-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
              AUSCERT External Security Bulletin Redistribution
                             
                ESB-1999.169 -- ISS X-Force Security Advisory
    Multiple Root Compromise Vulnerabilities in Oracle Application Server
                              11 November 1999

===========================================================================

ISS X-Force has released the following advisory concerning multiple 
vulnerabilities in the Oracle Application Server (OAS).  OAS version 4.0 
for Solaris is affected, as are all OAS revisions prior to version 4.0.8.
These vulnerabilities may allow local users (anyone holding an account on 
the system) to gain root access.  Oracle has supplied two fix options, with 
different trade-offs, to address these vulnerabilities.  These are detailed
in the advisory included below.

Please note: The vulnerabilities described in this advisory are *not* the
same as previously described in ESB-1999.122 -- "ISS X-Force Security 
Advisory Root Compromise Vulnerabilities in Oracle 8", published 30 August 
1999.


- --------------------------BEGIN INCLUDED TEXT--------------------

- ---------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
November 10, 1999

Multiple Root Compromise Vulnerabilities in Oracle Application Server 

Synopsis:

Internet Security Systems (ISS) X-Force has discovered multiple
vulnerabilities in the Oracle Application Server (OAS) that may lead to
local super-user access.  Attackers may use these vulnerabilities to destroy
root owned files as well as gain root access.  An account on the target
system is required to exploit these vulnerabilities.

Affected Versions:

ISS X-Force has determined that Oracle Application Server version 4.0 for
Solaris is affected by these vulnerabilities.  All revisions prior to
version 4.0.8 are affected.

Description:

Server Startup Vulnerabilities: In most configurations the Oracle Application
Server, including the administrative utilities used to start, stop, and
manipulate the servers, is owned by the user 'oracle'.  An unprivileged user
cannot bind a server to a port below 1024, so Oracle ships the 'owslctl'
utility with root privileges (setuid root), which allows normal users to
start the server on privileged ports.  Because the utility does privileged
work on behalf of any local user, attackers may take advantage of this design
to gain super-user access.

Apache Startup Vulnerabilities: The Oracle Application Server offers web
administrators the option to install and configure HTTP listeners.  The
Oracle Management server supports both Netscape and Apache listeners in
addition to those provided by Oracle with the Application Server.  An
administrator choosing to install an Apache listener must supply a unique
name, a path to the server's executable, and a configuration file.  Once
these are supplied, a backend setuid root executable, 'apchlctl', attempts to
start the Apache server.

Because 'apchlctl' runs as root and acts on caller-supplied paths, an
attacker with an unprivileged account on the target system may trick it into
executing an arbitrary command as root.  The Apache start executable also
handles its write() calls unsafely, and some of the files it creates follow
symbolic links: a local user who plants a symbolic link at the expected file
name can make root write to a file of the attacker's choosing, which is how
root-owned files can be destroyed.
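
To make the two defect classes concrete, the following added example (written
for this page; it is not Oracle's owslctl or apchlctl source, whose internals
the advisory does not publish) sketches a setuid-root listener-start wrapper
in C.  It shows the unsafe pattern of exec'ing a caller-supplied executable
while still root, and plain-O_CREAT file creation that follows a planted
symbolic link, each beside a hardened form: canonicalise the executable and
confine it to a root-owned directory, create files with
O_CREAT|O_EXCL|O_NOFOLLOW, and drop privileges irrevocably before exec.  The
trusted directory /opt/oas/listeners, the 'oracle' account name, the "-f"
configuration flag and the command-line layout are assumptions.

```c
/* Added example for this page, not Oracle's owslctl/apchlctl source: a sketch
 * of a setuid-root listener-start wrapper showing the two defect classes the
 * advisory describes next to hardened forms. TRUSTED_DIR and 'oracle' are assumed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0 /* O_CREAT|O_EXCL alone already refuses a symlink (POSIX) */
#endif
#define TRUSTED_DIR "/opt/oas/listeners"   /* assumed listener install tree */

/* Defect 1 (design): exec whatever path the unprivileged caller named while
 * still effectively root, so any program the caller controls runs as root. */
int start_listener_unsafe(const char *exe, const char *conf)
{
    execl(exe, exe, "-f", conf, (char *)0);
    return -1;                              /* reached only if exec failed */
}

/* Hardened form: the executable must canonicalise to a regular file inside
 * trusted_dir, owned by root and not writable by group or others. 1 = ok. */
int path_is_allowed(const char *exe, const char *trusted_dir)
{
    char real_exe[PATH_MAX], real_dir[PATH_MAX];
    struct stat st;
    size_t n;
    if (!realpath(exe, real_exe) || !realpath(trusted_dir, real_dir))
        return 0;                           /* missing file or directory */
    n = strcmp(real_dir, "/") == 0 ? 0 : strlen(real_dir);
    if (strncmp(real_exe, real_dir, n) != 0 || real_exe[n] != '/')
        return 0;                           /* outside the trusted tree */
    if (stat(real_exe, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;                           /* a non-root user could swap it */
    return 1;
}

/* Defect 2 (symlink following): a pid or log file created with plain O_CREAT
 * follows a link a local user planted at that name, so root writes into the
 * link's target. Hardened: never create through a symlink or over a file. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check, runnable unprivileged: plant a symlink in dir and confirm the
 * hardened creation refuses both it and an already existing file. */
int exclusive_create_refuses_symlink(const char *dir)
{
    char file[PATH_MAX], link[PATH_MAX];
    int fd, ok = 1;
    snprintf(file, sizeof file, "%s/oas_example_%ld", dir, (long)getpid());
    snprintf(link, sizeof link, "%s/oas_link_%ld", dir, (long)getpid());
    unlink(file); unlink(link);
    if ((fd = create_exclusive(file)) < 0) ok = 0;     /* fresh name: succeeds */
    else close(fd);
    if ((fd = create_exclusive(file)) >= 0) { ok = 0; close(fd); } /* exists */
    if (symlink(file, link) != 0) ok = 0;
    if ((fd = create_exclusive(link)) >= 0) { ok = 0; close(fd); } /* symlink */
    unlink(link); unlink(file);
    return ok;
}

/* Give up root irrevocably before running anything the caller chose. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;         /* -1: the drop did not stick */
}

int main(int argc, char **argv)
{
    struct passwd *pw = getpwnam("oracle"); /* assumed service account */
    int fd;
    if (argc != 4 || !pw || !path_is_allowed(argv[1], TRUSTED_DIR)) {
        fprintf(stderr, "usage: exe conf pidfile (exe under %s)\n", TRUSTED_DIR);
        return 2;
    }
    if ((fd = create_exclusive(argv[3])) < 0)
        return 1;                           /* symlink or stale file present */
    close(fd);
    /* Privileged work (binding a port below 1024) goes here, before the drop;
     * the listener itself then runs as 'oracle', never as root. */
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0)
        return 1;
    execl(argv[1], argv[1], "-f", argv[2], (char *)0);
    perror("execl");
    return 1;
}
```

The ordering in main is the point: privileged work first, an irrevocable
drop to the service account, and only then the exec of anything the caller
chose, so a user who can name the executable gets a process running as
'oracle', not root.  The self-check exclusive_create_refuses_symlink() can be
exercised from any account; the privilege drop only succeeds when the wrapper
actually starts as root.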

Recommendations:

Oracle has supplied ISS X-Force with two potential fixes for the described
vulnerabilities.  Oracle has informed ISS X-Force that fix 1, the more secure
of the two, will affect OAS failure recovery for Oracle Web Listener
processes running on port numbers < 1024.  Fix 2, which is less secure,
requires that the Oracle account be treated as a trusted account: anyone able
to act as 'oracle' must be regarded as holding root-level trust, so customers
should take all precautions necessary to protect access to it.  ISS X-Force
recommends that Oracle Application Server administrators carefully evaluate
these fixes before they are applied.  

Oracle customers can find important information on this OAS security issue
on Oracle's web-based Metalink system at http://metalink.oracle.com.
Customers should reference document number 76484.1 under the advanced search
engine available on Metalink.  Customers can also find an alert under Oracle
Application Server on the Oracle Metalink system.

ISS X-Force recommends verifying the existence of the vulnerability through
the use of System Scanner.  For additional info please visit the following
URL: http://www.iss.net/prod/ss.php3

To download the checks for System Scanner Version 3 Solaris Agent go to the
following URL: http://www.iss.net/tech/flexchecks/


Credits:

These vulnerabilities were primarily researched by Dan Ingevaldson of the
ISS X-Force.  ISS X-Force would like to thank Oracle Corporation for their
response and handling of these vulnerabilities.


About ISS
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services and industry-leading
expertise, ISS serves as its customers' trusted security provider protecting
digital assets and ensuring the availability, confidentiality and integrity
of computer systems and information critical to e-business success. ISS'
security management solutions protect more than 5,000 customers including 21
of the 25 largest U.S. commercial banks, 9 of the 10 largest
telecommunications companies and over 35 government agencies. Founded in
1994, ISS is headquartered in Atlanta, GA, with additional offices
throughout North America and international operations in Asia, Australia,
Europe and Latin America. For more information, visit the ISS Web site at
www.iss.net or call 800-776-2362.


Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically.  It is not to be edited in any way without express consent
of the X-Force.  If you wish to reprint the whole or any part of this
Alert in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.
 

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOCnRMjRfJiV99eG9AQHBAAQAu4h6zzPkGddTVs07GGcm7H6RFec9Iikl
WomJ0kuFyJhfKWpal/lVFOXBHJ/uWDEa/m/jYL7ewzvOEAwd3jrQsxQuiYXJs7zo
e/eRzwFwoHBVInaOHAqt8NpIn9oYWRYZNMLi0lFauDFdMwpHITXI4JtSkKV74RPN
cR/Mzi9pbbs=
=0aJp
- -----END PGP SIGNATURE-----


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOEJrrCh9+71yA2DNAQHoZQQAljflY41hiSuyWCKm6OqXElw87LlRueM4
DAFOPcdl4WRNQsSqzvbL+ew/H3i5m86KZG2mkrbFy9xNWcscwQfnpfUQ6o99GhiS
JMCvRnd2NRV67b62MFqqzcVgC5kHn8lCeCxsHHRGj4gOr9+ZUauJYcZNkPK0RAYw
TaMeHuWPh4w=
=SrVW
-----END PGP SIGNATURE-----