Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

TeamSHATTER Security Advisory: Oracle Database Vault Administrator web console Session ID disclosure
From: Shatter <shatter () appsecinc com>
Date: Fri, 21 Jan 2011 15:35:21 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TeamSHATTER Security Advisory

January 20, 2011

Risk Level:
Low

Affected versions:
Oracle Database Server version 10gR2, 11gR1 and 11gR2

Remote exploitable:
No

Credits:
This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.

Details:
It is possible to know the Session ID getting the directory contents from 
ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/images/dvcache
In this directory there are some .gif files that have a valid web session id in their names.
This directory has read permissions for everyone by default.

For example, file h1cbd8d13de4ee4b81582d4fb826721da377b75e605866045fb1b415fc0ab428d61271722801217.gif
corresponds to session ID: cbd8d13de4ee4b81582d4fb826721da377b75e605866045fb1b415fc0ab428d6

These .gif files seem to be auto-generated when the 'Monitor' web page is accessed by an administrator from the Oracle 
Database Vault Administrator web console.

After getting a valid Session ID an attacker can impersonate the web application user and make web requests on his 
behalf.

Impact:
It is possible for a local user to know the Session ID of an administrator that is using the Oracle Database Vault 
Administrator web console and perform operations on the administrator's behalf.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this vulnerability. To narrow the time window when this vulnerability can be exploited you 
should Log off from Oracle Database Vault Administrator web console as soon as you finished using it and do not keep 
the session open until it expires.

Fix:
Apply Oracle Critical Patch Update January 2011 available at Oracle Metalink.

CVE:
CVE-2010-4420

Links:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://www.teamshatter.com/topics/security-advisory/advisory-oracle-database-vault-administrator-web-console-session-id-disclosure

Timeline:
Vendor Notification - 6/30/2010
Vendor Response - 6/30/2010
Fix - 1/18/2011
Public Disclosure - 1/20/2011

Application Security, Inc's database security solutions have helped over 2000 organizations secure their databases from 
all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and 
audit requirements.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently 
available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, 
indirect, or consequential loss or damage arising from use of, or reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)

iEYEARECAAYFAk057e8ACgkQRx91imnNIgEIHACdGiyDfMRocfKsH19kSGKQcqwq
ZCIAoNgGFemBsdxPAgOYRRBRM63CF/Fh
=aooB
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • TeamSHATTER Security Advisory: Oracle Database Vault Administrator web console Session ID disclosure Shatter (Jan 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault