US-CERT Vulnerability Notes Database
Vulnerability Note VU#180147

Oracle 9i Database Server PL/SQL module allows remote command execution without authentication

Overview

Oracle Database Server allows remote users to execute system commands without authenticating.

I. Description

Oracle Database Server provides extended functionality through the use of Procedural Language/Structured Query Language (PL/SQL) libraries. PL/SQL includes commands to load arbitrary system libraries and execute any function contained in those libraries. These commands require special user privileges. However, the functions of user authentication and library loading are split among different Oracle processes. As a result, it is possible to load libraries and execute arbitrary functions from them without authenticating.

Oracle runs a "Listener" process that receives requests from clients and forks a separate child process to handle each request. When the child process runs a PL/SQL library that makes use of other libraries, the child process first checks the user's authentication and privileges to ensure that the libraries should be loaded. It then sends a request to the Listener process to load the libraries. The Listener forks another process named "extproc" ("extproc.exe" on Windows), which loads the library and executes functions as requested by the child process.

Since the authentication is performed in the child process and not in the Listener, any process masquerading as an Oracle child process can ask the Listener to load any library and execute any command. The Listener assumes that the child process has performed authentication.

Furthermore, it is possible to establish connections to the Listener and extproc processes over sockets, allowing remote attackers to exploit this vulnerability.

This vulnerability is present in Oracle Database Server version 9i and may be present in other previous versions.

II. Impact

Remote users can execute arbitrary code with the privileges of the user running Oracle, typically the "oracle" user on Unix systems or the local "SYSTEM" account on Windows systems.

III. Solution

The CERT/CC is currently unaware of a practical solution to this problem. The following workarounds may reduce exposure:

1. Install a firewall and restrict access to port 1521 from outside the network.
2. Configure the Oracle Listener to run on a port other than 1521.
3. Remove PLSExtproc and icache_extproc functionality from Oracle if not needed, by deleting relevant lines from the "tnsnames.ora" and "listener.ora" files.
4. Implement trust node checking by adding the following lines to the "sqlnet.ora" file:

tcp.validnode_checking = YES
tcp.invited_nodes = (<comma-delimited list of allowed hostnames or IP addrs>)

5. On Windows, run Oracle processes under a low-privileged user account instead of under the local SYSTEM account.
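As an added example (not part of the CERT/CC note or Oracle's own tooling), a small Python audit that checks a sqlnet.ora file for the valid node checking settings of workaround 4 and flags listener.ora lines that still reference extproc (workaround 3). The configuration snippets below are constructed samples, not files from a real system.

```python
"""Audit Oracle Net configuration files for the extproc workarounds."""
import re


def parse_sqlnet(text):
    """Parse simple KEY = VALUE lines of sqlnet.ora into a dict (keys lowercased).

    '#' starts a comment; values are kept verbatim, including parentheses.
    """
    params = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line or '=' not in line:
            continue
        key, _, value = line.partition('=')
        params[key.strip().lower()] = value.strip()
    return params


def invited_nodes(value):
    """Turn '(host1, 10.0.0.5)' into a list of node strings."""
    return [n.strip() for n in value.strip('()').split(',') if n.strip()]


def audit_sqlnet(text):
    """Return findings for sqlnet.ora; an empty list means workaround 4 is in place."""
    params = parse_sqlnet(text)
    findings = []
    if params.get('tcp.validnode_checking', '').upper() != 'YES':
        findings.append('tcp.validnode_checking is not YES')
    if not invited_nodes(params.get('tcp.invited_nodes', '')):
        findings.append('tcp.invited_nodes is empty or missing')
    return findings


EXTPROC_RE = re.compile(r'extproc', re.IGNORECASE)


def audit_listener(text):
    """Return listener.ora lines that still reference extproc (the IPC key, PLSExtProc SID or program)."""
    return [ln.strip() for ln in text.splitlines() if EXTPROC_RE.search(ln)]


# Constructed sample configurations (placeholder host names and paths).
WEAK_SQLNET = "NAMES.DIRECTORY_PATH = (TNSNAMES, ONAMES, HOSTNAME)\n"
HARDENED_SQLNET = (
    "tcp.validnode_checking = YES\n"
    "tcp.invited_nodes = (dbapp01.example.internal, 10.0.0.5)\n"
)
LISTENER_ORA = """LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.internal)(PORT = 1521))))
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /opt/oracle)(PROGRAM = extproc)))
"""

if __name__ == '__main__':
    print(audit_sqlnet(WEAK_SQLNET))
    print(audit_sqlnet(HARDENED_SQLNET))
    print(audit_listener(LISTENER_ORA))
```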

Systems Affected

Vendor               Status      Date Notified   Date Updated
Oracle Corporation   Vulnerable  -               26-Feb-2002

References

http://www.securityfocus.com/bid/4033
http://www.oracle.com/
http://www.nextgenss.com/advisories/oraplsextproc.txt
http://otn.oracle.com/deploy/security/alerts.htm

Credit

Thanks to David Litchfield for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

Date Public: 2002-02-06
Date First Published: 2002-02-26
Date Last Updated: 2003-07-03
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 20.25
Document Revision: 16

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2002 Carnegie Mellon University