Oracle Secure Backup uname Vulnerability
03/26/2020 
1040 
9784
DESCRIPTION:
Oracle Secure Backup uname Vulnerability
RESOLUTION:
Oracle Secure Backup uname Vulnerability (Jan 23, 2009)
The Oracle Secure Backup product is a centralized tape backup management solution. The server acts as a management host for network connected storage devices as well as multi-platform distributed hosts. Communication between the server and hosts is SSL encrypted. The server can be administered remotely through a web interface. The interface requires the administrator to login before any administrative tasks are performed. The login procedure is handled by the CGI script login.php. A normal request to the login.php script may look as follows:
GET /login.php?attempt=1"&uname=admin&passwd=test HTTP/1.1
The uname and passwd variable values are passed on to verification functions contained in another script, common.php, on the backend. These functions eventually call a shell utility on the server host using one of the supplied CGI values as arguments to the utility. Specifically, the following php command is generated and executed:
$rbtool_auth --gui -u $username lsuser -s $username
A command injection vulnerability exists in the aforementioned scripts. The flaw exists due to insufficient sanitization of user input before it is used in command line arguments to the shell utility. The value supplied in the CGI variable uname is not stripped of meta characters that may affect the execution of the shell utility. Meta characters, such as '&' and '|' can be used to inject unrelated and possibly malicious commands which get executed in the security context of the Oracle Secure Backup server. The following URL exploitation example is shown to demonstrate the problem:
https://vulnerable.host.com/login.php?attempt=1&uname=%26+calc.exe
The above example will translate to the following shell command:
rbtool_auth --gui -u & calc.exe lsuser -s & calc.exe
The vulnerability may be exploited by unauthenticated users to execute commands on the target host. This flaw allows for fairly complex exploitation attempts as there are many methods of encoding malicious strings in a URI. Successful exploitation may allow an attacker to take complete control over an affected system. SonicWall has released a signature to detect and block specific exploitation attempts targeting this vulnerability. The following IPS signature has been released:
- 5361 - Oracle Secure Backup uname Command Injection PoC
Click
here to read more about this Security alert on SonicWall Security Centre.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
