|
__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Oracle PL/SQL EXTPROC Database Vulnerability [Oracle Security Alert #29] February 27, 2002 20:00 GMT Number M-047 ______________________________________________________________________________ PROBLEM: It is possible for an attacker to fool the Oracle database server into loading arbitrary libraries and executing arbitrary functions without ever having to authenticate. PLATFORM: Platforms: All Unix, Linux, and Windows Oracle Database: Oracle9i, Oracle8i, and Oracle8 DAMAGE: Remote users can execute arbitrary code with privileges of the user running Oracle. SOLUTION: Apply workaround as prescribed below by Oracle. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. A remote user can execute arbitrary code. ASSESSMENT: ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-047.shtml ORIGINAL BULLETIN: http://otn.oracle.com/deploy/security/pdf/ plsextproc_alert.pdf ______________________________________________________________________________ [***** Start Oracle Security Alert #29 *****] Oracle Security Alert #29 Dated: 06 Feburary 2002 Oracle PL/SQL EXTPROC in Oracle9i Database Description There is a potential security vulnerability in the Oracle PL/SQL package for External Procedures (EXTPROC) in Oracle9i Database. The EXTPROC functionality is installed by default in the Oracle Database installation if the “Typical Installation” option is chosen from the Oracle Universal Installer Menu. EXTPROC is used by Oracle’s PL/SQL package to make calls to the operating system. Utilizing an Oracle Listener configured with a TCP protocol address, a knowledgeable and malicious user can write an exploit that connects to an Oracle Database server’ s EXTPROC OS process without having to authenticate himself. As such, he will be able to make arbitrary calls to the underlying OS and potentially gain unauthorized administrative access to the machine hosting the Oracle Database server. Products affected Oracle Database (Oracle9i, Oracle8i, Oracle8) Platforms affected All (Unix, Linux, Windows) Workarounds Use the following workarounds for all releases of the Oracle Database server. If the PL/SQL EXTPROC functionality is not required, it is recommended that it be removed from the machine hosting the Oracle Database server. Edit both $ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA (located in a Unix directory structure and its equivalent directory in Windows) and $ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA (located in a Unix directory structure and its equivalent directory in Windows) and remove one of the following entries from each of the configuration files, depending upon the OS and the release of the Oracle Database server installed: * icache_extproc, or * PLSExtproc, or * extproc Also, delete the “extproc” executable from the machine hosting the Oracle Database server. If the PL/SQL EXTPROC functionality is required in your Oracle installation, there are 5 steps that must be taken in order to protect against the potential security vulnerability identified above. i. Create 2 Oracle Net Listeners, one for the Oracle database and one for PL/SQL EXTPROC. Do not specify any EXTPROC specific entries in the configuration files of the Oracle Listener for the database. Configure the Oracle Listener for PL/SQL EXTPROC with an IPC protocol address only. If TCP connectivity is required, configure a TCP protocol address, but use a port other than the one the Oracle Listener for the database is using. Ensure that the Oracle Listener created for PL/SQL EXTPROC runs as an unprivileged OS user (e.g., “nobody” on Unix). On Windows platforms, run the Oracle Net Listener process as an unprivileged user and not as the Windows LOCAL SYSTEM user. Give this user the OS privilege to “Logon as a service.” ii. If you have configured the Oracle Listener for PL/SQL EXTPROC with a TCP protocol address, modify the EXTPROC specific entry in $ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA to reflect the correct port for the new Oracle Listener. iii. If you have configured the Listener for PL/SQL EXTPROC with an TCP protocol address, ensure that the connections to this Oracle Listener can only originate from the hosts that need access to EXTPROC by doing the following. Use an Oracle Net feature called “valid node checking” to allow or deny access to Oracle server processes from network clients with specified IP addresses. Set the following parameters in $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA ($ORACLE_HOME/NETWORK/ADMIN/PROTOCOL.ORA in Oracle8i and prior releases) to enable the valid node checking feature: tcp.validnode_checking = YES tcp.invited_nodes = {list of IP addresses} tcp.excluded_nodes = {list of IP addresses} The first parameter turns on the valid node checking feature. The latter two parameters respectively specify the IP addresses that are permitted to make network connections or denied from making network connections to the Oracle server processes. Restrict access to the Oracle Listener for PL/SQL EXTPROC only. A separate $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA file is required for this Oracle Listener. You can store this file in any directory other than the one in which the database LISTENER.ORA and SQLNET.ORA files are located. Copy the LISTENER.ORA with the configuration of the Oracle Listener for PL/SQL EXTPROC into this other directory as well. Before starting the Oracle Listener for PL/SQL EXTPROC, set the TNS_ADMIN environment variable (or Windows Registry parameter) to specify the directory in which the new configuration files for PL/SQL EXTPROC are stored. iv. Ensure that the file permissions on separate $ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA are set at either 640 or 644. v. Change the password for any privileged database account or an ordinary user given administrative privileges in the database that has the ability to add packages or libraries and access system privileges in the database (such as CREATE ANY LIBRARY) to a strong, meaningful password, different from the default that is provided during the initial installation of Oracle. Lock and expire all other accounts that are not being used in the database. Read Section 2 of the “Oracle9i Security Checklist” available on OTN at http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf for details. Patch Information A solution to the potential security vulnerability identified above is being worked upon and will be available by default in a future release of Oracle9i Database. Check the Oracle Security Alerts web page on OTN at http://otn.oracle.com/deploy/security/alerts.htm periodically for an update regarding the availability of this solution. All other releases of the Oracle Database (up to Oracle9i, Release 9.0.1.x) must continue to use the workaround provided above. Credits Oracle Corporation thanks David Litchfield of Next Generation Security Software Limited for discovering and promptly bringing this potential security vulnerability to Oracle’s attention. [***** End Oracle Security Alert #29 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Oracle Corporation and NGSSoftware Ltd. for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Center, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) M-036: Microsoft Windows NT/2000 Trust Domain Vulnerability M-037: Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module M-038: Cisco Secure Access Control Server NDS User Authentication Vulnerability M-039: Microsoft Telnet Server Buffer Overflow Vulnerability M-040: MS Exchange - Incorrectly Sets Remote Registry Permissions M-041: Microsoft Internet Explorer Cumulative Patch M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP M-043: Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability M-044: SQL Server Remote Data Source Function Contain Unchecked Buffers M-046: Red Hat "ncurses" Vulnerability