COMMAND

	Oracle iAS Web Cache allows local user priviledge elevation

SYSTEMS AFFECTED

	 Oracle 9 iAS Web Cache

	 Tested on Oracle 9iAS version 1.0.2.2.1 installed on Sun Solaris 2.8

PROBLEM

	Mark Rowe and Pete Finnigan [www.pentest-limited.com] posted :
	

	It is possible for non privileged user to start Web Cache by invoking
	 $ORACLE_HOME/webcache/bin/webcached  and either create or overwrite any 

	\"oracle\" owned file as the result of the setuid bit \"oracle\". By
	starting  $ORACLE_HOME/webcache/bin/webcached  with the -A option it is also possible to run commands as the \"oracle\" user. This can be achieved by modification of local environment variables and Web Cache

	configuration files.
	

	As part of the functionality offered by Web  Cache  it  is  possible  to
	locally and remotely administer the  Web  Cache  application.  Normally,
	access is restricted (a username and password are required). The Web
	Cache administrator passwords are stored in  $ORACLE_HOME/webcache/webcache.xml . This file is readable by world and contains the \"encrypted\" password for the administrator accounts. The encryption was found to be weak. It may also be possible to gain access to the administrator accounts if the default passwords have not been changed.

SOLUTION

	 

	http://otn.oracle.com/deploy/security/pdf/webcache2.pdf