Advisory 021
Remote Format String Vulnerability within the Oracle OPMN Daemon
Vulnerability Type / Importance: Remote Code Execution / Critical
Problem Discovered: 7 June 2006
Vendor Contacted: 7 June 2006
Advisory Published: 16 January 2007
Abstract:
A vulnerability in the Oracle OPMN daemon could allow a remote attacker to execute arbitrary code.
Description:
A remotely exploitable format string vulnerability in the Oracle OPMN daemon can be exploited to execute arbitrary code with the privilege level of the 'oracle' account.
Technical Details:
The OPMN daemon that listens on TCP port 6003 accepts HTTP POST requests in order to perform functions such as starting or stopping service components, e.g. "HTTP_Server" or "WebCache". However, the logging function within the daemon contains a format string vulnerability: when a log entry is written to the file ons.log, any format specifiers contained in the data received on the socket are interpreted by the logging routine rather than recorded literally.
An example is shown below:
$ telnet 192.168.30.1 6003
Trying 192.168.30.1...
Connected to oracle1 (192.168.30.1).
Escape character is '^]'.
GET /%x%x HTTP/1.0
Connection closed by foreign host.
The above request results in the following log entry on ons.log:
06/06/07 17:44:28 [2] Connection 0,192.168.30.1,6003 message out of sync:
GET /817a3f02 HTTP/1.0
By creating a specially crafted HTTP request and sending it to the OPMN service it is potentially possible to execute arbitrary code on the server, which would run with the privilege level of the 'oracle' account.
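The defect described above is the classic logging mistake of passing untrusted text as the format argument of a printf-style function. The following C program is an added illustration and is not Oracle's OPMN source or any code from this advisory; the function names, the log line layout and the sample request line are assumptions made for the example. It shows the hardened logging pattern (a fixed format with the request passed as data, so "%x%x" is recorded verbatim exactly as the patched behaviour should produce) alongside a small checker that counts format conversion specifiers in untrusted text, which a defender can run over request data or ons.log entries to flag format-string probing.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not OPMN code. Models the logging defect the advisory
 * describes: the request text reaches a printf-style function as the
 * *format* argument instead of as a data argument.
 *
 * Vulnerable pattern (shown for contrast only, never do this):
 *     fprintf(log, "%s [%d] Connection %s message out of sync:\n", ts, lvl, conn);
 *     fprintf(log, request);      // attacker-controlled request is the format string
 */

/* Hardened version: the request is always a data argument to a fixed format.
 * Returns the number of characters written (excluding the NUL) or -1 if the
 * entry did not fit in the buffer. Layout is an assumption for the example. */
int format_log_entry(char *out, size_t outsz, const char *ts, int level,
                     const char *conn, const char *request)
{
    int n = snprintf(out, outsz,
                     "%s [%d] Connection %s message out of sync:\n%s",
                     ts, level, conn, request);
    if (n < 0 || (size_t)n >= outsz)
        return -1;   /* truncated: report rather than silently drop data */
    return n;
}

/* Defensive check: count printf conversion specifiers in untrusted text.
 * "%%" is a literal percent and is not counted. Flags, width, precision and
 * length modifiers are skipped so that "%08x" or "%2$s" count as one each. */
int count_format_specifiers(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent sign */
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q && strchr("-+ #0", *q)) q++;                       /* flags */
        while (isdigit((unsigned char)*q) || *q == '*' || *q == '$') q++; /* width / positional */
        if (*q == '.') {                                              /* precision */
            q++;
            while (isdigit((unsigned char)*q) || *q == '*') q++;
        }
        while (*q && strchr("hlLqjzt", *q)) q++;                      /* length modifiers */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {                 /* conversion */
            count++;
            p = q;
        }
    }
    return count;
}

int main(void)
{
    char buf[256];
    /* Constructed request line, mirroring the probe shown in the advisory. */
    const char *probe = "GET /%x%x HTTP/1.0";

    if (format_log_entry(buf, sizeof buf, "06/06/07 17:44:28", 2,
                         "0,192.168.30.1,6003", probe) < 0)
        return 1;
    printf("%s\n", buf);   /* "%x%x" appears literally in the hardened entry */
    printf("format specifiers in request: %d\n", count_format_specifiers(probe));
    return 0;
}
```

A count of one or more specifiers in a request line that should contain none (HTTP request targets rarely carry a bare "%x" or "%n") is a useful alert condition; a "%" followed by two hex digits is normal URL encoding and is not counted by this checker, since a hex digit is neither a flag nor a conversion character unless it is one of the letters "d", "e", "f", "a" or "c", which is a false-positive case a production rule should handle by URL-decoding first.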
Vendor & Patch Information:
Oracle has developed a patch to address this vulnerability that can be downloaded from the following location:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
Workaround:
IRM is not aware of any workaround that will resolve this vulnerability.
Tested Versions:
The OPMN daemon tested was running on an Oracle Enterprise Grid Console server, version 10.2.0.1.
Credits:
Research & Advisory: G Chawdhary and A Davis
Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.