OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Mark A. Rowe (PenTest) (mark.rowepentest-limited.com)
Date: Mon Jan 07 2002 - 07:50:28 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                               PenTest Limited
                           www.pentest-limited.com
                              Security Advisory

                    Vulnerabilities in Oracle9iAS Web Cache
     
    Author: Mark Rowe <mark.rowepentest-limited.com>
            Pete Finnigan <pete.finniganpentest-limited.com>
    Date: 7th January 2002
    Reference: ptl-2002-01

    ========================================================================
    Overview:

    This advisory describes multiple vulnerabilities in Oracle9iAS Web Cache
    that allow an attacker with local access to overwrite any files
    accessible to "oracle" user, gain "oracle" user privileges and capture
    the password of the Web Cache admin account.

    Description:

    It is possible for non privileged user to start Web Cache by invoking
    $ORACLE_HOME/webcache/bin/webcached and either create or overwrite any
    "oracle" owned file as the result of the setuid bit "oracle". By
    starting $ORACLE_HOME/webcache/bin/webcached with the -A option it is
    also possible to run commands as the "oracle" user. This can be achieved
    by modification of local environment variables and Web Cache
    configuration files.

    As part of the functionality offered by Web Cache it is possible to
    locally and remotely administer the Web Cache application. Normally,
    access is restricted (a username and password are required). The Web
    Cache administrator passwords are stored in $ORACLE_HOME/webcache/webcac
    he.xml. This file is readable by world and contains the "encrypted"
    password for the administrator accounts. The encryption was found to be
    weak. It may also be possible to gain access to the administrator
    accounts if the default passwords have not been changed.

    Test Environment:

    These vulnerabilities have been tested on Oracle 9iAS version 1.0.2.2.1
    installed on Sun Solaris 2.8. Other versions may also be vulnerable.

    Recommendations:

    Apply vendor patches.

    Vendor Status:

    The vendor has issued a bulletin and made patches available on this
    issue. See

    http://otn.oracle.com/deploy/security/pdf/webcache2.pdf

    ========================================================================