Oracle 9iAS Default SOAP Configuration Unauthorized Application Deployment

high Nessus Plugin ID 11227

Synopsis

Arbitrary code can be run on the remote host.

Description

In a default installation of Oracle 9iAS v.1.0.2.2, it is possible to deploy or undeploy SOAP services without any credentials. SOAP is enabled by default after installation to provide a convenient way to use the SOAP samples. However, this feature poses a threat to publicly accessible HTTP servers, since remote attackers can create SOAP services and then invoke them remotely. Because SOAP services in Oracle 9iAS can contain arbitrary Java code, an attacker can execute arbitrary code on the remote server.

Solution

Disable SOAP or the deploy/undeploy feature by editing $ORACLE_HOME/Apache/Jserv/etc/jserv.conf and removing or commenting out the following four lines:

ApJServGroup group2 1 1 $ORACLE_HOME/Apache/Jserv/etc/jservSoap.properties
ApJServMount /soap/servlet ajpv12://localhost:8200/soap
ApJServMount /dms2 ajpv12://localhost:8200/soap
ApJServGroupMount /soap/servlet balance://group2/soap

Note that the port number might be different from 8200.

Also, in the file $ORACLE_HOME/soap/webapps/soap/WEB-INF/config/soapConfig.xml, change:
<osc:option name='autoDeploy' value='true' />
to:
<osc:option name='autoDeploy' value='false' />
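
To confirm the remediation was applied, the contents of jserv.conf and soapConfig.xml can be audited offline. The following is an added example, not part of the plugin or of Oracle's guidance; the function names and the sample file contents are constructed for illustration, and the port is matched loosely because it may differ from 8200.

```python
import re

# The four jserv.conf directives the Solution says to remove or comment out.
# Host and port are matched loosely because the port may differ from 8200.
SOAP_DIRECTIVES = [
    re.compile(r"^ApJServGroup\s+group2\s+\d+\s+\d+\s+\S*jservSoap\.properties\s*$"),
    re.compile(r"^ApJServMount\s+/soap/servlet\s+ajpv12://[^/\s]+:\d+/soap\s*$"),
    re.compile(r"^ApJServMount\s+/dms2\s+ajpv12://[^/\s]+:\d+/soap\s*$"),
    re.compile(r"^ApJServGroupMount\s+/soap/servlet\s+balance://group2/soap\s*$"),
]
AUTODEPLOY = re.compile(
    r"<osc:option\s+name=(['\"])autoDeploy\1\s+value=(['\"])(.*?)\2\s*/>", re.S)


def active_soap_directives(jserv_conf: str) -> list[str]:
    """Return the SOAP-related directives that are still active (not commented)."""
    hits = []
    for line in jserv_conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):  # commented out, so already remediated
            continue
        if any(p.match(stripped) for p in SOAP_DIRECTIVES):
            hits.append(stripped)
    return hits


def autodeploy_enabled(soap_config_xml: str) -> bool:
    """True if an uncommented autoDeploy option is still set to 'true'."""
    uncommented = re.sub(r"<!--.*?-->", "", soap_config_xml, flags=re.S)
    return any(m.group(3).strip().lower() == "true"
               for m in AUTODEPLOY.finditer(uncommented))


# Constructed sample input: one directive commented out, three left active on a
# non-default port, plus an unrelated mount that must not be reported.
SAMPLE_JSERV = """\
#ApJServGroup group2 1 1 /u01/app/oracle/Apache/Jserv/etc/jservSoap.properties
ApJServMount /soap/servlet ajpv12://localhost:8300/soap
ApJServMount /dms2 ajpv12://localhost:8300/soap
ApJServGroupMount /soap/servlet balance://group2/soap
ApJServMount /servlets ajpv12://localhost:8007/root
"""
SAMPLE_SOAP_XML = "<osc:option name='autoDeploy' value='true' />"

if __name__ == "__main__":
    for directive in active_soap_directives(SAMPLE_JSERV):
        print("still active:", directive)
    print("autoDeploy enabled:", autodeploy_enabled(SAMPLE_SOAP_XML))
```

A host is fully remediated per the Solution only when the first function returns an empty list and the second returns False.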

See Also

http://www.oracle.com/technology/deploy/security/pdf/ias_soap_alert.pdf

http://www.nextgenss.com/papers/hpoas.pdf

Plugin Details

Severity: High

ID: 11227

File Name: oracle9i_soaprouter.nasl

Version: 1.21

Type: remote

Family: Databases

Published: 2/11/2003

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:oracle:application_server

Required KB Items: www/OracleApache

Exploit Ease: No exploit is required

Vulnerability Publication Date: 11/30/2001

Reference Information

CVE: CVE-2001-1371

BID: 4289

CWE: 264

CERT: 476619

CERT-CC: CA-2002-08