Oracle OPMN Format String Vulnerability (April 17, 2009)


The Oracle Application Server is a multi-platform application development and deployment system. With every installation of the Application Server comes the Oracle Process Manager and Notification Server (OPMN), which, among other tasks, manages the starting, stopping and monitoring of all applications. The OPMN is an essential part of the Application Server.

The OPMN consists of three components: the Oracle Notification Server, the Oracle Process Manager, and the Process Manager Modules. The Oracle Notification Server (ONS) is the transport mechanism for failure, recovery, startup, and other related notifications between components of the Oracle Application Server. The Oracle Process Manager (PM) manages Oracle Application Server processes. Finally, the Process Manager Modules (PM Modules) implement component-specific process management functionality.

A format string vulnerability exists in the Oracle Application Server OPMN service. The flaw is due to insufficient validation of the URI portion of incoming HTTP requests.
The vulnerable code passes the received URI string directly to an fprintf call, without any prior sanitization. This call is used to write the URI to a local log file. However, if the URI contains format specifiers such as "%s", "%x", or "%n", fprintf interprets them as conversions rather than literal text. In such cases, the execution of fprintf may result in arbitrary data being written to critical memory locations, thereby overwriting process-critical data.

A carefully crafted URI string intended to exploit this flaw may divert the process's control flow, which may in turn result in a system-wide compromise.

SonicWALL has released an IPS signature that will detect and prevent generic attacks targeting this vulnerability. The following signature was created:

  • 1436 – Oracle Application Server OPMN Service Format String Attack

This vulnerability has been assigned the CVE identifier CVE-2009-0993.
