Vulnerability Note VU#180147

Oracle 9i Database Server PL/SQL module allows remote command execution without authentication

Original Release date: 26 Feb 2002 | Last revised: 03 Jul 2003

Overview

Oracle Database Server allows remote users to execute system commands without authenticating.

Description

Oracle Database Server provides extended functionality through the use of Procedural Language/Structured Query Language (PL/SQL) libraries. PL/SQL includes commands to load arbitrary system libraries and execute any function contained in those libraries. These commands require special user privileges. However, the functions of user authentication and library loading are split among different Oracle processes. As a result, it is possible to load libraries and execute arbitrary functions from them without authenticating.

Oracle runs a "Listener" process that receives requests from clients and forks a separate child process to handle each request. When the child process runs a PL/SQL library that makes use of other libraries, the child process first checks the user's authentication and privileges to ensure that the libraries should be loaded. It then sends a request to the Listener process to load the libraries. On receiving that request, the Listener forks another process named "extproc" ("extproc.exe" on Windows), which loads the library and executes functions as requested by the child process.

Since the authentication is performed in the child process and not in the Listener, any process masquerading as an Oracle child process can ask the Listener to load any library and execute any command. The Listener assumes that the child process has performed authentication.

Furthermore, it is possible to establish connections to the Listener and extproc processes over sockets, allowing remote attackers to exploit this vulnerability.

This vulnerability is present in Oracle Database Server version 9i and may also be present in earlier versions.

Impact

Remote users can execute arbitrary code with privileges of the user running Oracle, typically username "oracle" on Unix systems or the local "SYSTEM" user on Windows systems.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. The following workarounds reduce exposure:

1. Install a firewall and restrict access to port 1521 from outside the network.
2. Configure the Oracle Listener to run on a port other than 1521.
3. Remove PLSExtproc and icache_extproc functionality from Oracle if not needed, by deleting relevant lines from the "tnsnames.ora" and "listener.ora" files.
4. Implement trust node checking by adding the following lines to the "sqlnet.ora" file:

tcp.validnode_checking = YES
tcp.invited_nodes = (<comma-delimited list of allowed hostnames or IP addrs>)

5. On Windows, run Oracle processes under a low-privileged user account instead of under the local SYSTEM account.
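Workarounds 3 and 4 above can be checked mechanically. The following script is an added example written for this note, not code from the CERT/CC or from Oracle: it scans constructed listener.ora and sqlnet.ora fragments (written in Oracle Net syntax; the host names, SID names and paths are made up) for SID_DESC entries that register extproc and for a missing tcp.validnode_checking / tcp.invited_nodes pair.

```python
import re
# Constructed sample listener.ora / sqlnet.ora fragments in Oracle Net syntax; not from any real host.
LISTENER_ORA = """\
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (SID_NAME = ORCL)
    )
  )
"""
SQLNET_WEAK = "NAMES.DIRECTORY_PATH = (TNSNAMES)\n"
SQLNET_HARDENED = SQLNET_WEAK + "tcp.validnode_checking = YES\ntcp.invited_nodes = (dbhost, 10.0.0.5)\n"

def _block(text, start):
    """Return the balanced '( ... )' block that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i + 1]
    return text[start:]

def extproc_services(listener_ora):
    """SID_NAMEs of SID_DESC entries whose PROGRAM is extproc (external procedure agents)."""
    names = []
    for m in re.finditer(r"\(\s*SID_DESC\b", listener_ora, re.I):
        block = _block(listener_ora, m.start())
        if re.search(r"\(\s*PROGRAM\s*=\s*extproc\b", block, re.I):
            sid = re.search(r"\(\s*SID_NAME\s*=\s*([^)\s]+)", block, re.I)
            names.append(sid.group(1) if sid else "<unnamed>")
    return names

def valid_node_checking(sqlnet_ora):
    """True only if tcp.validnode_checking = YES and tcp.invited_nodes lists at least one host."""
    on = re.search(r"^\s*tcp\.validnode_checking\s*=\s*yes\s*$", sqlnet_ora, re.I | re.M)
    nodes = re.search(r"^\s*tcp\.invited_nodes\s*=\s*\(([^)]*)\)", sqlnet_ora, re.I | re.M)
    return bool(on and nodes and nodes.group(1).strip())

def audit(listener_ora, sqlnet_ora):
    """Findings for the pair of files (empty list means nothing flagged by these two checks)."""
    findings = [f"listener.ora: '{sid}' registers extproc; remove it if external procedures are unused"
                for sid in extproc_services(listener_ora)]
    if not valid_node_checking(sqlnet_ora):
        findings.append("sqlnet.ora: tcp.validnode_checking/invited_nodes missing; any host may reach the Listener")
    return findings
```

Run audit() over the real files read from $ORACLE_HOME/network/admin; an empty result only means these two settings are in place, not that the Listener is otherwise hardened.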

Systems Affected

Vendor               Status     Date Notified   Date Updated
Oracle Corporation   Affected   06 Feb 2002     26 Feb 2002

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A

Credit

Thanks to David Litchfield for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: Unknown
  • Date Public: 06 Feb 2002
  • Date First Published: 26 Feb 2002
  • Date Last Updated: 03 Jul 2003
  • Severity Metric: 20.25
  • Document Revision: 16