Pentest Security Advisory: PTL-2002-01
Vulnerabilities in Oracle9iAS Web Cache
This advisory describes multiple vulnerabilities in Oracle9iAS Web Cache that allow an attacker with local access to overwrite any files accessible to the "oracle" user, gain "oracle" user privileges and capture the password of the Web Cache admin account.
A non-privileged user can start Web Cache by invoking $ORACLE_HOME/webcache/bin/webcached and, because the binary is setuid "oracle", either create or overwrite any file owned by "oracle". By starting $ORACLE_HOME/webcache/bin/webcached with the -A option it is also possible to run commands as the "oracle" user. This can be achieved by modifying local environment variables and Web Cache configuration files.
Web Cache can be administered both locally and remotely. Normally, access is restricted (a username and password are required). The Web Cache administrator passwords are stored in $ORACLE_HOME/webcache/webcache.xml. This file is world-readable and contains the "encrypted" passwords for the administrator accounts. The encryption was found to be weak. It may also be possible to gain access to the administrator accounts if the default passwords have not been changed.
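A local check for the two file-permission conditions described above (a setuid webcached that any local user can execute, and a world-readable webcache.xml), as an added example that is not part of the original advisory or of Oracle's tooling. The paths are the ones the advisory gives; the function names and finding strings are assumptions made for this example.

```python
import os
import stat
import sys

# Paths relative to $ORACLE_HOME, as named in the advisory.
WEBCACHED = os.path.join("webcache", "bin", "webcached")
WEBCACHE_XML = os.path.join("webcache", "webcache.xml")

# Finding strings are this example's own wording (assumption).
SETUID_ANY_USER = "setuid and executable by any local user"
WORLD_READABLE = "world-readable"


def findings_for_mode(rel_path, mode):
    """Return the advisory-relevant findings for one file, given its st_mode."""
    found = []
    if rel_path == WEBCACHED:
        # The advisory's condition: the binary runs with its owner's
        # privileges (setuid) and a non-privileged user may invoke it.
        if mode & stat.S_ISUID and mode & stat.S_IXOTH:
            found.append(SETUID_ANY_USER)
    elif rel_path == WEBCACHE_XML:
        # The file holds the weakly "encrypted" administrator passwords.
        if mode & stat.S_IROTH:
            found.append(WORLD_READABLE)
    return found


def audit(oracle_home):
    """Stat both files under oracle_home; return {relative_path: [findings]}."""
    report = {}
    for rel_path in (WEBCACHED, WEBCACHE_XML):
        try:
            st = os.stat(os.path.join(oracle_home, rel_path))
        except FileNotFoundError:
            continue  # Web Cache component not present under this ORACLE_HOME
        report[rel_path] = findings_for_mode(rel_path, st.st_mode)
    return report


if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("ORACLE_HOME", "")
    if not home:
        sys.exit("usage: webcache_audit.py ORACLE_HOME")
    results = audit(home)
    for rel_path, found in results.items():
        print(f"{rel_path}: {', '.join(found) or 'no finding'}")
    sys.exit(1 if any(results.values()) else 0)
```

The script exits non-zero when either condition is present, so it can be run across hosts to find installations that still need the vendor patches.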
These vulnerabilities have been tested on Oracle 9iAS version 184.108.40.206.1 installed on Sun Solaris 2.8. Other versions may also be vulnerable.
Apply vendor patches.
The vendor has issued a bulletin and made patches available on this