COMMAND
Oracle WebDb
SYSTEMS AFFECTED
Oracle
PROBLEM
Michal Zalewski found the following. The vulnerable item has been
identified as the "Oracle WebDb" PL/SQL proxy (?), which is
apparently used as a part of Oracle Internet Application Server
(IAS) installations. IAS is the leading dynamic-content /
database connectivity engine in our small, commercial WWW world.
The author's knowledge of this product is somewhat limited, and he is
not really interested in tracing where and when this component is
used in commercial solutions - it seems to be present in numerous
installations around the globe - and that's enough to report this
problem here.
First of all, Michal located some website running the WebDb engine.
He will use the (purely theoretical) example of www.<carcompany>.co.uk
in his demonstration. Any coincidence is purely accidental.
Our favourite game - sending stupid (HTTP) queries to the "dynamic"
part of their webserver (actually, this is a gate to the IAS
subsystem, in this case in /somedir; you should be redirected
there almost immediately - he used
http://www.<cc>.co.uk/somedir/blahblah)
- causes a WebDb error message, which looks this way:
18/Dec/2000:02:53:51
ORA-06550: line 5, column 2:
PLS-00201: identifier 'BLAHBLAH' must be declared
ORA-06550: line 5, column 2:
PL/SQL: Statement ignored
DAD name: something
PROCEDURE : BLAHBLAH
URL : http://www.<cc>.co.uk:80/somedir/blahblah?
PARAMETERS :
===========
ENVIRONMENT:
============
SERVER_PORT=80
SERVER_SOFTWARE=Oracle WebDb Listener 2.1
/.../
HTTP_USER_AGENT=Mozilla/4.61 [en] (X11; I; Linux 2.2.12-20 i686; Nav)
/.../
Got a "404 Not found" error? No reason to panic. First of all,
check whether it's IAS for sure. There are two general cases - IAS
installations where only a single configuration is possible vs. ones
where multiple DADs might be declared (in the first case, you will
usually find a www.site.com/WebDB directory on the server; in the
second case, there should be a /pls directory). In both cases,
sometimes you will have to determine the real DAD directory by
sending bad parameters to dynamic contents, like
http://www.<cc>.co.uk/somedir/realscript?aaaa=bbbb
The error message will show you the correct path (use something
existing as 'realscript'):
ORA-06550: line 7, column 2:
PLS-00306: wrong number or types of arguments in call to 'REALSCRIPT'
/.../
VARIABLES IN FORM NOT IN PROCEDURE: AAAA
DAD name: somedad
/.../
SCRIPT_PREFIX=/pls
Then, you have to use /pls/somedad/ in your further requests. The DAD
name can be found as well using the second hole described below (be
patient).
Next attempt ("exit" instead of "blahblah"):
ORA-06550: line 5, column 2:
PLS-00376: illegal EXIT statement; it must appear inside a loop
ORA-06550: line 5, column 2:
PL/SQL: Statement ignored
...interesting, isn't it? Is this software trying to *INTERPRET*
user-supplied data just like any other SQLish query? Aghhhr...
After playing a little bit more, Michal found a way to bypass the
whitespace restriction within queries (a single ' ' is rejected, but
'\t' is passed, wow):
http://www.<cc>.co.uk/somedir/select%09*%09from%09(tablename)
ORA-06550: line 5, column 2:
PLS-00428: an INTO clause is expected in this SELECT statement
Isn't that BEAUTIFUL? It is! If something is wrong, it will
instruct you on the proper syntax! We never saw anything like that.
No, we won't make another step, building a working SELECT to browse
through databases (we do not want to be sued by BigCarCompany). Of
course, SELECT isn't the only possibility... Script kiddies,
please read some book on OAS/SQL query syntax. Or better, do
not try this at all.
Well, any attacker can browse through databases, execute any database
access code etc. If you're a bank or you're holding any confidential
information within your databases, you *should* be scared. Not to
mention write privileges, which are essential in some systems!
There are some even more dangerous problems. For example, there's a
well-documented "backdoor" feature: administrator access to the
www->db proxy without authorization (mentioned in Oracle
documentation, but without any warning messages like "disable it
immediately", and most of the installations are running with this
default - again, www.oracle.com is one of the best examples).
Most of the sites are vulnerable (try /pls/admin_/? or
/WebDB/admin_/). You have to use passwords for /WebDB, but you do
not need them for /WebDB/admin_/... Aghrrr... You do not believe it
is documented? See:
http://www.orca.tv/pls/orcai/admin_/help/webdb.htm
http://www.oraclefans.com/oraclefans/forum/web/messages/82.html
http://www.google.com/search?q=admin_+webdb&btnG=Google+Search
You can not only obtain DAD names, but completely reconfigure the web
engine, change the default page, table names, change passwords etc.
There were some other exploits on IAS by ADM, IIRC; ask them if
you really want to know.
SOLUTION
Oracle has released a patch for Oracle Internet Application Server
which introduces a new configuration parameter in mod_plsql called
exclusion_list. This parameter can be used to disallow URLs with
specific formats from being passed to mod_plsql; by default it
excludes URLs with special characters such as space, tab, newline,
carriage return, single quote, and backslash. This patch is
available (patch #1554571) on Oracle's Support Services site
(http://metalink.oracle.com/); it may be found by searching on
patches for Oracle Portal or Oracle9i Application Server
Enterprise Edition.
Oracle recommends that this patch be applied to Internet
Application Server version 1.0.2.0. Internet Application Server
version 1.0.2.1, and future versions, are scheduled to include
the patch.
Note also that the Apache listener in Oracle Internet Application
Server already allows customers to define "inclusion-only" rules
in the plsql.conf configuration file. This can be used to
prevent outside user access to any PL/SQL procedure except those
for which outside user access is explicitly granted in
plsql.conf. These rules are case sensitive.
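As an added example (not from this advisory, Oracle, or Michal), here is a log-scanning check in the spirit of the exclusion_list and inclusion-only rules described above: it decodes each requested URL, flags requests to a /pls/<dad>/ or /WebDB/ procedure whose path contains one of the default-excluded characters, flags procedures outside a hypothetical allow-list, and flags hits on the admin_ path. The access log lines and the allowed procedure names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Characters rejected by mod_plsql's default exclusion_list (space, tab,
# newline, carriage return, single quote, backslash), as listed in the advisory.
EXCLUDED_CHARS = set(" \t\n\r'\\")

# Hypothetical inclusion-only list of PL/SQL procedures meant to be reachable;
# kept case sensitive, as the advisory says plsql.conf rules are.
ALLOWED_PROCEDURES = {"realscript", "home"}

# Constructed Apache-style access log lines mimicking the probes described above.
SAMPLE_LOG = """\
10.0.0.1 - - [18/Dec/2000:02:53:51 +0000] "GET /somedir/blahblah HTTP/1.0" 404 512
10.0.0.1 - - [18/Dec/2000:02:54:10 +0000] "GET /pls/somedad/select%09*%09from%09users HTTP/1.0" 500 700
10.0.0.2 - - [18/Dec/2000:02:55:00 +0000] "GET /pls/somedad/realscript?id=1 HTTP/1.0" 200 300
10.0.0.3 - - [18/Dec/2000:02:56:00 +0000] "GET /WebDB/admin_/ HTTP/1.0" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')
# Requests routed to the PL/SQL gateway: /pls/<dad>/<procedure> or /WebDB/<procedure>.
PLSQL_RE = re.compile(r"^/(?:pls/[^/]+|WebDB)/(?P<proc>[^/?]+)", re.IGNORECASE)


def classify_request(url):
    """Return the reasons a gateway request looks suspicious ([] if it is not)."""
    path = unquote(url.split("?", 1)[0])      # decode %09 etc. before inspecting
    m = PLSQL_RE.match(path)
    if not m:
        return []                             # not a mod_plsql URL, nothing to judge
    proc = m.group("proc")
    reasons = []
    if EXCLUDED_CHARS & set(path):
        reasons.append("excluded-char")       # what exclusion_list would reject
    if proc.lower() == "admin_":
        reasons.append("admin-path")          # the unauthenticated admin interface
    elif proc not in ALLOWED_PROCEDURES:
        reasons.append("unlisted-procedure")  # outside the inclusion-only rules
    return reasons


def scan_log(text):
    """Parse log lines and return (ip, url, reasons) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("url"))
        if reasons:
            hits.append((m.group("ip"), m.group("url"), reasons))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the tab-separated SELECT probe and the admin_ request while leaving the legitimate realscript call and the non-gateway 404 alone.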