__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
__________________________________________________________
INFORMATION BULLETIN
Oracle 8i TNS Listener Vulnerability
[Network Associates, Inc., Covert Labs Security Advisory #50]
July 9, 2001 22:00 GMT Number L-108
______________________________________________________________________________
PROBLEM: A buffer overflow vulnerability exists in the Oracle 8i TNS
Listener that allows any user to execute arbitrary code on the
database server under a security context that grants full
control of the database services and, on some platforms, full
control of the operating system. The Oracle 8i TNS Listener is
responsible for establishing connections between the Oracle
database server and a client application. The overflow is
triggered before any authentication takes place, so any user who
can send packets to the listener port (TCP 1521) on the server
could exploit this vulnerability.
PLATFORM: Oracle 8i Standard and Enterprise Editions Version 8.1.5,
8.1.6, 8.1.7 and previous versions for Windows, Linux, Solaris,
AIX, HP-UX and Tru64 Unix. All servers currently in production
already have the patch.
DAMAGE: Remote users can gain root access on an Oracle server.
SOLUTION: Obtain and install patches from Oracle
(http://metalink.oracle.com/). Note that you must have an
Oracle service account to obtain security patches.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is HIGH. Remote users who can send packets
to port 1521 on an Oracle 8i server can potentially run arbitrary code on that
server.
______________________________________________________________________________
[Begin Network Associates, Inc., Covert Labs Security Advisory #50]
Vulnerability in Oracle 8i TNS Listener
Network Associates, Inc.
COVERT Labs Security Advisory
June 27, 2001
RISK FACTOR: HIGH
Synopsis
========
The Oracle 8i TNS (Transparent Network Substrate)
Listener is responsible for establishing and maintaining
remote communications with Oracle database services. The
Listener is vulnerable to a buffer overflow condition
that allows remote execution of arbitrary code on the
database server under a security context that grants
full control of the database services and, on some
platforms, full control of the operating system. Because
the buffer overflow occurs prior to any authentication,
the listener is vulnerable regardless of any enabled
password protection.
This vulnerability has been designated as CVE candidate
CAN-2001-499.
RISK FACTOR: HIGH
Vulnerable Systems
==================
Oracle 8i Standard and Enterprise Editions Version
8.1.5, 8.1.6, 8.1.7 and previous versions for Windows,
Linux, Solaris, AIX, HP-UX and Tru64 Unix.
Vulnerability Overview
======================
Client connection requests to a remote Oracle service
are arbitrated by the TNS Listener. The TNS Listener
accepts the client request and establishes a TNS
(Transparent Network Substrate) data connection between
the client and the service. A TNS connection allows
clients and servers to communicate over a network via a
common API, regardless of the network protocol used on
either end (TCP/IP, IPX, etc.). The TNS Listener must be
running if queries are to be made by remote clients or
databases, even if the network protocol is the same.
A default installation listens on TCP port 1521.
Listener administration and monitoring can be done by
issuing specific commands to the daemon. Typical
requests, such as "STATUS", "PING" and "SERVICES" return
a summary of listener configuration and connections.
Other requests like "TRC_FILE", "SAVE_CONFIG" and
"RELOAD" are used to change the configuration of the
listener. An exploitable buffer overflow occurs when any
of the command's arguments contains a very large amount
of data.
The TNS Listener daemon runs with "LocalSystem"
privileges under Windows NT/2000, and with the
privileges of the 'oracle' user under Unix. Exploitation
of this vulnerability will lead to the remote attacker
obtaining these respective privileges.
Detailed Information
====================
The overflow can be triggered with a one-packet command
conforming to the Net8 protocol. The client will send a
Type-1 (NSPTCN) packet containing the proper Net8
headers and malformed command string with embedded
arbitrary code ("shellcode"). Although many of the TNS
listener's administrative commands can be limited to
trusted users by enabling password authentication, this
vulnerability can nevertheless be exploited by using
unauthenticated commands such as "STATUS". It is
important to note that authentication is not enabled by
default.
The command string includes several arguments such as
"SERVICE", "VERSION", "USER" and "ARGUMENTS". Any of
these can be overfilled with data to initiate the
overflow. Under both Windows and UNIX platforms, an
extended argument of several thousand bytes will induce
a stack overflow.
Under Windows, the stack overflow will facilitate the
execution of shellcode by manipulating the SEH
(Structured Exception Handling) mechanism. Since the
listener service runs as "LocalSystem", shellcode will
be executed in the same security context. Under UNIX,
the listener daemon will often be started by the
"oracle" user created during installation. If this is
the case, the attacker will gain the privileges of the
database administrator.
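As an added, defender-side illustration (not part of the CIAC bulletin or the COVERT Labs advisory): a small Python inspector that recognises a Type-1 (NSPTCN) connect packet, flattens its nested (KEY=value) connect descriptor and reports any argument such as SERVICE, USER or VERSION whose value is abnormally long, which is the condition the advisory describes. The 8-byte TNS header layout, the connect-data length/offset fields at bytes 24 and 26, the 512-byte threshold and the fixture packets are assumptions, not taken from the advisory.

```python
import struct

NSPTCN = 1         # TNS packet type 1, connect request (named in the advisory)
MAX_ARG_LEN = 512  # assumed limit; real values are far below the "several thousand bytes"

def parse_tns_connect(pkt: bytes):
    """Return the connect-data string of a Type-1 TNS packet, or None.
    Assumed layout (not from the advisory): header = length(2) checksum(2)
    type(1) flags(1) hdr_checksum(2); connect-data length at byte 24, offset at 26."""
    if len(pkt) < 28:
        return None
    length, _csum, ptype = struct.unpack(">HHB", pkt[:5])
    if ptype != NSPTCN or length > len(pkt):
        return None
    cd_len, cd_off = struct.unpack(">HH", pkt[24:28])
    if cd_off + cd_len > length:
        return None  # claimed connect data runs past the packet: malformed
    return pkt[cd_off:cd_off + cd_len].decode("latin-1")

def flatten_args(connect_data: str) -> dict:
    """Walk the nested (KEY=value) descriptor and map each leaf key to its value."""
    args, key, buf = {}, None, []
    for ch in connect_data:
        if ch == "(":
            key, buf = None, []
        elif ch == "=":
            key, buf = "".join(buf).strip().upper(), []
        elif ch == ")":
            if key is not None and buf:
                args[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    return args

def oversized_args(pkt: bytes, limit: int = MAX_ARG_LEN) -> list:
    """Connect-data arguments (SERVICE, USER, ...) whose value exceeds limit."""
    cd = parse_tns_connect(pkt)
    if cd is None:
        return []
    return sorted(k for k, v in flatten_args(cd).items() if len(v) > limit)

def build_connect_packet(connect_data: str) -> bytes:
    """Constructed fixture: minimal Type-1 packet with connect data at offset 58."""
    body = connect_data.encode("latin-1")
    hdr = struct.pack(">HHBBH", 58 + len(body), 0, NSPTCN, 0, 0)
    fields = struct.pack(">HHHHHHHHHHI", 0x0136, 0x012C, 0, 2048, 32767, 0, 0, 1,
                         len(body), 58, 0) + bytes(26)  # ANO flags, trace ids, padding
    return hdr + fields + body
```

Feeding captured traffic to `oversized_args` gives a cheap pre-patch alert for connect requests that match the advisory's description, without decoding any payload beyond the descriptor keys.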
Resolution
==========
Oracle has produced a patch under bug number 1489683,
which is available for download from the Oracle
Worldwide Support Services web site, Metalink
(http://metalink.oracle.com), for the platforms
identified in this advisory. The patch is in production
for all supported releases of the Oracle Database
Server.
Credits
=======
This vulnerability was discovered and documented by
Nishad Herath and Brock Tellier of the COVERT Labs at
PGP Security.
Contact Information
===================
For more information about the COVERT Labs at PGP
Security, visit our website at
http://www.pgp.com/research/covert/ or send e-mail to
covert@nai.com.
Legal Notice
============
The information contained within this advisory is
Copyright (C) 2001 Networks Associates Technology Inc.
It may be redistributed provided that no fee is charged
for distribution and that the advisory is not modified
in any way.
Network Associates and PGP are registered Trademarks of
Network Associates, Inc. and/or its affiliated companies
in the United States and/or other Countries. All other
registered and unregistered trademarks in this document
are the sole property of their respective owners.
[End Network Associates, Inc., Covert Labs Security Advisory #50]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Network Associates, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
L-098: Microsoft Index Server ISAPI Extension Buffer Overflow
L-099: SGI PCP Pmpost Symlink Vulnerability
L-100: FrontPage Sub-Component Vulnerability
L-101: Microsoft LDAP Over SSL Password Vulnerability
L-102: HP OpenView Network Node Manager Security Vulnerability
L-103: Sun ypbind Buffer Overflow Vulnerability
L-104: SuSE Linux, xinetd Buffer Overflow
L-105: Samba Security Vulnerability
L-106: Cisco IOS HTTP Authorization Vulnerability
L-107: Microsoft Authentication Error in SMTP Service