COMMAND

    Oracle WebDb

SYSTEMS AFFECTED

    Oracle

PROBLEM

    Michal Zalewski found the following.  The vulnerable item has been
    identified as the "Oracle WebDb" PL/SQL proxy (?), which is apparently
    used as part of Oracle Internet Application Server (IAS) installations.
    IAS is the leading dynamic-content, database-connectivity engine in
    our small, commercial WWW world.  The author's knowledge of this product
    is somewhat limited, and he is not really interested in tracing where
    and when this component is used in commercial solutions - it seems to
    be present in numerous installations around the globe - and that is
    enough to report this problem here.

    First of all, Michal located some website running the WebDb engine.
    He will use the (purely theoretical) example of www.<carcompany>.co.uk
    in his demonstration.  Any coincidence is purely accidental.

    Our favourite game - sending stupid (HTTP) queries to the "dynamic"
    part of their webserver (actually, this is a gate to the IAS
    subsystem, in this case in /somedir; you should be redirected there
    almost immediately - he used

        http://www.<cc>.co.uk/somedir/blahblah)

    causes a WebDb error message, which looks this way:

        18/Dec/2000:02:53:51

        ORA-06550: line 5, column 2:
        PLS-00201: identifier 'BLAHBLAH' must be declared
        ORA-06550: line 5, column 2:
        PL/SQL: Statement ignored

          DAD name: something
          PROCEDURE  : BLAHBLAH
          URL        : http://www.<cc>.co.uk:80/somedir/blahblah?
          PARAMETERS :
          ===========

          ENVIRONMENT:
          ============
            SERVER_PORT=80
            SERVER_SOFTWARE=Oracle WebDb Listener 2.1
            /.../
            HTTP_USER_AGENT=Mozilla/4.61 [en] (X11; I; Linux 2.2.12-20 i686; Nav)
            /.../

    Got a "404 Not found" error?  No reason to panic.  First of all,
    check whether it really is IAS.  There are two general cases - IAS
    installations where only a single configuration is possible, and
    installations where multiple DADs may be declared (in the first case
    you will usually find a www.site.com/WebDB directory on the server;
    in the second case there should be a /pls directory).  In both cases
    you will sometimes have to determine the real DAD directory by sending
    bad parameters to the dynamic contents, like

        http://www.<cc>.co.uk/somedir/realscript?aaaa=bbbb

    The error message will show you the correct path (use something that
    exists as 'realscript'):

        ORA-06550: line 7, column 2:
        PLS-00306: wrong number or types of arguments in call to 'REALSCRIPT'
        /.../
        VARIABLES IN FORM NOT IN PROCEDURE: AAAA

          DAD name: somedad
          /.../
            SCRIPT_PREFIX=/pls

    Then you have to use /pls/somedad/ in your further requests.  The DAD
    name can also be found using the second hole described below (be
    patient).

    Next attempt ("exit" instead of "blahblah"):

        ORA-06550: line 5, column 2:
        PLS-00376: illegal EXIT statement; it must appear inside a loop
        ORA-06550: line 5, column 2:
        PL/SQL: Statement ignored

    ...interesting, isn't it?  Is this software trying to *INTERPRET*
    user-supplied data just like any other SQLish query?  Aghhhr...
    After playing a little bit more, Michal found a way to bypass the
    whitespace filtering within queries (a single ' ' is rejected, but
    '\t' is passed, woow):

        http://www.<cc>.co.uk/somedir/select%09*%09from%09(tablename)

        ORA-06550: line 5, column 2:
        PLS-00428: an INTO clause is expected in this SELECT statement

    Isn't that BEAUTIFUL?  It is!  If something is wrong, it will instruct
    you on the proper syntax!  We never saw anything like that.  No, we
    won't make another step and build a working SELECT to browse through
    databases (we do not want to be sued by BigCarCompany).  Of course,
    SELECT isn't the only possibility...  Script kiddies, please read some
    book on OAS/SQL query syntax.  Or better, do not try this at all.

    Well, any attacker can browse through databases, execute any database
    access code etc.  If you are a bank or you keep any confidential
    information within your databases, you *should* be scared.  Not to
    mention write privileges, which are essential in some systems!

    There are some even more dangerous problems.  For example, there is a
    well-documented "backdoor" feature: administrator access to the
    www->db proxy without authorization (mentioned in the Oracle
    documentation, but without any warning messages like "disable it
    immediately", and most installations are running with this default -
    again, www.oracle.com is one of the best examples).  Most of the sites
    are vulnerable (try /pls/admin_/? or /WebDB/admin_/).  You have to use
    passwords for /WebDB, but you do not need them for /WebDB/admin_/...
    Aghrrr...  You do not believe it is documented?  See:

        http://www.orca.tv/pls/orcai/admin_/help/webdb.htm
        http://www.oraclefans.com/oraclefans/forum/web/messages/82.html
        http://www.google.com/search?q=admin_+webdb&btnG=Google+Search

    You can not only obtain DAD names, but completely reconfigure the web
    engine, change the default page and table names, change passwords etc.

    There were some other exploits on IAS by ADM, IIRC; ask them if you
    really want to know.

SOLUTION

    Oracle has released a patch for Oracle Internet Application Server
    which introduces a new configuration parameter in mod_plsql called
    exclusion_list.  This parameter can be used to disallow URLs  with
    specific formats  from being  passed to  mod_plsql; by  default it
    excludes URLs with special characters such as space, tab, newline,
    carriage return,  single quote,  and backslash.    This  patch  is
    available  (patch  #1554571)  on  Oracle's  Support  Services site
    (http://metalink.oracle.com/);  it  may  be  found by searching on
    patches  for   Oracle  Portal   or  Oracle9i   Application  Server
    Enterprise Edition.
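    As an added illustration (not part of the original advisory and not
    Oracle's code), the following Python scans web-server access-log lines
    for the two patterns the advisory describes: gateway procedure names
    carrying any of the characters the patched exclusion_list refuses by
    default, and requests reaching the admin_ path.  The "somedir" prefix
    and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Characters the patched mod_plsql exclusion_list refuses by default.
EXCLUDED_CHARS = frozenset(" \t\n\r'\\")  # space, tab, LF, CR, quote, backslash
# /WebDB and /pls are the two layouts named in the advisory; "somedir" is an assumed alias.
GATEWAY_PREFIXES = ("WebDB", "pls", "somedir")
# Request field of a Common Log Format line: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')

def gateway_segments(target):
    """Decoded path segments after the gateway prefix, or None if not a gateway URL."""
    path = target.split("?", 1)[0]          # only the path part names DAD/procedure
    segments = [unquote(s) for s in path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg in GATEWAY_PREFIXES:
            return segments[i + 1:]
    return None

def classify_request(target):
    """Return finding tags for one request target (empty list if benign)."""
    segments = gateway_segments(target)
    if segments is None:
        return []
    findings = []
    # A DAD or procedure name with whitespace, a quote or a backslash is what
    # exclusion_list rejects before the name reaches the PL/SQL engine.
    if any(EXCLUDED_CHARS & set(seg) for seg in segments):
        findings.append("excluded_char_in_procedure_name")
    # The admin_ path should not be reachable from outside at all.
    if "admin_" in segments:
        findings.append("admin_path_access")
    return findings

def scan_log(lines):
    """Return [(line_number, findings)] for every log line that trips a check."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        findings = classify_request(m.group("target")) if m else []
        if findings:
            hits.append((n, findings))
    return hits

# Constructed sample access-log lines (not taken from the original advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Dec/2000:02:53:51 +0000] "GET /pls/somedad/realscript?aaaa=bbbb HTTP/1.0" 200 512',
    '10.0.0.5 - - [18/Dec/2000:02:54:10 +0000] "GET /pls/somedad/foo%09bar HTTP/1.0" 200 1320',
    '10.0.0.5 - - [18/Dec/2000:02:55:02 +0000] "GET /WebDB/admin_/ HTTP/1.0" 200 4096',
    '10.0.0.7 - - [18/Dec/2000:02:55:30 +0000] "GET /images/logo.gif HTTP/1.0" 200 2048',
]
```

    Running scan_log(SAMPLE_LOG) flags lines 2 and 3 only; a legitimate
    procedure call with a bad query parameter (line 1) is left alone.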

    Oracle  recommends  that  this   patch  be  applied  to   Internet
    Application Server version  1.0.2.0.  Internet  Application Server
    version 1.0.2.1,  and future  versions, are  scheduled to  include
    the patch.

    Note also that the Apache listener in Oracle Internet  Application
    Server already allows  customers to define  "inclusion-only" rules
    in  the  plsql.conf  configuration  file.   This  can  be  used to
    prevent outside user access  to any PL/SQL procedure  except those
    for  which   outside  user   access  is   explicitly  granted   in
    plsql.conf.  These rules are case sensitive.