Date: 07 January 2005
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.0016 -- NGSSoftware Insight Security Research Advisories
Ten vulnerabilities in Oracle Database and Oracle Application Server
7 January 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Database 8i, 9i and 10g
Oracle Application Server 9i and 10g
Publisher: NGSSoftware
Operating System: UNIX variants
Linux variants
Windows
Mac OS X
IBM z/OS
Impact: Execute Arbitrary Code/Commands
Increased Privileges
Access Confidential Data
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CAN-2004-1338 CAN-2004-1339
Original Bulletin: http://www.nextgenss.com/advisory.htm
Comment: Patches fixing these vulnerabilities were released by Oracle in
August 2004.
- --------------------------BEGIN INCLUDED TEXT--------------------
Researchers at NGSSoftware have discovered multiple critical vulnerabilities
in Oracle Database Server and Oracle Application Server. Versions affected
include
Oracle Database 10g Release 1 Version 10.1.0.2
Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
Oracle8i Database Server Release 3, version 8.1.7.4
Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
Oracle9i Application Server Release 1, version 1.0.2.2
The vulnerabilities range from buffer overflow issues, PL/SQL Injection,
trigger abuse, character set conversion bugs and denial of service. On the
31st of August 2004 Oracle released a set of patches to address all of these
issues (and for other flaws found by other researchers.) This patch set can
be downloaded from the Metalink website - http://metalink.oracle.com/.
- -------------------------------------------------------------------------------
Name: Oracle 10g extproc buffer overflow
Systems Affected: Oracle 10g on all operating systems
Severity: High Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR23122004A
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004.txt
Description
***********
The Oracle database server supports PL/SQL, a programming language. PL/SQL
can execute external procedures via extproc. Over the past few years there
have been a number of vulnerabilities in this area:
http://www.nextgenss.com/advisories/oraplsextproc.txt
http://www.nextgenss.com/advisories/ora-extproc.txt
Extproc has been found to suffer from another buffer overflow vulnerability.
Details
*******
Oracle 10g imposes a length limit on the library name to be loaded by
extproc. However, this length limit can be evaded by passing environment
variables as part of the library name. Later on the environment variable is
expanded allowing the buffer overflow to be exploited. For example '$PATH'
is 5 characters long; this passes the length check. However, when expanded
'$PATH' becomes many more characters.
Exploitation depends upon the system setup but by trial and error a balance
can be found allowing arbitrary code to be executed. No user ID or password
is required to exploit this vulnerability.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
- -------------------------------------------------------------------------------
Name: Oracle 10g/9i extproc directory traversal
Systems Affected: Oracle 10g/9i on all operating systems
Severity: Medium Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR23122004B
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004B.txt
Description
***********
The Oracle database server supports PL/SQL, a programming language. PL/SQL
can execute external procedures via extproc. Over the past few years there
have been a number of vulnerabilities in this area:
http://www.nextgenss.com/advisories/oraplsextproc.txt
http://www.nextgenss.com/advisories/ora-extproc.txt
Extproc has been found to suffer from a directory traversal problem that
allows attackers access to arbitrary libraries.
Details
*******
extproc verifies that the library to be loaded is in the $ORACLE_HOME\bin
directory. This is to ensure that libraries outside of this directory cannot
be loaded. However, there exists a directory traversal issue whereby an
attacker can break outside of this constraint. This can allow attackers to
access libraries such as libc and msvcrt.dll. By calling the system()
function attackers can run arbitrary OS commands.
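The two extproc flaws above (#NISR23122004A and #NISR23122004B) share a root cause: the library name is checked before it is expanded and before it is resolved to a real path. The following Python is an added example, not Oracle code and not NGSSoftware's scanner; ORACLE_HOME, the 64-character limit and the environment values are constructed assumptions. It applies the length limit after environment expansion and requires the canonical path to stay under $ORACLE_HOME/bin.

```python
import posixpath
import re

# Constructed policy values for this example (assumptions, not Oracle's limits).
ORACLE_HOME = "/u01/app/oracle/product/10.1.0"
ALLOWED_DIR = posixpath.join(ORACLE_HOME, "bin")
MAX_LIBRARY_NAME = 64

_ENV_REF = re.compile(r"\$(\w+)|\$\{(\w+)\}")


def expand_env(name, env):
    """Expand $VAR and ${VAR} references using the supplied environment mapping.
    Unknown variables expand to the empty string, as a shell would."""
    def repl(match):
        return env.get(match.group(1) or match.group(2), "")
    return _ENV_REF.sub(repl, name)


def naive_length_check(name):
    """The flawed order: the length is checked on the raw name, before expansion.
    '$PATH' is five characters here, whatever it expands to later."""
    return len(name) <= MAX_LIBRARY_NAME


def validate_library_name(name, env):
    """Return the canonical library path if the request is acceptable, else None.

    Two rules, in this order: the length limit is applied to the *expanded*
    name, and the expanded name must resolve (lexically) to a file under
    $ORACLE_HOME/bin, so neither '..' segments nor an absolute path escape it.
    """
    expanded = expand_env(name, env)
    if not expanded or len(expanded) > MAX_LIBRARY_NAME:
        return None
    # posixpath.join discards ALLOWED_DIR when `expanded` is absolute, and
    # normpath folds '.' and '..', so the containment test below sees the
    # path the loader would actually open.
    candidate = posixpath.normpath(posixpath.join(ALLOWED_DIR, expanded))
    if not candidate.startswith(ALLOWED_DIR + "/"):
        return None
    # A real deployment would also confirm the target exists and is owned by
    # the software owner; that filesystem check is omitted here.
    return candidate
```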
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
- -------------------------------------------------------------------------------
Name: Oracle 10g/9i extproc local command execution
Systems Affected: Oracle 10g/9i on all operating systems
Severity: Medium Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR23122004C
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004C.txt
Description
***********
The Oracle database server supports PL/SQL, a programming language. PL/SQL
can execute external procedures via extproc. Over the past few years there
have been a number of vulnerabilities in this area:
http://www.nextgenss.com/advisories/oraplsextproc.txt
http://www.nextgenss.com/advisories/ora-extproc.txt
Extproc is intended only to accept requests from the Oracle database server
but local users can still execute commands bypassing this restriction.
Details
*******
No authentication takes place when extproc is asked to load a library and
execute a function. This allows local users to run commands as the Oracle
user (oracle on unix and system on Windows). If configured properly, under
10g, extproc runs as nobody on *nix systems so the risk posed here is
minimal but still present.
Fix Information
***************
Oracle has responded saying this is "expected behaviour" and they are not
going to fix it. NGSSoftware believes this does pose a security risk.
NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm), can be
used to assess whether your Oracle servers are vulnerable to this.
- -------------------------------------------------------------------------------
Name: Oracle 10g clear text passwords
Systems Affected: Oracle 10g on all operating systems
Severity: Medium Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004D
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004D.txt
Description
***********
The 10g Oracle database server may have passwords in clear text in world
readable files.
Details
*******
The password for the SYSMAN account (a DBA) can be found in
$ORACLE_HOME/hostname_sid/sysman/config/emoms.properties. This file is world
readable.
Also, on installing Oracle 10g if the installer supplies the same password
for the SYS, SYSTEM, DBSNMP and SYSMAN accounts and that password has an
exclamation mark in it (e.g. f00bar!!) then an error occurs in the DB
install when the passwords are set for SYSMAN and DBSNMP. This error is
logged to the "postDBCreation.log" logging the password.
alter user SYSMAN identified by f00bar!! account unlock
ERROR at line 1:
ORA-00922: missing or invalid option
alter user DBSNMP identified by f00bar!! account unlock
ERROR at line 1:
ORA-00922: missing or invalid option
This file is world readable giving attackers access to what the passwords
are for these powerful accounts. Please note that no error is generated for
SYS or SYSTEM and these accounts are assigned the password f00bar!!. The
other accounts are given their default passwords.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
- -------------------------------------------------------------------------------
Name: Oracle ISQL*Plus load.uix file access
Systems Affected: Oracle 10g AS on all operating systems
Severity: Medium
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004E
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004E.txt
Description
***********
The 10g Oracle Application Server installs ISQL*Plus. Once logged in, an
attacker can use load.uix to read files on the server.
Details
*******
From isqlplus it is possible to load a script and execute it. On navigating
to http://server:5560/isqlplus/load.uix two input boxes are displayed - one
called "URL" and the other "File". By entering a full path an attacker can
load and read any file that the oracle user can read, for example
"/etc/passwd" on Linux or "C:\boot.ini" on Windows. An attacker can read
the files mentioned in #NISR2122004D to gain the privileges of SYSMAN.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
- -------------------------------------------------------------------------------
Name: Oracle 10g TNS Listener DoS
Systems Affected: Oracle 10g on all operating systems
Severity: High risk on high availability systems else low
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004F
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004F.txt
Description
***********
The 10g Oracle TNS Listener is vulnerable to a denial of service
vulnerability.
Details
*******
This occurs by sending the Listener a malformed service_register_NSGR
request. Byte 182 of the request is used as an offset to a pointer; in a
normal request this byte's value is 5 but by setting it to say 0xCC an
attacker can get the Listener to access (read) an arbitrary value which
causes the Listener to access violate/core dump.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
- -------------------------------------------------------------------------------
Name: Oracle 10g character conversion bug
Systems Affected: Oracle 10g/AS on all operating systems
Severity: High risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004G
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004G.txt
Description
***********
Due to character conversion problems in Oracle 10g with Oracle's Application
server it is possible to bypass pl/sql exclusions and gain access to the
database server as SYS.
Details
*******
There is a character conversion bug in 10g that can lead to a compromised
backend database server. Both Windows and Linux are affected. Consider the
following set up. There is an Oracle HTTP Server (running Apache 1.3.22 on
Windows) using the PL/SQL module feeding into a 10g box running on Windows
and a 10g box running on Linux. The character set for both instances is
WE8ISO8859P1. When the app server receives a request of
http://server/pls/windad/%FF%FF%FF%FF%FF
the %FFs are converted to the byte 0xFF (as expected) but sniffing the
database response to the app server we get
"ORA-06550: line 8, column 2: PLS-00201: identifier 'YYYYY' must be
declared....."
10g, when using the WE8ISO8859P1 character set, converts 0xFF to 0x59 - that
is uppercase Y. Due to this conversion an attacker can request
http://server/pls/windad/S%FFS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users
and gain access to "banned" and dangerous procedures. The character set for
the HTTP server is set to AMERICAN_AMERICA.WE8ISO8859P1.
If, however, we set the character set on the HTTP Server to
ENGLISH_UNITEDKINGDOM.WE8MSWIN1252, not only is the 0xFF still converted to
0x59 but if
http://server/pls/windad/%9F%9F%9F%9F%9F%9F
is requested, the _app_server_ (note - not 10g) converts the %9F to a Y and
again this allows us to do the following
http://server/pls/windad/S%9FS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users
again giving access to the "banned" and dangerous procedures.
Other character sets and scenarios may cause similar problems.
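The defensive lesson of #NISR2122004G is that an exclusion list must be matched against the identifier as the database will see it, not against the raw request bytes. The Python below is an added example, not the Oracle PL/SQL gateway's code; the exclusion prefixes are a constructed list and the conversion table folds 0xFF and 0x9F to 'Y' as the two scenarios above report, with every other high byte treated as unmappable.

```python
from urllib.parse import unquote_to_bytes

# Constructed exclusion list in the spirit of the gateway's banned prefixes
# (assumption: the real PlsqlExclusionList entries are not reproduced here).
EXCLUSION_PREFIXES = ("SYS.", "DBMS_", "UTL_", "OWA_UTIL.")

# Lossy conversions reported in the advisory: 0xFF reaches a WE8ISO8859P1 10g
# instance as 'Y', and the app server turns 0x9F into 'Y' under WE8MSWIN1252.
# Constructed table; other non-ASCII bytes are treated as unmappable here.
LOSSY_TO_ASCII = {0xFF: "Y", 0x9F: "Y"}


def procedure_from_request(path):
    """Return the raw (percent-decoded) procedure name from a /pls/<dad>/ URL."""
    route = path.split("?", 1)[0]        # drop the query string
    segment = route.rsplit("/", 1)[-1]   # the last path segment names the procedure
    return unquote_to_bytes(segment)     # bytes: no charset is assumed yet


def database_view(raw):
    """Approximate the identifier as the back-end database will see it after
    conversion: ASCII passes through, lossy bytes fold to ASCII, the rest are '?'."""
    out = []
    for b in raw:
        out.append(chr(b) if b < 0x80 else LOSSY_TO_ASCII.get(b, "?"))
    return "".join(out).upper()


def _matches_exclusion(name):
    return any(name.startswith(prefix) for prefix in EXCLUSION_PREFIXES)


def naive_is_allowed(raw):
    """Flawed check: the list is matched against the raw request bytes, before
    the conversion that turns S\\xffS into SYS, so the prefix never matches."""
    return not _matches_exclusion(raw.decode("latin-1").upper())


def hardened_is_allowed(raw):
    """Refuse any identifier that is not plain ASCII, then match the list against
    the converted name so that the check sees exactly what the database sees."""
    if any(b >= 0x80 for b in raw):
        return False
    return not _matches_exclusion(database_view(raw))
```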
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
- -------------------------------------------------------------------------------
Name: Oracle 10g/9i Multiple PL/SQL injection vulnerabilities
Systems Affected: Oracle 10g/AS on all operating systems
Severity: High risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004H
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004H.txt
Description
***********
Oracle 10g and 9i suffer from multiple PL/SQL injection vulnerabilities.
Details
*******
When a PL/SQL procedure executes, it does so with the permissions of the
definer unless the AUTHID CURRENT USER keyword has been specified. In this
case the procedure executes with invoker privileges. Any procedure that uses
definer rights can be abused to gain elevated privileges if they are
vulnerable to PL/SQL injection. Known to be vulnerable are
Owner    Procedure
SYS      DBMS_EXPORT_EXTENSION
WKSYS    WK_ACL.GET_ACL
WKSYS    WK_ACL.STORE_ACL
WKSYS    WK_ADM.COMPLETE_ACL_SNAPSHOT
WKSYS    WK_ACL.DELETE_ACLS_WITH_STATEMENT
CTXSYS   DRILOAD.VALIDATE_STMT
Each of these can be exploited to gain DBA privileges. Further, attacks can
be effected via an Oracle Application Server without the attacker having a
user ID and password.
Note - CTXSYS is not a DBA in 10g but is on 9i.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
- -------------------------------------------------------------------------------
Name: Oracle 10g/9i Trigger Abuse
Systems Affected: Oracle 10g/9i on all operating systems
Severity: High risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004I
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004I.txt
Description
***********
Database triggers exist to help maintain data integrity and perform certain
actions when a table's data is modified. Many of the default triggers in
Oracle can be abused to gain elevated privileges.
Details
*******
Triggers are written in PL/SQL and execute with the privileges of the
definer/owner.
The trigger SDO_CMT_CBK_TRIG, owned by MDSYS, fires when a DELETE is
performed on the SDO_TXN_IDX_INSERTS table also owned by MDSYS. PUBLIC has
the SELECT, INSERT, UPDATE and DELETE object privileges on this table.
Consequently, anyone can cause the SDO_CMT_CBK_TRIG trigger to fire by
deleting a row from the table. If we examine the text of the trigger we can
see that, before the DELETE actually occurs, a list of functions are
selected from the SDO_CMT_DBK_FN_TABLE and SDO_CMT_CBK_DML_TABLE tables and
then these functions are executed. PUBLIC has no object privileges set for
either of these tables so they cannot insert their own function name.
However, the PRVT_CMT_CBK package owned by MDSYS has two procedures,
CCBKAPPLROWTRIG and EXEC_CBK_FN_DML, that take as their parameters a schema
and function name which are then inserted into the SDO_CMT_DBK_FN_TABLE and
SDO_CMT_CBK_DML_TABLE tables. PUBLIC has the EXECUTE permission on the
PRVT_CMT_CBK package and, as it has not been defined with the 'AUTHID
CURRENT_USER' keyword, the package executes using the rights of MDSYS, the
definer, and not the invoker. As a result of this anyone can indirectly
insert function names into the SDO_CMT_DBK_FN_TABLE and
SDO_CMT_CBK_DML_TABLE tables. Thus when a DELETE occurs on
SDO_TXN_IDX_INSERTS anyone can influence what actions the SDO_CMT_CBK_TRIG
trigger takes - in other words, anyone can get the trigger to execute an
arbitrary function. What is more, this function, as it is being executed
from the trigger will run with the privileges of MDSYS and an attacker can
exploit this to gain elevated privileges.
The MDSYS.SDO_GEOM_TRIG_INS1 trigger is vulnerable to SQL injection on both
9i and 10g. The trigger executes the following
..
..
EXECUTE IMMEDIATE
'SELECT user FROM dual' into tname;
stmt := 'SELECT count(*) FROM SDO_GEOM_METADATA_TABLE ' ||
'WHERE sdo_owner = ''' || tname || ''' ' ||
' AND sdo_table_name = ''' || :n.table_name || ''' '||
' AND sdo_column_name = ''' || :n.column_name || ''' ';
..
..
when an INSERT is performed on MDSYS.USER_SDO_GEOM_METADATA. The
:new.table_name and :new.column_name can be influenced by the user and SQL
injected. PUBLIC has the permissions to INSERT into this table. As such the
trigger can be abused to gain MDSYS privileges - a DBA.
The MDSYS.SDO_LRS_TRIG_INS trigger fires when an INSERT occurs on the
MDSYS.USER_SDO_LRS_METADATA view. PUBLIC can insert into this view and so
cause the trigger to fire. This trigger is vulnerable to SQL injection. Both
Oracle 9i and 10g are affected. It executes
..
..
stmt := 'SELECT count(*) FROM SDO_LRS_METADATA_TABLE ' ||
' WHERE sdo_owner = ''' || UPPER(user_name) || ''' ' ||
' AND sdo_table_name = ''' || UPPER(:n.table_name) || ''' ' ||
' AND sdo_column_name = ''' || UPPER(:n.column_name) || ''' ';
EXECUTE IMMEDIATE stmt INTO vcount;
..
..
and :new.table_name and :new.column_name are user supplied in the insert
statement. This is where an attacker can insert SQL.
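Both trigger fragments above show the same pattern: a statement string assembled with || from :new column values and then passed to EXECUTE IMMEDIATE. The scanner below is an added example, not NGSSoftware's tool or Oracle code, for finding that pattern in trigger and package source. It runs over the SDO_LRS_TRIG_INS fragment quoted above and over a constructed rewrite of the same statement that passes the values as bind variables, which is the shape a fix should take.

```python
import re

# Trigger body as quoted in the advisory (constructed sample input for the
# scanner; the ".." elisions in the advisory are dropped).
SDO_LRS_TRIG_INS_BODY = """
stmt := 'SELECT count(*) FROM SDO_LRS_METADATA_TABLE ' ||
' WHERE sdo_owner = ''' || UPPER(user_name) || ''' ' ||
' AND sdo_table_name = ''' || UPPER(:n.table_name) || ''' ' ||
' AND sdo_column_name = ''' || UPPER(:n.column_name) || ''' ';
EXECUTE IMMEDIATE stmt INTO vcount;
"""

# Constructed rewrite for comparison: the :new values travel as bind variables
# in a USING clause, so they cannot change the statement's structure.
SAFE_BODY = """
stmt := 'SELECT count(*) FROM SDO_LRS_METADATA_TABLE ' ||
' WHERE sdo_owner = :1 AND sdo_table_name = :2 AND sdo_column_name = :3';
EXECUTE IMMEDIATE stmt INTO vcount
    USING UPPER(user_name), UPPER(:n.table_name), UPPER(:n.column_name);
"""

# var := expr;  (a ';' inside a string literal would cut the expression short;
# acceptable for a first-pass scanner, noted as a limitation)
_ASSIGN = re.compile(r"(\w+)\s*:=\s*(.*?);", re.S)
_EXEC_IMM = re.compile(r"EXECUTE\s+IMMEDIATE\s+(\w+)", re.I)  # EXECUTE IMMEDIATE <var>
_NEW_REF = re.compile(r":(?:new|n)\.(\w+)", re.I)             # :new.col or :n.col


def find_tainted_dynamic_sql(body):
    """Return sorted (variable, column) pairs where a string built by
    concatenating a :new column value is later executed via EXECUTE IMMEDIATE."""
    tainted = {}
    for var, expr in _ASSIGN.findall(body):
        if "||" in expr:                    # built by concatenation ...
            cols = _NEW_REF.findall(expr)   # ... from user-influenced :new values
            if cols:
                tainted[var.upper()] = [c.upper() for c in cols]
    findings = set()
    for var in _EXEC_IMM.findall(body):
        for col in tainted.get(var.upper(), []):
            findings.add((var.upper(), col))
    return sorted(findings)
```

In practice the body text would be pulled from DBA_SOURCE and DBA_TRIGGERS for the MDSYS, CTXSYS and WKSYS schemas rather than embedded as above.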
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
- -------------------------------------------------------------------------------
Name: Oracle 10g/9i wrapped procedure buffer overflow
Systems Affected: Oracle 10g/9i on all operating systems
Severity: High risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004J
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004J.txt
Description
***********
The code for PL/SQL procedures can be encrypted or "wrapped" to use the
Oracle term. When a wrapped procedure is created a buffer overflow
vulnerability can be triggered.
Details
*******
By placing an overly long token in the text of a procedure that has been
wrapped with version 9, a stack based buffer is overflowed in the Oracle
server when the procedure is created. Exploitation of this allows an attacker
to run code as the Oracle user.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
- -------------------------------------------------------------------------------
About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.
http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================