SecuriTeam - Oracle Listener Control Format Strings

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Oracle provides a tool called the Listener Control utility (lsnrctl) to allow an Oracle DBA to remotely control the Listener. The Listener is responsible for dealing with client requests for database services. This control utility contains an indirect remotely exploitable format string vulnerability.

Credit:
The original advisory can be viewed at:
http://www.ngssoftware.com/advisories/ora-lsnrfmtstr.txt
The information has been provided by David Litchfield.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
* Oracle 9i, 8i on all platforms

By default, the Oracle Listener is not protected against unauthenticated access and control. The configuration files of Listeners in such a state can be modified without the user needing to supply a password. By modifying certain entries in the listener.ora file, by inserting a format string exploit, an attacker can gain control of a Listener control utility. Typically an attack would require the attacker to modify the file and wait for an Oracle DBA to use the Listener control utility to access the Listener at which point control over the utility's path of execution can be gained. This will give the attacker the ability only to gain control of the DBA's machine and not the database server. This is a complex attack and requires certain "events" to happen and as such, the risk is quite low. That said, Oracle users are urged to apply the patch.

Fix Information:
NGSSoftware alerted Oracle to this problem on 13 May 2002. Oracle have produced a patch and issued an alert. Please see their bulletin for more details.

http://otn.oracle.com/deploy/security/pdf/2002alert40rev1.pdf

In the meanwhile NGSSoftware, advises that Oracle DBAs ensure that the Listener cannot be controlled remotely and anonymously.

There are several steps one can take to secure the Listener and hence prevent exploitation of this format string vulnerability.

One can set in the listener.ora

ADMIN_RESTRICTIONS_lsnrname=ON

This will prevent modifications to the Listener config files. Further a password should be set to limit actions a user can take.

	SugarCRM Online Document Cross-Site Scripting (XSS) Vulnerability
	Skype URI Processing Arbitrary XML File Deletion Vulnerability
	Skype Protocol Handler Datapath Argument Injection Credential Disclosure Vulnerability
	LedgerSMB Multiple Vulnerabilities
	Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
	Piwik Cookie Unserialize Vulnerability
	Invision Power Board SQL PHP File Inclusion and SQL Injection
	U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability
	DevIL DICOM Buffer Overflow Vulnerability
	Marvell Driver Multiple Information Element Overflows
	HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
	HP Color LaserJet Printers Unauthorized Access to Data and DoS
	KDE KDELibs Remote Array Overrun with Arbitrary Code Execution
	Gimp BMP Image Parsing Integer Overflow Vulnerability
	Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation