Vulnerability Note VU#180147
Oracle 9i Database Server PL/SQL module allows remote command execution without authentication
Oracle Database Server allows remote users to execute system commands without authenticating.
Oracle Database Server provides extended functionality through the use of Procedural Language/Structured Query Language (PL/SQL) libraries. PL/SQL includes commands to load arbitrary system libraries and execute any function contained in those libraries. These commands require special user privileges. However, the functions of user authentication and library loading are split among different Oracle processes. As a result, it is possible to load libraries and execute arbitrary functions from them without authenticating.
Oracle runs a "Listener" process that receives requests from clients and forks separate child processes to handle each request. When the child process runs a PL/SQL library that makes use of other libraries, the child process first checks the user's authentication and privileges to ensure that the libraries should be loaded. Then it sends a request to the Listener process to load libraries. The Listener request forks another process named "extproc" ("extproc.exe" on Windows), which loads the library and executes functions as requested by the child process.
Remote users can execute arbitrary code with privileges of the user running Oracle, typically username "oracle" on Unix systems or the local "SYSTEM" user on Windows systems.
The CERT/CC is currently unaware of a practical solution to this problem.
1. Install a firewall and restrict access to port 1521 from outside the network.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Oracle Corporation||Affected||06 Feb 2002||26 Feb 2002|
CVSS Metrics (Learn More)
Thanks to David Litchfield for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
- CVE IDs: Unknown
- Date Public: 06 Feb 2002
- Date First Published: 26 Feb 2002
- Date Last Updated: 03 Jul 2003
- Severity Metric: 20.25
- Document Revision: 16
If you have feedback, comments, or additional information about this vulnerability, please send us email.