Date: 29 June 2001
References: ESB-2001.265 ESB-2001.273
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.266 -- COVERT-2001-04
Vulnerability in Oracle 8i TNS Listener
29 June 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Oracle 8i Standard
                   Oracle 8i Enterprise
Vendor:            Oracle
Operating System:  Windows
                   Linux
                   Solaris
                   AIX
                   HP-UX
                   Tru64 Unix
Impact:            Administrator Compromise
                   Execute Arbitrary Code/Commands
Access Required:   Remote
Ref:               ESB-2001.265
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________
Network Associates, Inc.
COVERT Labs Security Advisory
June 27, 2001
Vulnerability in Oracle 8i TNS Listener
COVERT-2001-04
______________________________________________________________________
o Synopsis
The Oracle 8i TNS (Transparent Network Substrate) Listener is
responsible for establishing and maintaining remote communications
with Oracle database services. The Listener is vulnerable to a buffer
overflow condition that allows remote execution of arbitrary code on
the database server under a security context that grants full control
of the database services and, on some platforms, full control of the
operating system. Because the buffer overflow occurs prior to any
authentication, the listener is vulnerable regardless of any enabled
password protection.
This vulnerability has been designated as CVE candidate CAN-2001-499.
RISK FACTOR: HIGH
______________________________________________________________________
o Vulnerable Systems
Oracle 8i Standard and Enterprise Editions Version 8.1.5, 8.1.6,
8.1.7 and previous versions for Windows, Linux, Solaris, AIX,
HP-UX and Tru64 Unix.
______________________________________________________________________
o Vulnerability Overview
Client connection requests to a remote Oracle service are arbitrated
by the TNS Listener. The TNS Listener accepts the client request and
establishes a TNS (Transparent Network Substrate) data connection
between the client and the service. A TNS connection allows clients
and servers to communicate over a network via a common API,
regardless of the network protocol used on either end (TCP/IP, IPX,
etc). The TNS Listener must be running if queries are to be made by
remote clients or databases even if the network protocol is the same.
A default installation listens on TCP port 1521.
Listener administration and monitoring can be done by issuing
specific commands to the daemon. Typical requests, such as "STATUS",
"PING" and "SERVICES" return a summary of listener configuration and
connections. Other requests like "TRC_FILE", "SAVE_CONFIG" and
"RELOAD" are used to change the configuration of the listener. An
exploitable buffer overflow occurs when any of the command's
arguments contains a very large amount of data.
The TNS Listener daemon runs with "LocalSystem" privileges under
Windows NT/2000, and with the privileges of the 'oracle' user under
Unix. Exploitation of this vulnerability will lead to the remote
attacker obtaining these respective privileges.
______________________________________________________________________
o Detailed Information:
The overflow can be triggered with a one-packet command conforming
to the Net8 protocol. The client will send a Type-1 (NSPTCN) packet
containing the proper Net8 headers and malformed command string with
embedded arbitrary code ("shellcode"). Although many of the TNS
listener's administrative commands can be limited to trusted users
by enabling password authentication, this vulnerability can
nevertheless be exploited by using unauthenticated commands such as
"STATUS". It is important to note that authentication is not
enabled by default.
The command string includes several arguments such as "SERVICE",
"VERSION", "USER" and "ARGUMENTS". Any of these can be overfilled
with data to initiate the overflow. Under both Windows and UNIX
platforms, an extended argument of several thousand bytes will
induce a stack overflow.
Under Windows, the stack overflow will facilitate the execution of
shellcode by manipulating the SEH (Structured Exception Handling)
mechanism. Since the listener service runs as "LocalSystem",
shellcode will be executed in the same security context. Under UNIX,
the listener daemon will often be started by the "oracle" user
created during installation. If this is the case, the attacker
will gain the privileges of the database administrator.
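Defender-side illustration, added here and not part of the COVERT advisory or
any Oracle code: a small Python heuristic of the kind a network sensor could run
on traffic to port 1521. It parses the TNS packet header, pulls the connect-data
string out of a Type-1 (NSPTCN) CONNECT packet, walks the parenthesised
KEY=VALUE connect descriptor, and flags any argument (SERVICE, VERSION, USER,
ARGUMENTS, ...) whose value is far longer than a legitimate client would send.
The 8-byte TNS header and packet type 1 = CONNECT are standard; the CONNECT
packet field offsets used below (connect-data length at byte 24, offset at
byte 26, data placed at byte 58), the 512-byte threshold, and the fixture
packets are assumptions of this example.

```python
"""Heuristic detector for oversized arguments in Oracle Net8/TNS CONNECT packets.

Added example, not advisory or vendor code.  No network I/O: the packets it
inspects are constructed below as test fixtures.
"""
import struct

TNS_TYPE_CONNECT = 1   # NSPTCN, the packet type named in the advisory
MAX_ARG_LEN = 512      # assumed threshold; real listener arguments are short
CONNECT_DATA_OFFSET = 58   # assumed placement of connect data in the fixture


def parse_tns_header(pkt: bytes) -> dict:
    """Decode the common 8-byte TNS header: length, checksum, type, flags, hdr checksum."""
    if len(pkt) < 8:
        raise ValueError("short TNS header")
    length, _pkt_cksum, ptype, flags, _hdr_cksum = struct.unpack(">HHBBH", pkt[:8])
    return {"length": length, "type": ptype, "flags": flags}


def extract_connect_data(pkt: bytes) -> str:
    """Return the connect descriptor carried by a CONNECT packet (layout assumed)."""
    hdr = parse_tns_header(pkt)
    if hdr["type"] != TNS_TYPE_CONNECT:
        raise ValueError("not a CONNECT packet")
    if len(pkt) < 28:
        raise ValueError("truncated CONNECT packet")
    cd_len, cd_off = struct.unpack(">HH", pkt[24:28])   # assumed field positions
    if cd_off + cd_len > len(pkt):
        raise ValueError("connect data extends beyond packet")
    return pkt[cd_off:cd_off + cd_len].decode("ascii", errors="replace")


def parse_descriptor(text: str):
    """Parse '(A=(B=c)(D=e))' into (key, value) where value is a str or a list of nodes."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_node():
        nonlocal pos
        skip_ws()
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '('")
        pos += 1
        eq = text.index("=", pos)
        key = text[pos:eq].strip()
        pos = eq + 1
        skip_ws()
        if text[pos] == "(":
            value = []
            while True:
                skip_ws()
                if pos < len(text) and text[pos] == "(":
                    value.append(parse_node())
                else:
                    break
        else:
            close = text.index(")", pos)
            value = text[pos:close]
            pos = close
        skip_ws()
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("expected ')'")
        pos += 1
        return (key, value)

    return parse_node()


def find_oversized_args(pkt: bytes, limit: int = MAX_ARG_LEN):
    """List (dotted.key.path, length) for every descriptor value longer than limit."""
    findings = []

    def walk(node, path):
        key, value = node
        full = path + [key]
        if isinstance(value, list):
            for child in value:
                walk(child, full)
        elif len(value) > limit:
            findings.append((".".join(full), len(value)))

    walk(parse_descriptor(extract_connect_data(pkt)), [])
    return findings


def sample_packet(connect_data: bytes) -> bytes:
    """Constructed fixture: a minimal NSPTCN frame carrying connect_data at byte 58."""
    total = CONNECT_DATA_OFFSET + len(connect_data)
    header = struct.pack(">HHBBH", total, 0, TNS_TYPE_CONNECT, 0, 0)
    # version, compat version, service opts, SDU, TDU, proto chars, turnaround,
    # value-of-one, connect-data length, connect-data offset (illustrative values)
    body = struct.pack(">HHHHHHHHHH", 0x0136, 0x012C, 0, 2048, 32767, 0, 0, 1,
                       len(connect_data), CONNECT_DATA_OFFSET)
    frame = header + body
    return frame + b"\x00" * (CONNECT_DATA_OFFSET - len(frame)) + connect_data


# Constructed sample inputs: a normal unauthenticated STATUS request and one
# whose USER argument is padded far past any legitimate size.
BENIGN = b"(CONNECT_DATA=(COMMAND=status)(VERSION=135294976)(SERVICE=LISTENER)(USER=oracle))"
OVERSIZED = b"(CONNECT_DATA=(COMMAND=status)(USER=" + b"X" * 3000 + b"))"

if __name__ == "__main__":
    print("benign:", find_oversized_args(sample_packet(BENIGN)))
    print("oversized:", find_oversized_args(sample_packet(OVERSIZED)))
```

The check runs before any listener authentication state matters, which mirrors
the advisory's point that password protection on the listener does not help
here: the only reliable fix is the vendor patch, and a length heuristic like
this one is a detection aid, not a mitigation.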
______________________________________________________________________
o Resolution
Oracle has produced a patch under bug number 1489683 which is
available for download from the Oracle Worldwide Support Services
web site, Metalink (http://metalink.oracle.com) for the platforms
identified in this advisory. The patch is in production for all
supported releases of the Oracle Database Server.
PGP Security's CyberCop Scanner risk-assessment tool has been
updated to detect this vulnerability.
______________________________________________________________________
o Credits
These vulnerabilities were discovered and documented by Nishad Herath
and Brock Tellier of the COVERT Labs at PGP Security.
______________________________________________________________________
o Contact Information
For more information about the COVERT Labs at PGP Security, visit our
website at http://www.pgp.com/covert or send e-mail to covert@nai.com
______________________________________________________________________
o Legal Notice
The information contained within this advisory is Copyright (C) 2001
Networks Associates Technology Inc. It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.
Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries. All other registered and unregistered
trademarks in this document are the sole property of their respective
owners.
______________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
iQA/AwUBOzpL5dwDUegFyneEEQJkVwCfaSu5s4tIHqc7gaecy8bYEE4ADGEAn26n
AaiyVhQME0V+hG2oUBcgOX7T
=wbhH
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOzytgCh9+71yA2DNAQHbUQQAm6hSCKCXrXRgRgmUkielPfx9cew3B22r
28WbOyaj+NDrwiIosf7g9YZYQpJAaSlwvXejTx6xa2XR7E2dPLXzy+L6Q9oexPxL
8pBBtrKwIhEVQqUNB17FhSH5cUECiCNYW+b1ZfSrQ5L7ZVj6Z4GNU9hXoaA5c/Nd
0isolZRYruc=
=Aoeb
-----END PGP SIGNATURE-----