Red-Database-Security GmbH is specialized in Oracle SecurityProductsRepscan 2.5 Hedgehog Enterprise Checkpwd (free)
Services
Information
Company |
Run any OS Command via unauthorized Oracle Forms
Details Oracle Forms Services, a component of the Oracle Application Server, is Oracle's long-established technology to design and build enterprise applications. Oracle itself is using Oracle Forms for the E-Business Suite. Many large customers are using Oracle Forms for their enterprise applications. Oracle Forms Services starts forms executables (*.fmx) from any directory and any user on the application server. These forms are executed as user Oracle or System (Windows). An attacker which is able to upload a specially crafted forms executable to the application server is able to run any OS command and can overtake the application server. The upload could be done via Webdav (Part of the Oracle Application Server), SMB, Webutil, SAMBA, NFS, FTP, ... By using the form or module parameter with an absolute path it is possible to execute forms executables from ANY directory and ANY user. Affected Products Internet Application Server Oracle Application Server Oracle Developer Suite Patch Information This bug is NOT FIXED with Critical Patch Update October 2005 (CPU October 2005). It seems that Oracle is NOT INTERESTED to fix this issue and provide patches for this issue. If you think you need a patch to protect your Oracle Application Server you should contact Oracle. Testcase 1. Create or modify a simple forms module and add the following command to the "WHEN_NEW_FORM_INSTANCE"-Trigger Host('ls > forms_is_unsecure.txt' , NO_SCREEN); 2. Generate the forms executable (e.g. hacker.fmx) for the destination platform (e.g. Linux, Solaris, Windows, ...) 3. Copy the forms executable hacker.fmx to a directory on the Oracle Application Server (e.g. via SMB, file upload, Webdav, Samba, NFS, Webutil, FTP, ...) 4. Run the form "hacker.fmx" as user Oracle and specify an absolute path for the forms executable http://myserver.com:7779/forms90/f90servlet?form=/public/johndoe/hacker.fmx or http://myserver.com:7779/forms90/f90servlet?module=/tmp/hacker.fmx 5. The host command is executed as user Oracle (Unix) or user SYTEM (Windows). Workaround for Oracle Forms 10g Use the parameter restrictedURL in the configuration file formsweb.cfg. The parameter restrictedURL is a new feature in Forms 10g and restricts the end user (or hacker) from overriding all the parameters listed in the restrictedURLparams. Keep in mind that it is important to block the form and the module parameter. [myFormsApp1] form=.... restrictedURLparams=form,module Workaround for Oracle Forms 6i/9i or 10g Do not allow users to upload content to the Application Server (e.g. via SMB, Webdav, SAMBA, FTP, ...) or Use URLRewrite to block potential dangerous URLs with module or form parameter and absolute or relative paths Block the following strings: "form=..", "module=..", "form=/", "module=/" , "form=c:\", "module=c:\", "form=d:\" ... If you need different locations for your forms modules you could specify these locations in the FORMS90_PATH / FORMS60_PATH. History 24-sep-2003 Oracle secalert was informed 25-sep-2003 Bug confirmed 15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability will publish after CPU July 2005 Red-Database-Security offered Oracle more time if it is not possible to provide a fix ==> NO FEEDBACK. 18-apr-2005 Oracle Forms Product Management contacted. 20-apr-2005 Email from Product Management that customers should migrate to Forms 10g. No patches for Forms 6i or 9i. 12-jul-2005 Oracle published CPU July 2005 without fixing this issue 19-jul-2005 Red-Database-Security published this advisory 21-jul-2005 Cert VU# and affected products added 25-aug-2005 CVE number added 13-jan-2005 days since initial report updated © 2006 by Red-Database-Security GmbH - last update 13-jan-2006 |
Oracle Forms |