Serious Oracle Vulnerabilities Identified


December 31, 2004

Oracle patch #68 is now critical for any Oracle system that may be exposed to external attack. The NGSSoftware advisories reproduced below describe nine issues; patch #68 addresses eight of them, while the first (extproc local command execution) is one Oracle has declined to fix. The list, courtesy of NGSSoftware:

      1. Oracle extproc local command execution (#NISR23122004C) (NOT PATCHED)

      2. Oracle ISQLPlus file access vulnerability (#NISR2122004E)

      3. Oracle TNS Listener DoS (#NISR2122004F)

      4. Oracle multiple PL/SQL injection vulnerabilities (#NISR2122004H)

      5. Oracle wrapped procedure overflow (#NISR2122004J)

      6. Oracle extproc directory traversal (#NISR23122004B)

      7. Oracle extproc buffer overflow (#NISR23122004A)

      8. Oracle clear text passwords (#NISR2122004D)

      9. Oracle Character Conversion Bugs (#NISR2122004G)
________________________________________________________________________

Message: 1        
Subject: Oracle extproc local command execution (#NISR23122004C)

NGSSoftware Insight Security Research Advisory

Name: Oracle 10g/9i extproc local command execution
Systems Affected: Oracle 10g/9i on all operating systems
Severity: Medium Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR23122004C
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004C.txt

Description
***********
The Oracle database server supports PL/SQL, a programming language. PL/SQL
can execute external procedures via extproc. Over the past few years there
have been a number of vulnerabilities in this area:

http://www.nextgenss.com/advisories/oraplsextproc.txt
http://www.nextgenss.com/advisories/ora-extproc.txt

Extproc is intended only to accept requests from the Oracle database server
but local users can still execute commands bypassing this restriction.

Details
*******
No authentication takes place when extproc is asked to load a library and
execute a function. This allows local users to run commands as the Oracle
user (oracle on unix and system on Windows). If configured properly, under
10g, extproc runs as nobody on *nix systems so the risk posed here is
minimal but still present.


Fix Information
***************
Oracle has responded saying this is "expected behaviour" and they are not
going to fix it. NGSSoftware believes this does pose a security risk.
NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm), can be
used to assess whether your Oracle servers are vulnerable to this.


________________________________________________________________________

Message: 2        
Subject: Oracle ISQLPlus file access vulnerability (#NISR2122004E)

NGSSoftware Insight Security Research Advisory

Name: Oracle ISQL*Plus load.uix file access
Systems Affected: Oracle 10g AS on all operating systems
Severity: Medium
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004E
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004E.txt

Description
***********
The 10g Oracle Application Server installs ISQL*Plus. Once logged in, an
attacker can use load.uix to read files on the server.

Details
*******
From iSQL*Plus it is possible to load a script and execute it. On navigating
to http://server:5560/isqlplus/load.uix two input boxes are displayed - one
called "URL" and the other "File". By entering a full path an attacker
can load and read any file that the oracle user can read, for example
"/etc/passwd" on Linux or "C:\boot.ini" on Windows. An attacker can read
the files mentioned in #NISR2122004D to gain the privileges of SYSMAN.

Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://MOSC.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.

________________________________________________________________________

Message: 3        
Subject: Oracle TNS Listener DoS (#NISR2122004F)

NGSSoftware Insight Security Research Advisory

Name: Oracle 10g TNS Listener DoS
Systems Affected: Oracle 10g on all operating systems
Severity: High risk on high availability systems else low
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004F
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004F.txt

Description
***********
The 10g Oracle TNS Listener is vulnerable to a denial of service
vulnerability.

Details
*******
This occurs by sending the Listener a malformed service_register_NSGR
request. Byte 182 of the request is used as an offset to a pointer; in a
normal request this byte's value is 5 but by setting it to say 0xCC an
attacker can get the Listener to access (read) an arbitrary value which
causes the Listener to access violate/core dump.


Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://MOSC.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.

________________________________________________________________________

Message: 4        
Subject: Oracle multiple PL/SQL injection vulnerabilities (#NISR2122004H)

NGSSoftware Insight Security Research Advisory

Name: Oracle 10g/9i Multiple PL/SQL injection vulnerabilities
Systems Affected: Oracle 10g/AS on all operating systems
Severity: High risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004H
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004H.txt

Description
***********
Oracle 10g and 9i suffer from multiple PL/SQL injection vulnerabilities.

Details
*******

When a PL/SQL procedure executes, it does so with the permissions of the
definer unless the AUTHID CURRENT_USER keyword has been specified, in which
case the procedure executes with invoker privileges. Any procedure that uses
definer rights can be abused to gain elevated privileges if it is
vulnerable to PL/SQL injection. Known to be vulnerable are


Owner    Procedure
SYS      DBMS_EXPORT_EXTENSION
WKSYS    WK_ACL.GET_ACL
WKSYS    WK_ACL.STORE_ACL
WKSYS    WK_ADM.COMPLETE_ACL_SNAPSHOT
WKSYS    WK_ACL.DELETE_ACLS_WITH_STATEMENT
CTXSYS   DRILOAD.VALIDATE_STMT

Each of these can be exploited to gain DBA privileges. Further, attacks can
be effected via an Oracle Application Server without the attacker having a
user ID and password.

Note - CTXSYS is not a DBA in 10g but is on 9i.


Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://MOSC.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
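
Added example (not part of the NGSSoftware advisory, and not Oracle's code): a
Python triage of PL/SQL source for the combination the advisory describes, a
definer-rights unit (no AUTHID CURRENT_USER) that builds dynamic SQL by
concatenating one of its own parameters. The three sample units are constructed
with hypothetical names; they are not the Oracle packages listed above.

```python
"""Added example: triage PL/SQL source for definer-rights units that build
dynamic SQL by concatenating a parameter. The three sample units below are
constructed for this example and their names are hypothetical."""
import re

SAMPLE_SOURCES = {
    # Definer rights (no AUTHID clause) + parameter spliced into dynamic SQL:
    # the shape the advisory describes.
    "APP.GET_ROWS": """
CREATE OR REPLACE PROCEDURE get_rows(p_owner IN VARCHAR2) AS
  v_sql VARCHAR2(4000);
  v_cnt NUMBER;
BEGIN
  v_sql := 'SELECT COUNT(*) FROM all_tables WHERE owner = ''' || p_owner || '''';
  EXECUTE IMMEDIATE v_sql INTO v_cnt;
END;
""",
    # Invoker rights and a bind variable: the parameter never enters the SQL text.
    "APP.GET_ROWS_SAFE": """
CREATE OR REPLACE PROCEDURE get_rows_safe(p_owner IN VARCHAR2)
  AUTHID CURRENT_USER AS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM all_tables WHERE owner = :o'
    INTO v_cnt USING p_owner;
END;
""",
    # Definer rights but static SQL only: the compiler binds the parameter.
    "APP.STATIC_ONLY": """
CREATE OR REPLACE PROCEDURE static_only(p_owner IN VARCHAR2) AS
  v_cnt NUMBER;
BEGIN
  SELECT COUNT(*) INTO v_cnt FROM all_tables WHERE owner = p_owner;
END;
""",
}

HEADER = re.compile(r"\b(?:PROCEDURE|FUNCTION)\s+\w+\s*\((.*?)\)", re.I | re.S)
AUTHID_CURRENT_USER = re.compile(r"\bAUTHID\s+CURRENT_USER\b", re.I)
DYNAMIC_SQL = re.compile(r"\bEXECUTE\s+IMMEDIATE\b|\bDBMS_SQL\.PARSE\b", re.I)


def formal_params(source):
    """Parameter names from the unit header, upper-cased like Oracle identifiers."""
    m = HEADER.search(source)
    if not m:
        return []
    return [p.split()[0].upper() for p in m.group(1).split(",") if p.strip()]


def concatenated_params(source, params):
    """Parameters that appear directly next to a || concatenation operator."""
    hits = []
    for p in params:
        pat = r"\|\|\s*" + re.escape(p) + r"\b|\b" + re.escape(p) + r"\s*\|\|"
        if re.search(pat, source, re.I):
            hits.append(p)
    return hits


def definer_rights_units(sources):
    """Units that run with the owner's privileges (no AUTHID CURRENT_USER)."""
    return [name for name, src in sources.items()
            if not AUTHID_CURRENT_USER.search(src)]


def triage(sources):
    """Map unit name -> parameters spliced into dynamic SQL, for definer-rights
    units only. Bind variables (USING ...) and static SQL are not flagged."""
    findings = {}
    for name, src in sources.items():
        if AUTHID_CURRENT_USER.search(src) or not DYNAMIC_SQL.search(src):
            continue
        spliced = concatenated_params(src, formal_params(src))
        if spliced:
            findings[name] = spliced
    return findings


if __name__ == "__main__":
    for unit, params in triage(SAMPLE_SOURCES).items():
        print(f"{unit}: definer rights, dynamic SQL built from {', '.join(params)}")
```

The regexes are a first-pass heuristic: they flag concatenation next to a
parameter in any unit that also contains EXECUTE IMMEDIATE or DBMS_SQL.PARSE,
so a parameter that is quoted with DBMS_ASSERT before concatenation is still
reported for review, and a value copied into a local variable first is missed.
Running the same scan over a DBA_SOURCE extract of the schemas named above is a
reasonable way to prioritise manual review.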


________________________________________________________________________

Message: 5        
Subject: Oracle wrapped procedure overflow (#NISR2122004J)

NGSSoftware Insight Security Research Advisory

Name: Oracle 10g/9i wrapped procedure buffer overflow
Systems Affected: Oracle 10g/9i on all operating systems
Severity: High risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004J
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004J.txt

Description
***********
The code for PL/SQL procedures can be encrypted or "wrapped" to use the
Oracle term. When a wrapped procedure is created a buffer overflow
vulnerability can be triggered.


Details
*******
By placing an overly long token in the text of a procedure that has been
wrapped with version 9, a stack-based buffer is overflowed in the Oracle server
when the procedure is created. Exploitation of this allows an attacker to
run code as the Oracle user.



Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://MOSC.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.

________________________________________________________________________

Message: 6        
Subject: Oracle extproc directory traversal (#NISR23122004B)

NGSSoftware Insight Security Research Advisory

Name: Oracle 10g/9i extproc directory traversal
Systems Affected: Oracle 10g/9i on all operating systems
Severity: Medium Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR23122004B
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004B.txt

Description
***********
The Oracle database server supports PL/SQL, a programming language. PL/SQL
can execute external procedures via extproc. Over the past few years there
have been a number of vulnerabilities in this area:

http://www.nextgenss.com/advisories/oraplsextproc.txt
http://www.nextgenss.com/advisories/ora-extproc.txt

Extproc has been found to suffer from a directory traversal problem that
allows attackers access to arbitrary libraries.

Details
*******
extproc verifies that the library to be loaded is in the $ORACLE_HOME\bin
directory. This is to ensure that libraries outside of this directory cannot
be loaded. However, there exists a directory traversal issue whereby an
attacker can break outside of this constraint. This can allow attackers to
access libraries such as libc and msvcrt.dll. By calling the system()
function attackers can run arbitrary OS commands.



Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://MOSC.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.


________________________________________________________________________

Message: 7        
Subject: Oracle extproc buffer overflow (#NISR23122004A)

NGSSoftware Insight Security Research Advisory

Name: Oracle 10g extproc buffer overflow
Systems Affected: Oracle 10g on all operating systems
Severity: High Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR23122004A
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004.txt

Description
***********
The Oracle database server supports PL/SQL, a programming language. PL/SQL
can execute external procedures via extproc. Over the past few years there
have been a number of vulnerabilities in this area:

http://www.nextgenss.com/advisories/oraplsextproc.txt
http://www.nextgenss.com/advisories/ora-extproc.txt

Extproc has been found to suffer from another buffer overflow vulnerability.

Details
*******
Oracle 10g imposes a length limit on the library name to be loaded by
extproc. However, this length limit can be evaded by passing environment
variables as part of the library name. Later on the environment variable is
expanded allowing the buffer overflow to be exploited. For example '$PATH'
is 5 characters long; this passes the length check. However, when expanded
'$PATH' becomes many more characters.
Exploitation depends upon the system setup but by trial and error a balance
can be found allowing arbitrary code to be executed. No user ID or password
is required to exploit this vulnerability.


Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://MOSC.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
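
Added example covering the two extproc flaws above (#NISR23122004B and
#NISR23122004A), written in Python to show the validation logic rather than
extproc's own C code, which is not on the page. Two things are assumed: that
the original containment check behaves like a textual prefix test on the
unexpanded name, and a 64-byte name limit; the advisory gives neither the
implementation nor the number. The ORACLE_HOME path and the library names are
constructed.

```python
"""Added example: library-name validation for an extproc-style loader.
Models the two flaws described above (traversal past $ORACLE_HOME/bin, and a
length check applied before $VARIABLE expansion) beside a hardened check.
ORACLE_HOME, the 64-byte limit and the prefix-test model are assumptions."""
import posixpath
import re

ORACLE_HOME = "/u01/app/oracle/product/10.1.0"   # assumed layout
ALLOWED_DIR = posixpath.join(ORACLE_HOME, "bin")
MAX_LIB_NAME = 64                                  # hypothetical limit

VAR_REF = re.compile(r"\$(\w+)")


def expand(name, env):
    """$VAR expansion against an explicit environment: a deterministic
    stand-in for the expansion the loader performs after its checks."""
    return VAR_REF.sub(lambda m: env.get(m.group(1), m.group(0)), name)


def naive_check(name):
    """Model of the pre-patch order: length test, then a textual prefix test,
    both on the unexpanded, uncanonicalised name."""
    return len(name) <= MAX_LIB_NAME and name.startswith(ALLOWED_DIR + "/")


def hardened_check(name):
    """Refuse variable references, canonicalise, then test containment and
    length on the form that will actually be opened."""
    if VAR_REF.search(name) or not posixpath.isabs(name):
        return False
    resolved = posixpath.normpath(name)   # os.path.realpath on a live host
    if len(resolved) > MAX_LIB_NAME:
        return False
    return (posixpath.commonpath([resolved, ALLOWED_DIR]) == ALLOWED_DIR
            and resolved != ALLOWED_DIR)


# Constructed inputs: a traversal to libc, a 5-character '$PATH' reference as
# in the advisory, and a legitimate library under $ORACLE_HOME/bin.
TRAVERSAL = ALLOWED_DIR + "/../../../../lib/libc.so.6"
ENVVAR = ALLOWED_DIR + "/$PATH"
LEGIT = ALLOWED_DIR + "/libgood.so"


def demo(env):
    """Outcome of both checks for each constructed input."""
    return {
        "traversal": (naive_check(TRAVERSAL), posixpath.normpath(TRAVERSAL),
                      hardened_check(TRAVERSAL)),
        "envvar": (naive_check(ENVVAR), len(expand(ENVVAR, env)),
                   hardened_check(ENVVAR)),
        "legit": (naive_check(LEGIT), hardened_check(LEGIT)),
    }


if __name__ == "__main__":
    for case, outcome in demo({"PATH": "/opt/" + "A" * 200}).items():
        print(case, outcome)
```

The two fixes are one rule applied twice: decide on the string that will
actually be used, not the string that was received. The hardened check refuses
variable references instead of expanding them, canonicalises the path before
the containment test, and measures the length of the canonical form. On a real
host os.path.realpath should replace posixpath.normpath so that symbolic links
inside $ORACLE_HOME/bin are resolved as well.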


________________________________________________________________________

Message: 8        
Subject: Oracle clear text passwords (#NISR2122004D)

NGSSoftware Insight Security Research Advisory

Name: Oracle 10g clear text passwords
Systems Affected: Oracle 10g on all operating systems
Severity: Medium Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004D
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004D.txt

Description
***********
The 10g Oracle database server may have passwords in clear text in world
readable files.

Details
*******
The password for the SYSMAN account (a DBA) can be found in
$ORACLE_HOME/hostname_sid/sysman/config/emoms.properties. This file is world
readable.

Also, on installing Oracle 10g if the installer supplies the same password
for the SYS, SYSTEM, DBSNMP and SYSMAN accounts and that password has an
exclamation mark in it (e.g. f00bar!!) then an error occurs in the DB
install when the passwords are set for SYSMAN and DBSNMP. This error is
logged to the "postDBCreation.log" logging the password.

alter user SYSMAN identified by f00bar!! account unlock
ERROR at line 1:
ORA-00922: missing or invalid option

alter user DBSNMP identified by f00bar!! account unlock
ERROR at line 1:
ORA-00922: missing or invalid option

This file is world readable giving attackers access to what the passwords
are for these powerful accounts. Please note that no error is generated for
SYS or SYSTEM and these accounts are assigned the password f00bar!!. The
other accounts are given their default passwords.

Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://MOSC.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
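
Added example (not from the advisory): a Python audit that walks an ORACLE_HOME
for the two files named above, reports whether each is world-readable and lists
the lines that carry a credential. The sample tree is constructed in a
temporary directory; the emdRepPwd property key and the cfgtoollogs/dbca/<sid>
location of postDBCreation.log are assumptions, since the advisory gives only
the emoms.properties path and the logged ALTER USER lines.

```python
"""Added example: find emoms.properties and postDBCreation.log under an
ORACLE_HOME, report world-readability and the lines holding a credential.
The sample ORACLE_HOME tree is constructed; the properties key name and the
log file location are assumptions."""
import os
import re
import stat
import tempfile

TARGET_FILES = {"emoms.properties", "postDBCreation.log"}
# Either form seen on the page: a logged "identified by <password>" statement,
# or a properties key whose name contains pwd/password.
CREDENTIAL_LINE = re.compile(
    r"identified\s+by\s+\S+|\w*(?:pwd|password)\w*\s*=", re.I)


def world_readable(path):
    """True when the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit(oracle_home):
    """Walk ORACLE_HOME and describe every target file found."""
    findings = []
    for root, _dirs, files in os.walk(oracle_home):
        for name in files:
            if name not in TARGET_FILES:
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = [n for n, line in enumerate(fh, 1)
                        if CREDENTIAL_LINE.search(line)]
            findings.append({"name": name, "path": path,
                             "world_readable": world_readable(path),
                             "credential_lines": hits})
    return sorted(findings, key=lambda f: f["name"])


def build_sample_home():
    """Constructed tree: a world-readable properties file holding a password,
    and an owner-only log (the permission state a fix should leave it in)."""
    home = tempfile.mkdtemp(prefix="orahome_")
    cfg = os.path.join(home, "dbhost_orcl", "sysman", "config")
    os.makedirs(cfg)
    props = os.path.join(cfg, "emoms.properties")
    with open(props, "w") as fh:
        fh.write("oracle.sysman.eml.mntr.emdRepPwd=f00bar!!\n")  # key name assumed
    os.chmod(props, 0o644)
    logdir = os.path.join(home, "cfgtoollogs", "dbca", "orcl")  # location assumed
    os.makedirs(logdir)
    log = os.path.join(logdir, "postDBCreation.log")
    with open(log, "w") as fh:
        fh.write("alter user SYSMAN identified by f00bar!! account unlock\n"
                 "ERROR at line 1:\n"
                 "ORA-00922: missing or invalid option\n")
    os.chmod(log, 0o600)
    return home


if __name__ == "__main__":
    for f in audit(build_sample_home()):
        print(f["path"],
              "world-readable" if f["world_readable"] else "owner-only",
              "credential lines:", f["credential_lines"])
```

Point the audit at a real ORACLE_HOME to get the same report for every
installation; any file it lists as world-readable with credential lines should
be tightened to owner-only and the password it exposes rotated, since the
install log in particular is rarely cleaned up.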

________________________________________________________________________

Message: 9        
Subject: Oracle Character Conversion Bugs (#NISR2122004G)

NGSSoftware Insight Security Research Advisory

Name: Oracle 10g character conversion bug
Systems Affected: Oracle 10g/AS on all operating systems
Severity: High risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004G
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004G.txt

Description
***********
Due to character conversion problems in Oracle 10g with Oracle's Application
server it is possible to bypass pl/sql exclusions and gain access to the
database server as SYS.

Details
*******
There is a character conversion bug in 10g that can lead to a compromised
backend database server. Both Windows and Linux are affected. Consider the
following set up. There's a Oracle HTTP Server (running apache 1.3.22 on
Windows) using the PL/SQL module feeding into a 10g box running on Windows
and a 10g box running on Linux. The character set for both instances is
WE8ISO8859P1. When the app server receives a request of

http://server/pls/windad/%FF%FF%FF%FF%FF

the %FFs are converted to the byte 0xFF (as expected) but sniffing the
database response to the app server we get

"ORA-06550: line 8, column 2: PLS-00201: identifier 'YYYYY' must be
declared....."

10g, when using the WE8ISO8859P1 character set, converts 0xFF to 0x59 - that
is uppercase Y. Due to this conversion an attacker can request

http://server/pls/windad/S%FFS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users 

and gain access to "banned" and dangerous procedures. The character set for
the HTTP server is set to AMERICAN_AMERICA.WE8ISO8859P1.

If, however, we set the character set on the HTTP Server to
ENGLISH_UNITEDKINGDOM.WE8MSWIN1252, not only is the 0xFF still converted to 0x59, but if

http://server/pls/windad/%9F%9F%9F%9F%9F%9F

is requested, the _app_server_ (note - not 10g) converts the %9F to a Y and again this
allows us to do the following

http://server/pls/windad/S%9FS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users 

again giving access to the "banned" and dangerous procedures.

Other character sets and scenarios may cause similar problems.



Fix Information
***************
A patch (#68) was released for this problem by Oracle. See
http://MOSC.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.
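
Added example (not mod_plsql's code, which is not on the page): the exclusion
check modelled in Python as a prefix test on the raw request bytes, followed by
the two conversions the advisory reports, 0xFF to 'Y' on the database side
under WE8ISO8859P1 and 0x9F to 'Y' on the app server side under WE8MSWIN1252.
The exclusion prefixes are an abridged, assumed list, and that the check runs
before conversion is the assumption the observed bypass implies. The hardened
variant checks the canonical name the database will resolve instead of the
bytes on the wire.

```python
"""Added example: a PL/SQL gateway exclusion check that matches raw bytes,
bypassed by the two conversions described above, beside a hardened check that
matches the canonical name. Exclusion list and check order are assumptions."""
import re

# Abridged, assumed exclusion list: prefixes the gateway refuses to call.
EXCLUSION_PREFIXES = (b"sys.", b"dbms_", b"utl_", b"owa_util.")

# Identifier alphabet the hardened gateway accepts before any conversion.
ASCII_IDENT = re.compile(rb"[A-Za-z0-9_$#.]+")


def excluded(name):
    """Prefix match on bytes (ASCII case-insensitive)."""
    low = name.lower()
    return any(low.startswith(p) for p in EXCLUSION_PREFIXES)


def app_server_convert(raw, http_charset):
    """App-server-side conversion: with WE8MSWIN1252 configured, 0x9F -> 'Y'."""
    return raw.replace(b"\x9f", b"Y") if http_charset == "WE8MSWIN1252" else raw


def database_convert(raw):
    """Database-side conversion under WE8ISO8859P1: 0xFF -> 0x59 ('Y')."""
    return raw.replace(b"\xff", b"Y").decode("latin-1")


def resolved_name(raw, http_charset):
    """The procedure name the database actually resolves."""
    return database_convert(app_server_convert(raw, http_charset)).upper()


def vulnerable_gateway(raw, http_charset):
    """Check the raw bytes, then convert: the check sees S<FF>S., not SYS."""
    if excluded(raw):
        return None
    return resolved_name(raw, http_charset)


def hardened_gateway(raw, http_charset):
    """Refuse non-ASCII identifiers outright, then check the canonical form
    (what the database will see) rather than the bytes on the wire."""
    if not ASCII_IDENT.fullmatch(raw):
        return None
    canonical = resolved_name(raw, http_charset)
    if excluded(canonical.encode("latin-1")):
        return None
    return canonical


# Constructed from the page's URLs: (raw path segment, HTTP server charset).
REQUESTS = [
    (b"S\xffS.OWA_UTIL.CELLSPRINT", "WE8ISO8859P1"),
    (b"S\x9fS.OWA_UTIL.CELLSPRINT", "WE8MSWIN1252"),
    (b"SYS.OWA_UTIL.CELLSPRINT", "WE8ISO8859P1"),
    (b"APP.SHOW_PAGE", "WE8ISO8859P1"),
]

if __name__ == "__main__":
    for raw, cs in REQUESTS:
        print(raw, cs, "vulnerable:", vulnerable_gateway(raw, cs),
              "hardened:", hardened_gateway(raw, cs))
```

Both bypasses fail against the hardened gateway for two independent reasons:
the identifier whitelist rejects any byte outside the ASCII identifier alphabet
before conversion, and even if that filter were relaxed the exclusion match is
made on the converted name. Other character sets may map other bytes to ASCII
letters, which is why a denylist applied to raw bytes is never sufficient on
its own.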

Burleson Consulting

Copyright © 1996 - 2017 All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.