Oracle Database Server allows remote users to execute system commands without authenticating.
Oracle Database Server provides extended functionality through the use of Procedural Language/Structured Query Language (PL/SQL) libraries. PL/SQL includes commands to load arbitrary system libraries and execute any function contained in those libraries. These commands require special user privileges. However, the functions of user authentication and library loading are split among different Oracle processes. As a result, it is possible to load libraries and execute arbitrary functions from them without authenticating.
Oracle runs a "Listener" process that receives requests from clients and forks a separate child process to handle each request. When the child process runs a PL/SQL library that makes use of other libraries, the child process first checks the user's authentication and privileges to ensure that the libraries should be loaded. It then sends a request to the Listener process to load the libraries. In response, the Listener forks another process named "extproc" ("extproc.exe" on Windows), which loads the library and executes functions as requested by the child process. Because the Listener performs no authentication of its own on these requests, a client can send the same request directly, without ever passing the database's user check.
Remote users can execute arbitrary code with the privileges of the user running Oracle, typically the "oracle" user on Unix systems or the local "SYSTEM" account on Windows systems.
The CERT/CC is currently unaware of a practical solution to this problem.
1. Install a firewall and restrict access to port 1521 from outside the network.
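As an added defensive check, not part of the CERT/CC note and not Oracle's own tooling, the following Python script parses a listener.ora and lists the services through which the Listener is configured to spawn extproc, so an administrator can inventory which listeners expose the component described above. The sample configuration, the parenthesised listener.ora syntax, and the PLSExtProc service name are assumptions made for this example.

```python
import re

# Constructed sample listener.ora (not from the advisory). Assumption: a SID_DESC
# whose PROGRAM is extproc is what lets the Listener spawn extproc on request.
SAMPLE_LISTENER_ORA = """SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (SID_NAME = ORCL)
      (ORACLE_HOME = /u01/app/oracle/product/9.2.0)
    )
  )
"""
_TOKEN = re.compile(r"[()=]|[^\s()=]+")

def parse_ora(text):
    """Parse NAME = (KEY = VALUE)(KEY = VALUE)... into nested dicts of lists."""
    tokens, pos = _TOKEN.findall(text), 0

    def entries(node, wrapped):
        nonlocal pos
        while pos < len(tokens) and tokens[pos] != ")":
            if wrapped:                       # nested pairs sit inside "(...)"
                pos += 1
            key = tokens[pos]
            assert tokens[pos + 1] == "=", "expected '=' after " + key
            pos += 2
            if tokens[pos] == "(":
                node.setdefault(key, []).append(entries({}, True))
            else:
                node.setdefault(key, []).append(tokens[pos])
                pos += 1
            if wrapped:
                assert tokens[pos] == ")", "unbalanced parenthesis in " + key
                pos += 1
        return node
    return entries({}, False)

def extproc_services(config):
    """Return the SID_NAME of every service whose PROGRAM is extproc(.exe)."""
    hits = []
    for key, values in config.items():
        if key.upper().startswith("SID_LIST"):
            for desc in values[0].get("SID_LIST", [{}])[0].get("SID_DESC", []):
                if desc.get("PROGRAM", [""])[0].lower().startswith("extproc"):
                    hits.append(desc.get("SID_NAME", ["?"])[0])
    return hits
```

Run `extproc_services(parse_ora(open("listener.ora").read()))` against a real file; an empty list means that listener has no extproc service entry.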
Thanks to David Litchfield for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Date First Published: 2002-02-26
Date Last Updated: 2003-07-03 17:15 UTC