Run any OS Command via unauthorized Oracle Forms
Oracle Forms Services, a component of the Oracle Application Server, is Oracle's long-established technology to design and build enterprise applications. Oracle itself is using Oracle Forms for the E-Business Suite. Many large customers are using Oracle Forms for their enterprise applications.
Oracle Forms Services starts forms executables (*.fmx) from any directory and any user on the application server. These forms are executed as user Oracle or System (Windows). An attacker which is able to upload a specially crafted forms executable to the application server is able to run any OS command and can overtake the application server. The upload could be done via Webdav (Part of the Oracle Application Server), SMB, Webutil, SAMBA, NFS, FTP, ...
By using the form or module parameter with an absolute path it is possible to execute forms executables from ANY directory and ANY user.
Internet Application Server
Oracle Application Server
Oracle Developer Suite
This bug is NOT FIXED with Critical Patch Update October 2005 (CPU October 2005).
It seems that Oracle is NOT INTERESTED to fix this issue and provide patches for this issue.
If you think you need a patch to protect your Oracle Application Server you should contact Oracle.
1. Create or modify a simple forms module and add the following command to the
Host('ls > forms_is_unsecure.txt' , NO_SCREEN);
2. Generate the forms executable (e.g. hacker.fmx) for the destination platform (e.g. Linux, Solaris, Windows, ...)
3. Copy the forms executable hacker.fmx to a directory on the Oracle Application Server
(e.g. via SMB, file upload, Webdav, Samba, NFS, Webutil, FTP, ...)
4. Run the form "hacker.fmx" as user Oracle and specify an absolute path for the forms executable
5. The host command is executed as user Oracle (Unix) or user SYTEM (Windows).
Workaround for Oracle Forms 10g
Use the parameter restrictedURL in the configuration file formsweb.cfg. The parameter restrictedURL is a new feature in Forms 10g and
restricts the end user (or hacker) from overriding all the parameters listed in the restrictedURLparams.
Keep in mind that it is important to block the form and the module parameter.
Workaround for Oracle Forms 6i/9i or 10g
Do not allow users to upload content to the Application Server (e.g. via SMB, Webdav, SAMBA, FTP, ...)
Use URLRewrite to block potential dangerous URLs with module or form parameter and absolute or relative paths
Block the following strings: "form=..", "module=..", "form=/", "module=/" , "form=c:\", "module=c:\", "form=d:\" ...
If you need different locations for your forms modules you could specify these locations in the FORMS90_PATH / FORMS60_PATH.
24-sep-2003 Oracle secalert was informed
25-sep-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability will publish after CPU July 2005
Red-Database-Security offered Oracle more time if it is not possible to provide a fix ==> NO FEEDBACK.
18-apr-2005 Oracle Forms Product Management contacted.
20-apr-2005 Email from Product Management that customers should migrate to Forms 10g. No patches for Forms 6i or 9i.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
19-jul-2005 Red-Database-Security published this advisory
21-jul-2005 Cert VU# and affected products added
25-aug-2005 CVE number added
13-jan-2005 days since initial report updated
© 2006 by Red-Database-Security GmbH - last update 13-jan-2006