Oracle OPMN Format String Vulnerability
The Oracle Application Server is a multi-platform application development and deployment system. With every installation of the Application Server comes the Oracle Process Manager and Notification Server (OPMN), which, among other tasks, manages the starting, stopping and monitoring of all applications. The OPMN is an essential part of the Application Server.
The OPMN consists of three components, the Oracle Notification Server, Oracle Process Manager, and Process Manager Modules. Oracle Notification Server (ONS) is the transport mechanism for failure, recovery, startup, and other related notifications between components in Oracle Application Server. Oracle Process Manager (PM) is used to manage Oracle Application Server processes. Finally, the Oracle Process Manager Modules (PM Modules) implement Oracle Application Server component-specific process management functionality.
A format string vulnerability exists in the Oracle Application Server OPMN service. The specific vulnerability is due to insufficient validation of the URI part of incoming HTTP requests.
The vulnerable code directly uses the received URI string in a fprintf function call, without any prior sanitization. The said function is used to print the URI string to a local log file. However, if the URI string contains format specifiers such as "%s", "%x", or "%n" then the fprintf function will interpret them as such. In such cases, the execution of fprintf may result in arbitrary data being written to critical memory locations, thereby overwriting process critical data.
A carefully crafted URI string that is intended to exploit this flaw may result in process flow diversion which may consequently result in a system wide compromise.
SonicWALL has released an IPS signature that will detect and prevent generic attacks targeting this vulnerability. The following signature was created:
- 1436 - Oracle Application Server OPMN Service Format String Attack
This vulnerability has been assigned the CVE identifier CVE-2009-0993.