From xforce@iss.net Thu Nov 11 17:34:38 1999 From: X-Force Resent-From: mea culpa To: alert@iss.net Resent-To: jericho@attrition.org Date: Wed, 10 Nov 1999 15:13:58 -0500 (EST) Subject: ISSalert: ISS Security Advisory: Multiple Root Compromise Vulnerabilities in Oracle Application Server TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ISS Security Advisory November 10, 1999 Multiple Root Compromise Vulnerabilities in Oracle Application Server Synopsis: Internet Security Systems (ISS) X-Force has discovered multiple vulnerabilities in the Oracle Application Server (OAS) that may lead to local super-user access. Attackers may use these vulnerabilities to destroy root owned files as well as gain root access. An account on the target system is required to exploit these vulnerabilities. Affected Versions: ISS X-Force has determined that Oracle Application Server version 4.0 for Solaris is affected by these vulnerabilities. All revisions prior to version 4.0.8 are affected. Description: Server Startup Vulnerabilities: The Oracle Application Server is owned by the user 'oracle' in most configurations. This includes the administrative utilities to start, stop, and manipulate the servers. Unprivileged users may not bind servers to ports below 1024. Oracle has made the 'owslctl' utility root, which allows normal users to start the server on privileged ports. Attackers may take advantage of this design to compromise super-user access. Apache Startup Vulnerabilities: The Oracle Application Server offers web administrators the option to install and configure HTTP listeners. The Oracle Management server supports both Netscape and Apache listeners in addition to those provided by Oracle with the Application Server. An administrator choosing to install an Apache listener must supply a unique name, a path to the server's executable, and a configuration file. Once supplied, a backend setuid root executable attempts to start the Apache server. An attacker with an unprivileged account on the target system may trick 'apchlctl' into executing any arbitrary command as root. The Apache start executable is also unsafe in handling write() calls and certain files created will follow symbolic links. Recommendations: Oracle has supplied ISS X-Force with two potential fixes for the described vulnerabilities. Oracle has informed ISS X-Force that fix 1, which is most secure, will affect OAS failure recovery for Oracle Web Listener processes running on port numbers < 1024. Fix 2, which is less secure, requires that the Oracle account be treated as a trusted account and customers should take all precautions necessary to protect access to it. ISS X-Force recommends that Oracle Application Server administrators carefully evaluate these fixes before they are applied. Oracle customers can find important information on this OAS security issue on Oracle's web-based Metalink system at http://metalink.oracle.com. Customers should reference document number 76484.1 under the advanced search engine available on Metalink. Customers can also find an alert under Oracle Application Server on the Oracle Metalink system. ISS X-Force recommends verifying the existence of the vulnerability through the use of System Scanner. For additional info please visit the following URL: http://www.iss.net/prod/ss.php3 To download the checks for System Scanner Version 3 Solaris Agent go to the following URL: http://www.iss.net/tech/flexchecks/ Credits: These vulnerabilities were primarily researched by Dan Ingevaldson of the ISS X-Force. ISS X-Force would like to thank Oracle Corporation for their response and handling of these vulnerabilities. About ISS ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362. Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBOCnRMjRfJiV99eG9AQHBAAQAu4h6zzPkGddTVs07GGcm7H6RFec9Iikl WomJ0kuFyJhfKWpal/lVFOXBHJ/uWDEa/m/jYL7ewzvOEAwd3jrQsxQuiYXJs7zo e/eRzwFwoHBVInaOHAqt8NpIn9oYWRYZNMLi0lFauDFdMwpHITXI4JtSkKV74RPN cR/Mzi9pbbs= =0aJp -----END PGP SIGNATURE-----