|
|
|
|
| |
| Multiple vulnerabilities were discovered in the (Oracle database server Character Conversion, Extproc, Password Disclosure, ISQLPlus,TNS Listener). All the vulnerabilities are addressed in a new cummulative patched issued by Oracle. |
| |
Credit:
The information has been provided by NGSSoftware Insight Security Research.
|
| |
Vulnerable Systems:
* Oracle 10g on all operating systems
1. Character Conversion Bugs
Due to character conversion problems in Oracle 10g with Oracle's Application server it is possible to bypass pl/sql exclusions and gain access to the database server as SYS. There is a character conversion bug in 10g that can lead to a compromised backend database server. Both Windows and Linux are affected. Consider the following set up. There's a Oracle HTTP Server (running apache 1.3.22 on Windows) using the PL/SQL module feeding into a 10g box running on Windows and a 10g box running on Linux. The character set for both instances is WE8ISO8859P1.
When the app server receives a request of:
http://server/pls/windad/%FF%FF%FF%FF%FF
The %FFs are converted to the byte 0xFF (as expected) but sniffing the database response to the app server we get:
"ORA-06550: line 8, column 2: PLS-00201: identifier 'YYYYY' must be declared....."
In Oracle 10g, when using the WE8ISO8859P1 character set, converts 0xFF to 0x59 - that is uppercase Y. Due to this conversion an attacker can perform the following request:
http://server/pls/windad/S%FFS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users
And therefore gain access to "banned" and dangerous procedures. The character set for the HTTP server is set to: AMERICAN_AMERICA.WE8ISO8859P1.
If, however, we set the character set on the HTTP Server to ENGLISH_UNITEDKINGDOM.WE8MSWIN1252 not only is the 0xFF still converted to 0x59 but if the following is requested:
http://server/pls/windad/%9F%9F%9F%9F%9F%9F
The _app_server_ (note - not 10g) converts the %9F to a Y and again this allows us to do the following:
http://server/pls/windad/S%9FS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users
And again giving access to the "banned" and dangerous procedures. Other character sets and scenarios may cause similar problems.
2. Extproc Buffer Overflow (long lib name)
The Oracle database server supports PL/SQL, a programming language. PL/SQL can execute external procedures via extproc. Over the past few years there has been a number of vulnerabilities in this area (http://www.nextgenss.com/advisories/oraplsextproc.txt, http://www.nextgenss.com/advisories/ora-extproc.txt)
Extproc has been found to suffer from another buffer overflow vulnerability. Oracle 10g imposes a length limit on the library name to be loaded by extproc. However, this length limit can be evaded by passing environment variables as part of the library name. Later on the environment variable is expanded allowing the buffer overflow to be exploited. For example '$PATH' is 5 characters long; this passes the length check. However, when expanded '$PATH' becomes many more characters. Exploitation depends upon the system setup but by trial and error a balance can be found allowing arbitrary code to be executed. No user ID or password is required to exploit this vulnerability.
3. Clear Text Passwords Disclosure
The 10g Oracle database server may have passwords in clear text in world readable files. The password for the SYSMAN account (a DBA) can be found in $ORACLE_HOME/hostname_sid/sysman/config/emoms.properties. This file is world readable.
Also, on installing Oracle 10g if the installer supplies the same password for the SYS, SYSTEM, DBSNMP and SYSMAN accounts and that password has an exclamation mark in it (e.g. f00bar!!) then an error occurs in the DB install when the passwords are set for SYSMAN and DBSNMP.
This error is logged to the "postDBCreation.log" logging the password:
Alter user SYSMAN identified by f00bar!! account unlock ERROR at line 1:
ORA-00922: missing or invalid option
Alter user DBSNMP identified by f00bar!! account unlock ERROR at line 1:
ORA-00922: missing or invalid option
This file is world readable giving attackers access to what the passwords are for these powerful accounts. Please note that no error is generated for SYS or SYSTEM and these accounts are assigned the password f00bar!!. The other accounts are given their default passwords.
4. ISQLPlus file access vulnerability
The 10g Oracle Application Server installs ISQL*Plus. Once logged in, an attacker can use load.uix to read files on the server. From isqlplus it is possible to load a script and execute it. On navigating to http://server:5560/isqlplus/load.uix two input boxes are displayed - one called "URL" and the other "File". By entering in a full path an attacker can load and read any file that the oracle user can read. For example "/etc/passwd" on Linux or "C:\boot.ini" on windows. An attacker can read the the files mentioned in 'Clear Text Passwords Disclosure' vulnerability above to gain the privileges of SYSMAN.
5. TNS Listener DoS
The 10g Oracle TNS Listener is vulnerable to a denial of service vulnerability. This occurs by sending the Listener a malformed service_register_NSGR request. Byte 182 of the request is used as an offset to a pointer; in a normal request this byte's value is 5 but by setting it to say 0xCC an attacker can get the Listener to access (read) an arbitrary value which causes the Listener to access violate/core dump.
Vendor Status:
A patch (#68) was released for all the problems described above by Oracle. See http://metalink.oracle.com/ for more details.
Original Advisories can be found at:
http://www.ngssoftware.com/advisories/oracle23122004G.txt
http://www.ngssoftware.com/advisories/oracle23122004F.txt
http://www.ngssoftware.com/advisories/oracle23122004F.txt
http://www.ngssoftware.com/advisories/oracle23122004E.txt
http://www.ngssoftware.com/advisories/oracle23122004D.txt
|
|
|
|
|
|
|
|
|
|
