- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Oracle Secure Backup uname Vulnerability
03/26/2020 
1,040 People found this article helpful
42,445 Views
Description
Oracle Secure Backup uname Vulnerability
Resolution
Oracle Secure Backup uname Vulnerability (Jan 23, 2009)
The Oracle Secure Backup product is a centralized tape backup management solution. The server acts as a management host for network connected storage devices as well as multi-platform distributed hosts. Communication between the server and hosts is SSL encrypted. The server can be administered remotely through a web interface. The interface requires the administrator to login before any administrative tasks are performed. The login procedure is handled by the CGI script login.php. A normal request to the login.php script may look as follows:
GET /login.php?attempt=1"&uname=admin&passwd=test HTTP/1.1
The uname and passwd variable values are passed on to verification functions contained in another script, common.php, on the backend. These functions eventually call a shell utility on the server host using one of the supplied CGI values as arguments to the utility. Specifically, the following php command is generated and executed:
$rbtool_auth --gui -u $username lsuser -s $username
A command injection vulnerability exists in the aforementioned scripts. The flaw exists due to insufficient sanitization of user input before it is used in command line arguments to the shell utility. The value supplied in the CGI variable uname is not stripped of meta characters that may affect the execution of the shell utility. Meta characters, such as '&' and '|' can be used to inject unrelated and possibly malicious commands which get executed in the security context of the Oracle Secure Backup server. The following URL exploitation example is shown to demonstrate the problem:
https://vulnerable.host.com/login.php?attempt=1&uname=%26+calc.exe
The above example will translate to the following shell command:
rbtool_auth --gui -u & calc.exe lsuser -s & calc.exe
The vulnerability may be exploited by unauthenticated users to execute commands on the target host. This flaw allows for fairly complex exploitation attempts as there are many methods of encoding malicious strings in a URI. Successful exploitation may allow an attacker to take complete control over an affected system. SonicWall has released a signature to detect and block specific exploitation attempts targeting this vulnerability. The following IPS signature has been released:
- 5361 - Oracle Secure Backup uname Command Injection PoC
Click here to read more about this Security alert on SonicWall Security Centre.
Related Articles
- How to force an update of the Security Services Signatures from the Firewall GUI
- How to upload security services signatures manually on Closed Environments?
- How to Create Gen 7 Settings File by Using the Online Migration Tool
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO