Oracle Web Listener Batch File Vulnerability
BID:1053
Info
Oracle Web Listener Batch File Vulnerability
| Bugtraq ID: | 1053 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Mar 15 2000 12:00AM |
| Updated: | Mar 15 2000 12:00AM |
| Credit: | Discovered by the Cerberus Security Team. Publicized in a Cerberus Information Security Advisory (CISADV000315) released March 15, 2000. |
| Vulnerable: |
Oracle Web Listener 4.0 .x for NT |
| Not Vulnerable: | |
Discussion
Oracle Web Listener Batch File Vulnerability
Oracle Web Listener for NT makes use of various batch files as cgi scripts, which are stored in the /ows-bin/ directory by default.
Any of these batch files can be used to run arbitrary commands on the server, simply by appending '?&' and a command to the filename. The command will be run at the SYSTEM level. The name of a batch file is not even neccessary, as it will translate the '*' character and apply the appended string to every batch file in the directory. Moreover, UNC paths can be used to cause the server to download and execute remote code.
Oracle Web Listener for NT makes use of various batch files as cgi scripts, which are stored in the /ows-bin/ directory by default.
Any of these batch files can be used to run arbitrary commands on the server, simply by appending '?&' and a command to the filename. The command will be run at the SYSTEM level. The name of a batch file is not even neccessary, as it will translate the '*' character and apply the appended string to every batch file in the directory. Moreover, UNC paths can be used to cause the server to download and execute remote code.