SecuriTeam - Oracle Listener Control Format Strings

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

Oracle provides a tool called the Listener Control utility (lsnrctl) to allow an Oracle DBA to remotely control the Listener. The Listener is responsible for dealing with client requests for database services. This control utility contains an indirect remotely exploitable format string vulnerability.

Credit:
The original advisory can be viewed at:
http://www.ngssoftware.com/advisories/ora-lsnrfmtstr.txt
The information has been provided by David Litchfield.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
* Oracle 9i, 8i on all platforms

By default, the Oracle Listener is not protected against unauthenticated access and control. The configuration files of Listeners in such a state can be modified without the user needing to supply a password. By modifying certain entries in the listener.ora file, by inserting a format string exploit, an attacker can gain control of a Listener control utility. Typically an attack would require the attacker to modify the file and wait for an Oracle DBA to use the Listener control utility to access the Listener at which point control over the utility's path of execution can be gained. This will give the attacker the ability only to gain control of the DBA's machine and not the database server. This is a complex attack and requires certain "events" to happen and as such, the risk is quite low. That said, Oracle users are urged to apply the patch.

Fix Information:
NGSSoftware alerted Oracle to this problem on 13 May 2002. Oracle have produced a patch and issued an alert. Please see their bulletin for more details.

http://otn.oracle.com/deploy/security/pdf/2002alert40rev1.pdf

In the meanwhile NGSSoftware, advises that Oracle DBAs ensure that the Listener cannot be controlled remotely and anonymously.

There are several steps one can take to secure the Listener and hence prevent exploitation of this format string vulnerability.

One can set in the listener.ora

ADMIN_RESTRICTIONS_lsnrname=ON

This will prevent modifications to the Listener config files. Further a password should be set to limit actions a user can take.

blog comments powered by Disqus

	HP Data Protector LogBackupLocationStatus SQL Injection Vulnerabilty
	InduSoft WebStudio Unauthenticated Operations Code Execution Vulnerabilityy
	InduSoft WebStudio CEServer Operation 0x15 Code Execution Vulnerability
	HP Data Protector Notebook Extension RequestCopy SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension GetPolicies SQL Injection Vulnerabilty
	GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability
	HP Data Protector Notebook Extension LogClientHealth SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogCopyOperation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension FinishedCopy SQL Injection Vulnerabilty
	Novell ZENWorks Software Packaging ISGrid.Grid2.1 Text Parameter Code Execution Vulnerabilit
	Adobe Reader BMP Image RLE Decoding Code Execution Vulnerability
	Apple QuickTime H264 Matrix Conversion Code Execution Vulnerability
	Apple QuickTime FLC Delta Decompression Code Execution Vulnerability
	Apple Quicktime PnPixPat PatType 3 Parsing Code Execution Vulnerability