Oracle Secure Backup uname Vulnerability

January 23, 2009

The Oracle Secure Backup product is a centralized tape backup management solution. The server acts as a management host for network connected storage devices as well as multi-platform distributed hosts. Communication between the server and hosts is SSL encrypted. The server can be administered remotely through a web interface. The interface requires the administrator to login before any administrative tasks are performed. The login procedure is handled by the CGI script login.php. A normal request to the login.php script may look as follows:

GET /login.php?attempt=1"&uname=admin&passwd=test HTTP/1.1

The uname and passwd variable values are passed on to verification functions contained in another script, common.php, on the backend. These functions eventually call a shell utility on the server host using one of the supplied CGI values as arguments to the utility. Specifically, the following php command is generated and executed:

$rbtool_auth --gui -u $username lsuser -s $username

A command injection vulnerability exists in the aforementioned scripts. The flaw exists due to insufficient sanitization of user input before it is used in command line arguments to the shell utility. The value supplied in the CGI variable uname is not stripped of meta characters that may affect the execution of the shell utility. Meta characters, such as '&' and '|' can be used to inject unrelated and possibly malicious commands which get executed in the security context of the Oracle Secure Backup server. The following URL exploitation example is shown to demonstrate the problem:

The above example will translate to the following shell command:

rbtool_auth --gui -u & calc.exe lsuser -s & calc.exe

The vulnerability may be exploited by unauthenticated users to execute commands on the target host. This flaw allows for fairly complex exploitation attempts as there are many methods of encoding malicious strings in a URI. Successful exploitation may allow an attacker to take complete control over an affected system. SonicWALL has released a signature to detect and block specific exploitation attempts targeting this vulnerability. The following IPS signature has been released:

  • 5361 - Oracle Secure Backup uname Command Injection PoC