.fmx" as user Oracle and specify an absolute path for the forms executable
http://myserver.com:7779/forms90/f90servlet?form=/public/johndoe/hacker.fmx
or
http://myserver.com:7779/forms90/f90servlet?module=/tmp/hacker.fmx -
The host command is executed as user Oracle (Unix) or user SYTEM (Windows).
Workaround for Oracle Forms 10g
Use the parameter restrictedURL in the configuration file formsweb.cfg. The parameter restrictedURL is a new feature in Forms 10g and
restricts the end user (or hacker) from overriding all the parameters listed in the restrictedURLparams.
Keep in mind that it is important to block the form and the module parameter.
[myFormsApp1]
form=…
restrictedURLparams=form,module
Workaround for Oracle Forms 6i/9i or 10g
Do not allow users to upload content to the Application Server (e.g. via SMB, Webdav, SAMBA, FTP, …)
or
Use URLRewrite to block potential dangerous URLs with module or form parameter and absolute or relative paths
Block the following strings: "form=…", "module=…", "form=/", "module=/" , "form=c:\", "module=c:\", "form=d:\" …
If you need different locations for your forms modules you could specify these locations in the FORMS90_PATH / FORMS60_PATH.
Patch Information
This bug is NOT FIXED with Critical Patch Update July 2005 (CPU July 2005). It seems that Oracle is NOT INTERESTED to fix this issue and provide patches for this issue.
They recommend to migrate to Oracle Forms 10g because 9i and 10g are binary compatible.
History
24-sep-2003 Oracle secalert was informed
25-sep-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability will publish after CPU July 2005
Red-Database-Security offered Oracle more time if it is not possible to provide a fix ==> NO FEEDBACK.
18-apr-2005 Oracle Forms Product Management contacted.
20-apr-2005 Email from Product Management that customers should migrate to Forms 10g. No patches for Forms 6i or 9i.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
19-jul-2005 Red-Database-Security published this advisory