search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Oracle 9i Database Server PL/SQL module allows remote command execution without authentication

Vulnerability Note VU#180147

Original Release Date: 2002-02-26 | Last Revised: 2003-07-03

Overview

Oracle Database Server allows remote users to execute system commands without authenticating.

Description

Oracle Database Server provides extended functionality through the use of Procedural Language/Structured Query Language (PL/SQL) libraries. PL/SQL includes commands to load arbitrary system libraries and execute any function contained in those libraries. These commands require special user privileges. However, the functions of user authentication and library loading are split among different Oracle processes. As a result, it is possible to load libraries and execute arbitrary functions from them without authenticating.

Oracle runs a "Listener" process that receives requests from clients and forks separate child processes to handle each request. When the child process runs a PL/SQL library that makes use of other libraries, the child process first checks the user's authentication and privileges to ensure that the libraries should be loaded. Then it sends a request to the Listener process to load libraries. The Listener request forks another process named "extproc" ("extproc.exe" on Windows), which loads the library and executes functions as requested by the child process.

Since the authentication is performed in the child process and not in the Listener, any process masquerading as an Oracle child process can ask the Listener to load any library and execute any command. The Listener assumes that the child process has performed authentication.

Furthermore, it is possible to establish connections to the Listener and extproc processes over sockets, allowing remote attackers to exploit this vulnerability.

This vulnerability is present in Oracle Database Server version 9i and may be present in other previous versions.

Impact

Remote users can execute arbitrary code with privileges of the user running Oracle, typically username "oracle" on Unix systems or the local "SYSTEM" user on Windows systems.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

1. Install a firewall and restrict access to port 1521 from outside the network.
2. Configure the Oracle Listener to run on a port other than 1521.
3. Remove PLSExtproc and icache_extproc functionality from Oracle if not needed, by deleting relevant lines from the "tnsnames.ora" and "listener.ora" files.
4. Implement trust node checking by adding the following lines to the "sqlnet.ora" file:

tcp.validnode_checking = YES
tcp.invited_nodes = (<comma-delimited list of allowed hostnames or IP addrs>)

5. On Windows, run Oracle processes under a low-privileged user account instead of under the local SYSTEM account.

Vendor Information

180147
Expand all

Oracle Corporation

Notified:  February 06, 2002 Updated:  February 26, 2002

Status

  Vulnerable

Vendor Statement

"Ok text. Please link to Oracle Alert #29 on http://otn.oracle.com/deploy/security/alerts.htm."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to David Litchfield for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 20.25
Date Public: 2002-02-06
Date First Published: 2002-02-26
Date Last Updated: 2003-07-03 17:15 UTC
Document Revision: 16

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.