Vulnerability Note VU#307835

Oracle9i Application Server OWA_UTIL procedures expose sensitive information

Original Release date: 11 Mar 2002 | Last revised: 15 Nov 2002

Overview

Oracle9i Application Server (iAS) provides a Procedural Language/Structured Query Language (PL/SQL) application (package) called OWA_UTIL that provides web access to a number of stored procedures. These procedures could be used by an attacker to view the source code of PL/SQL applications, obtain credentials and access to other database servers, and run SQL queries on accessible database servers.

Description

David Litchfield of NGSSoftware has released a paper titled Hackproofing Oracle Application Server that describes a number of security issues in Oracle's PL/SQL system. This document addresses a problem in which a number of procedures in the OWA_UTIL PL/SQL application disclose sensitive information.

Quoting from Hackproofing:

    PL/SQL is Oracle’s Procedural Language extension to Structured Query Language. PL/SQL packages [applications] are essentially stored procedures in the database. The package exposes procedures that can be called directly, but also has functions that are called internally from within another package. The PL/SQL module for Apache extends the functionality of a web server, enabling the web server to execute these stored PL/SQL packages in the database. The best way to imagine the PL/SQL module is like a gateway into an Oracle database server over the Web using stored procedures.

The OWA_UTIL PL/SQL application exposes a number of procedures to the web via the Apache PL/SQL module. By default, anonymous web access is permitted to some of these procedures.

OWA_UTIL.signature returns a message containing version information about the PL/SQL module. An attacker could use this procedure to verify access to OWA_UTIL.

OWA_UTIL.showsource returns the source code of the specified PL/SQL application. According to Oracle9i AS v1.0.2.2 documentation, web access to OWA_UTIL.showsource is prevented by default.

OWA_UTIL.cellsprint allows an attacker to run arbitrary SQL queries. Litchfield notes that queries could be made to the sys.link$ table, which could provide credentials and access to other Oracle database servers. According to Oracle9i AS v1.0.2.2 documentation, web access to OWA_UTIL.cellsprint is prevented by default.

OWA_UTIL.listprint allows an attacker to run arbitrary SQL queries, but only returns specified columns.

OWA_UTIL.show_query_columns returns column names of a database table. This procedure could be used to obtain column names for use with OWA_UTIL.listprint.

The PL/SQL module provides a configuration parameter called exclusion_list. Procedures (as well as applications and schemas) specified in exclusion_list cannot be directly executed over the web. As noted above, Oracle9i AS v1.0.2.2 documentation states that web access to OWA_UTIL.showsource and OWA_UTIL.cellsprint is prevented by default.

The vulnerable PL/SQL module may also be used by Oracle9i Database and Oracle8i Database.

Impact

An unauthenticated, remote attacker could use procedures provided by OWA_UTIL to view the source code of PL/SQL applications, obtain access credentials for other database servers, access other database servers, and perform SQL queries on accessible database servers.

Solution

Block or Restrict Access

Unauthenticated PUBLIC access to PL/SQL procedures and applications can be restricted using the exclusion_list parameter in the PL/SQL gateway configuration file, /Apache/modplsql/cfg/wdbsvr.app. This solution is described in Oracle Security Alert #28. For more information, read the section titled Protecting the PL/SQL Procedures Granted to PUBLIC in the Oracle iAS documentation under Using the PL/SQL Gateway.
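
One way to check a gateway configuration for the gap described above, as an added example that is not part of the original note or Oracle's tooling: it reports, per DAD, which of the OWA_UTIL procedures named in this note are not matched by an explicit exclusion_list. The sample file is constructed, and the INI-style `[DAD_<name>]` layout, comma-separated `*` patterns and case-insensitive matching are assumptions about wdbsvr.app; built-in default exclusions are not modelled.

```python
import configparser
from fnmatch import fnmatchcase

# Procedures named in this vulnerability note.
OWA_PROCS = ["owa_util.signature", "owa_util.showsource", "owa_util.cellsprint",
             "owa_util.listprint", "owa_util.show_query_columns"]

# Constructed sample, not a real configuration. Assumed layout: one
# [DAD_<name>] section per DAD, exclusion_list as comma-separated patterns.
SAMPLE = """\
[WVGATEWAY]
defaultDAD = hr
;
[DAD_hr]
connect_string = orcl
exclusion_list = sys.*, dbms_*, owa_util.showsource, owa_util.cellsprint
;
[DAD_portal]
connect_string = orcl
exclusion_list = sys.*, dbms_*, owa*
;
[DAD_legacy]
connect_string = orcl
"""

def audit(text):
    """Return {dad_name: [OWA_UTIL procedures no exclusion_list pattern matches]}."""
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"),
                                   strict=False, interpolation=None)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if not section.upper().startswith("DAD_"):
            continue  # gateway-wide settings, not a DAD
        raw = cp.get(section, "exclusion_list", fallback="")
        patterns = [p.strip().lower() for p in raw.split(",") if p.strip()]
        # A procedure is covered only if some explicit pattern matches it.
        report[section[4:]] = [proc for proc in OWA_PROCS
                               if not any(fnmatchcase(proc, pat) for pat in patterns)]
    return report

if __name__ == "__main__":
    for dad, exposed in audit(SAMPLE).items():
        print(dad, "->", ", ".join(exposed) if exposed else "all five excluded")
```

A DAD whose list names only showsource and cellsprint still leaves signature, listprint and show_query_columns callable, which is the case the `hr` entry illustrates.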


Disable Vulnerable Service

Disable the PL/SQL service (modplsql or mod_plsql in Apache).

Systems Affected

Vendor | Status | Date Notified | Date Updated
Oracle | Affected | 02 Mar 2002 | 05 Mar 2002

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

Credit

The CERT Coordination Center thanks David Litchfield of NGSSoftware for information used in this document.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2002-0560
  • CERT Advisory: CA-2002-08
  • Date Public: 10 Jan 2002
  • Date First Published: 11 Mar 2002
  • Date Last Updated: 15 Nov 2002
  • Severity Metric: 10.26
  • Document Revision: 42
