
CIAC L-108 - Oracle 8i TNS Listener Vulnerability


             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                      Oracle 8i TNS Listener Vulnerability
         [Network Associates, Inc., Covert Labs Security Advisory #50]

July 9, 2001 22:00 GMT                                            Number L-108
______________________________________________________________________________
PROBLEM:       A buffer overflow vulnerability exists in the Oracle 8i TNS 
               Listener that allows any user to execute arbitrary code on the 
               database server under a security context that grants full 
               control of the database services and, on some platforms, full 
               control of the operating system. The Oracle 8i TNS Listener is 
               responsible for establishing connections between the Oracle 
               database server and a client application. The overflow is 
               triggered before any authentication takes place, so any user 
               who can send packets to the listener port (TCP 1521) on the 
               server could exploit this vulnerability. 
PLATFORM:      Oracle 8i Standard and Enterprise Editions Version 8.1.5, 
               8.1.6, 8.1.7 and previous versions for Windows, Linux, Solaris, 
               AIX, HP-UX and Tru64 Unix. All servers currently in production 
               already have the patch. 
DAMAGE:        Remote users can gain root access on an Oracle server. 
SOLUTION:      Obtain and install patches from Oracle 
               (http://metalink.oracle.com/). Note that you must have an 
               Oracle service account to obtain security patches. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Remote users who can send packets to port 
ASSESSMENT:    1521 on an Oracle 8i server can potentially run arbitrary code 
               on that server. 
______________________________________________________________________________

[Begin Network Associates, Inc., Covert Labs Security Advisory #50]

Vulnerability in Oracle 8i TNS Listener 

Network Associates, Inc.
COVERT Labs Security Advisory
June 27, 2001 

RISK FACTOR: HIGH 

Synopsis
========

The Oracle 8i TNS (Transparent Network Substrate) 
Listener is responsible for establishing and maintaining 
remote communications with Oracle database services. The 
Listener is vulnerable to a buffer overflow condition 
that allows remote execution of arbitrary code on the 
database server under a security context that grants 
full control of the database services and, on some 
platforms, full control of the operating system. Because 
the buffer overflow occurs prior to any authentication, 
the listener is vulnerable regardless of any enabled 
password protection. 

This vulnerability has been designated as CVE candidate 
CAN-2001-499. 

RISK FACTOR: HIGH 


Vulnerable Systems
==================

Oracle 8i Standard and Enterprise Editions Version 
8.1.5, 8.1.6, 8.1.7 and previous versions for Windows, 
Linux, Solaris, AIX, HP-UX and Tru64 Unix. 

Vulnerability Overview
======================

Client connection requests to a remote Oracle service 
are arbitrated by the TNS Listener. The TNS Listener 
accepts the client request and establishes a TNS 
(Transparent Network Substrate) data connection between 
the client and the service. A TNS connection allows 
clients and servers to communicate over a network via a 
common API, regardless of the network protocol used on 
either end (TCP/IP, IPX, etc). The TNS Listener must be 
running if queries are to be made by remote clients or 
databases even if the network protocol is the same.

A default installation listens on TCP port 1521.

Listener administration and monitoring can be done by 
issuing specific commands to the daemon. Typical 
requests, such as "STATUS", "PING" and "SERVICES" return 
a summary of listener configuration and connections. 
Other requests like "TRC_FILE", "SAVE_CONFIG" and 
"RELOAD" are used to change the configuration of the 
listener. An exploitable buffer overflow occurs when any 
of the command's arguments contains a very large amount 
of data. 

The TNS Listener daemon runs with "LocalSystem" 
privileges under Windows NT/2000, and with the 
privileges of the 'oracle' user under Unix. Exploitation 
of this vulnerability will lead to the remote attacker 
obtaining these respective privileges. 

Detailed Information
====================

The overflow can be triggered with a one-packet command 
conforming to the Net8 protocol. The client will send a 
Type-1 (NSPTCN) packet containing the proper Net8 
headers and malformed command string with embedded 
arbitrary code ("shellcode"). Although many of the TNS 
listener's administrative commands can be limited to 
trusted users by enabling password authentication, this 
vulnerability can nevertheless be exploited by using 
unauthenticated commands such as "STATUS". It is 
important to note that authentication is not enabled by 
default.

The command string includes several arguments such as 
"SERVICE", "VERSION", "USER" and "ARGUMENTS". Any of 
these can be overfilled with data to initiate the 
overflow. Under both Windows and UNIX platforms, an 
extended argument of several thousand bytes will induce 
a stack overflow.
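Added example, not part of the CIAC bulletin or the Covert Labs advisory: a passive check that a network sensor or packet-log parser could run over a captured TNS packet, flagging a Type-1 (NSPTCN) connect packet whose connect-string argument exceeds a length threshold. The 8-byte TNS header layout, the position of the connect-data length/offset fields, the offset 58 and the 512-byte threshold are assumptions drawn from general Net8 knowledge rather than from the advisory, and both sample packets are constructed in the block.

```python
import re
import struct
from typing import List, Optional, Tuple

# 8-byte TNS header: packet length, packet checksum, type, reserved, header checksum (assumed layout).
TNS_HEADER = struct.Struct(">HHBBH")
NSPTCN = 1                # Type-1 CONNECT packet named in the advisory
CONNECT_DATA_OFFSET = 58  # offset commonly used by Net8 clients (assumption)
MAX_ARG_LEN = 512         # detection threshold; legitimate arguments are far shorter (assumption)

def parse_connect_data(pkt: bytes) -> Optional[str]:
    """Return the connect string of a Type-1 packet, or None if this is not one."""
    if len(pkt) < 34:
        return None
    length, _csum, ptype, _res, _hcsum = TNS_HEADER.unpack_from(pkt, 0)
    if ptype != NSPTCN or length > len(pkt):
        return None
    # Connect-data length and offset fields are assumed to sit at bytes 24..27 of a CONNECT packet.
    cd_len, cd_off = struct.unpack_from(">HH", pkt, 24)
    if cd_off + cd_len > length:
        return None
    return pkt[cd_off:cd_off + cd_len].decode("latin-1")

def oversized_args(pkt: bytes, limit: int = MAX_ARG_LEN) -> List[Tuple[str, int]]:
    """List (KEY, length) for every leaf KEY=VALUE argument longer than `limit`."""
    cd = parse_connect_data(pkt)
    if cd is None:
        return []
    # Leaf pairs such as (COMMAND=status) or (SERVICE=...); nested groups are skipped.
    pairs = re.findall(r"\(([A-Za-z_]+)=([^()]*)\)", cd)
    return [(k.upper(), len(v)) for k, v in pairs if len(v) > limit]

def build_connect(connect_data: bytes) -> bytes:
    """Constructed sample CONNECT packet for exercising the check (not a real capture)."""
    # version, compat, service opts, SDU, TDU, proto chars, max pkts, byte order,
    # connect-data length, connect-data offset; remaining fields zero-filled.
    fields = struct.pack(">HHHHHHHHHH", 0x0136, 0x012C, 0x0C01, 2048, 32767, 0x7F08,
                         0, 1, len(connect_data), CONNECT_DATA_OFFSET)
    fields = fields.ljust(CONNECT_DATA_OFFSET - TNS_HEADER.size, b"\x00")
    total = TNS_HEADER.size + len(fields) + len(connect_data)
    return TNS_HEADER.pack(total, 0, NSPTCN, 0, 0) + fields + connect_data

if __name__ == "__main__":
    benign = build_connect(b"(CONNECT_DATA=(COMMAND=status)(VERSION=135290880))")
    suspect = build_connect(b"(CONNECT_DATA=(COMMAND=status)(SERVICE=" + b"A" * 4000 + b"))")
    print(oversized_args(benign))   # []
    print(oversized_args(suspect))  # [('SERVICE', 4000)]
```

A sensor applying this check to traffic toward TCP 1521 would alert on the second packet while passing the ordinary STATUS request unchanged.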

Under Windows, the stack overflow will facilitate the 
execution of shellcode by manipulating the SEH 
(Structured Exception Handling) mechanism. Since the 
listener service runs as "LocalSystem", shellcode will 
be executed in the same security context. Under UNIX, 
the listener daemon will often be started by the 
"oracle" user created during installation. If this is 
the case, the attacker will gain the privileges of the 
database administrator. 

Resolution
==========

Oracle has produced a patch under bug number 1489683 
which is available for download from the Oracle 
Worldwide Support Services web site, Metalink 
(http://metalink.oracle.com) for the platforms 
identified in this advisory. The patch is in production 
for all supported releases of the Oracle Database 
Server. 

Credits
=======

These vulnerabilities were discovered and documented by 
Nishad Herath and Brock Tellier of the COVERT Labs at 
PGP Security. 

Contact Information
===================

For more information about the COVERT Labs at PGP 
Security, visit our website at 
http://www.pgp.com/research/covert/ or send e-mail to 
covert@nai.com. 

Legal Notice
============

The information contained within this advisory is 
Copyright (C) 2001 Networks Associates Technology Inc. 
It may be redistributed provided that no fee is charged 
for distribution and that the advisory is not modified 
in any way. 

Network Associates and PGP are registered Trademarks of 
Network Associates, Inc. and/or its affiliated companies 
in the United States and/or other Countries. All other 
registered and unregistered trademarks in this document 
are the sole property of their respective owners. 

[End Network Associates, Inc., Covert Labs Security Advisory #50]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Network Associates, Inc. for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-098: Microsoft Index Server ISAPI Extension Buffer Overflow
L-099: SGI PCP Pmpost Symlink Vulnerability
L-100: FrontPage Sub-Component Vulnerability
L-101: Microsoft LDAP Over SSL Password Vulnerability
L-102: HP OpenView Network Node Manager Security Vulnerability
L-103: Sun ypbind Buffer Overflow Vulnerability
L-104: SuSE Linux, xinetd Buffer Overflow
L-105: Samba Security Vulnerability
L-106: Cisco IOS HTTP Authorization Vulnerability
L-107: Microsoft Authentication Error in SMTP Service

