SkipNavigation
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric



 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

 

Vulnerability Note VU#307835

Oracle9i Application Server OWA_UTIL procedures expose sensitive information

Overview

Oracle9i Application Server (iAS) provides a Procedural Language/Structured Query Language (PL/SQL) application (package) called OWA_UTIL that provides web access to a number of stored procedures. These procedures could be used by an attacker to view the source code of PL/SQL applications, obtain credentials and access to other database servers, and run SQL queries on accessible database servers.

I. Description

David Litchfield of NGSSoftware has released a paper titled Hackproofing Oracle Application Server that describes a number of security issues in Oracle's PL/SQL system. This document addresses a problem in which a number of procedures in the OWA_UTIL PL/SQL application disclose sensitive information.

Quoting from Hackproofing:

    PL/SQL is Oracle’s Procedural Language extension to Structured Query Language. PL/SQL packages [applications] are essentially stored procedures in the database. The package exposes procedures that can be called directly, but also has functions that are called internally from within another package. The PL/SQL module for Apache extends the functionality of a web server, enabling the web server to execute these stored PL/SQL packages in the database. The best way to imagine the PL/SQL module is like a gateway into an Oracle database server over the Web using stored procedures.
The OWA_UTIL PL/SQL application exposes a number of procedures to the web via the Apache PL/SQL module. By default, anonymous web access is permitted to some of these procedures.

OWA_UTIL.signature returns a message containing version information about the PL/SQL module. An attacker could use this procedure to verify access to OWA_UTIL.

OWA_UTIL.showsource returns the source code of the specified PL/SQL application. According to Oracle9i AS v1.0.2.2 documentation, web access to OWA_UTIL.cellsprint is prevented by default.

OWA_UTIL.cellsprint allows an attacker to run arbitrary SQL queries. Litchfield notes that queries could be made to the sys.link$ table, which could provide credentials and access to other Oracle database servers. According to Oracle9i AS v1.0.2.2 documentation, web access to OWA_UTIL.cellsprint is prevented by default.

OWA_UTIL.listprint allows an attacker to run arbitrary SQL queries, but only returns specified columns.

OWA_UTIL.show_query_columns returns column names of a database table. This procedure could be used to obtain column names for use with OWA_UTILS.listprint.

The PL/SQL module provides a configuration parameter called exclusion_list. Procedures (as well as applications and schemas) specified in exclusion_list cannot be directly executed over the web. As noted above, Oracle9i AS v1.0.2.2 documentation states that web access to OWA_UTIL.showsource and OWA_UTIL.cellsprint is prevented by default.

The vulnerable PL/SQL module may also be used by Oracle9i Database and Oracle8i Database.

II. Impact

An unauthenticated, remote attacker could use procedures provided by OWA_UTIL to view the source code of PL/SQL applications, obtain access credentials for other database servers, access other database servers, and perform SQL queries on accessible database servers.

III. Solution

Block or Restrict Access

Unauthenticated PUBLIC access to PL/SQL procedures and applications can be restricted using the exclusion_list parameter in the PL/SQL gateway configuration file, /Apache/modplsql/cfg/wdbsvr.app. This solution is described in Oracle Security Alert #28. For more information, read the section titled Protecting the PL/SQL Procedures Granted to PUBLIC in the Oracle iAS documentation under Using the PL/SQL Gateway.

Disable Vulnerable Service

Disable the PL/SQL service (modplsql or mod_plsql in Apache).

Systems Affected

VendorStatusDate NotifiedDate Updated
OracleVulnerable5-Mar-2002

References


http://www.nextgenss.com/papers/hpoas.pdf
http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
http://www.securityfocus.com/bid/4294
http://www.iss.net/security_center/static/8451.php

Credit

The CERT Coordination Center thanks David Litchfield of NGSSoftware for information used in this document.

This document was written by Art Manion.

Other Information

Date Public:2002-01-10
Date First Published:2002-03-11
Date Last Updated:2002-11-15
CERT Advisory:CA-2002-08
CVE-ID(s):CAN-2002-0560
NVD-ID(s):CAN-2002-0560
US-CERT Technical Alerts: 
Metric:10.26
Document Revision:42

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2002 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader