Red-Database-Security GmbH is specialized in Oracle Security

Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published AlertsRSS Published Alerts
Upcoming AlertsRSS Published Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
Run any OS Command via unauthorized Oracle Forms

Name Run any OS Command via unauthorized Oracle Forms
Severity High Risk
Category OS command execution
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust (ak at red-database-security.com)
Date 25 August 2005 (V 1.02)
Cert VU# 894813
CVE CAN-2005-2372
Inital bug report
842 days ago


Details
Oracle Forms Services, a component of the Oracle Application Server, is Oracle's long-established technology to design and build enterprise applications. Oracle itself is using Oracle Forms for the E-Business Suite. Many large customers are using Oracle Forms for their enterprise applications.

Oracle Forms Services starts forms executables (*.fmx) from any directory and any user on the application server. These forms are executed as user Oracle or System (Windows). An attacker which is able to upload a specially crafted forms executable to the application server is able to run any OS command and can overtake the application server. The upload could be done via Webdav (Part of the Oracle Application Server), SMB, Webutil, SAMBA, NFS, FTP, ...

By using the form or module parameter with an absolute path it is possible to execute forms executables from ANY directory and ANY user.


Affected Products
Internet Application Server
Oracle Application Server
Oracle Developer Suite

Patch Information
This bug is NOT FIXED with Critical Patch Update October 2005 (CPU October 2005).
It seems that Oracle is NOT INTERESTED to fix this issue and provide patches for this issue.
If you think you need a patch to protect your Oracle Application Server you should contact Oracle.


Testcase
1. Create or modify a simple forms module and add the following command to the
"WHEN_NEW_FORM_INSTANCE"-Trigger
Host('ls > forms_is_unsecure.txt' , NO_SCREEN);

2. Generate the forms executable (e.g. hacker.fmx) for the destination platform (e.g. Linux, Solaris, Windows, ...)

3. Copy the forms executable hacker.fmx to a directory on the Oracle Application Server
(e.g. via SMB, file upload, Webdav, Samba, NFS, Webutil, FTP, ...)

4. Run the form "hacker.fmx" as user Oracle and specify an absolute path for the forms executable
http://myserver.com:7779/forms90/f90servlet?form=/public/johndoe/hacker.fmx
or
http://myserver.com:7779/forms90/f90servlet?module=/tmp/hacker.fmx

5. The host command is executed as user Oracle (Unix) or user SYTEM (Windows).


Workaround for Oracle Forms 10g
Use the parameter restrictedURL in the configuration file formsweb.cfg. The parameter restrictedURL is a new feature in Forms 10g and
restricts the end user (or hacker) from overriding all the parameters listed in the restrictedURLparams.

Keep in mind that it is important to block the form and the module parameter.

[myFormsApp1]
form=....
restrictedURLparams=form,module


Workaround for Oracle Forms 6i/9i or 10g
Do not allow users to upload content to the Application Server (e.g. via SMB, Webdav, SAMBA, FTP, ...)

or

Use URLRewrite to block potential dangerous URLs with module or form parameter and absolute or relative paths
Block the following strings: "form=..", "module=..", "form=/", "module=/" , "form=c:\", "module=c:\", "form=d:\" ...

If you need different locations for your forms modules you could specify these locations in the FORMS90_PATH / FORMS60_PATH.


History
24-sep-2003 Oracle secalert was informed
25-sep-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability will publish after CPU July 2005
Red-Database-Security offered Oracle more time if it is not possible to provide a fix ==> NO FEEDBACK.
18-apr-2005 Oracle Forms Product Management contacted.
20-apr-2005 Email from Product Management that customers should migrate to Forms 10g. No patches for Forms 6i or 9i.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
19-jul-2005 Red-Database-Security published this advisory
21-jul-2005 Cert VU# and affected products added
25-aug-2005 CVE number added
13-jan-2005 days since initial report updated


© 2006 by Red-Database-Security GmbH - last update 13-jan-2006

Oracle Forms

Oracle Forms, a component of the Oracle Developer Suite, is Oracle's long-established technology to design and build enterprise applications quickly and efficiently.

Oracle remains committed to the development of this technology, and to the ongoing release as a component of the Oracle platform. This continuing commitment to Forms technology enables you to leverage your existing investment by easily upgrading and integrating existing Oracle Forms applications to take advantage of web technologies and service oriented architectures (SOA).