Advisory Details

July 21st, 2011

Oracle Secure Backup validate_login Command Injection Remote Code Execution Vulnerability

ZDI-11-238
ZDI-CAN-1165

CVE ID CVE-2011-2261
CVSS SCORE 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
AFFECTED VENDORS Oracle
AFFECTED PRODUCTS Secure Backup
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID ['11238']. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Secure Backup. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the validate_login function defined within /apache/htdocts/php/common.php. The username parameter is passed with limited sanitization to an exec_qr call which can be abused to inject commands. The sanitation that does occur can limit the exploitation of this issue, however code execution can likely still be achieved. Successful attempts will yield remote code execution under the context of the apache server.

ADDITIONAL DETAILS Oracle has issued an update to correct this vulnerability. More details can be found at:
http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html
DISCLOSURE TIMELINE
  • 2011-04-01 - Vulnerability reported to vendor
  • 2011-07-21 - Coordinated public release of advisory
CREDIT Tenable Network Security
BACK TO ADVISORIES