COMMAND
Oracle
SYSTEMS AFFECTED
Oracle listener program 7.3.4, 8.0.6, and 8.1.6 on all platforms
PROBLEM
Following is based on a Internet Security Systems Security
Advisory. Internet Security Systems (ISS) X-Force has discovered
a vulnerability in the listener program in Oracle Enterprise
Server. It is possible for a remote attacker to gain access to
the Oracle owner operating system account and the Oracle
database, and to execute code in various operating systems.
The Oracle listener program accepts remote commands from remote
listener controllers. If configured properly, a password is
required to authenticate a user before issuing a listener command.
The default Oracle installation does not allow a password for the
listener program to be indicated. If a password has not been set,
the Oracle listener program can be configured to append log
information to a file. Due to a problem with the SET TRC_FILE and
SET LOG_FILE commands, these values can be changed to any file
name. This allows an attacker to create a new file or corrupt an
existing file.
The information logged by the listener program can be specified
by an attacker by sending a specially formed connect packet to the
listener. This logged information can be changed to include
commands and escape characters, allowing an attacker to gain
access to an operating system account.
This vulnerability was discovered and researched by Ben Layer and
Aaron Newman of Internet Security Systems.
SOLUTION
Oracle recommends that customers download the patches for this
vulnerability from Oracle's Worldwide Support Services website
http://metalink.oracle.com. Customers can reference generic bug
number 1361722 filed against the listener program.
ISS SAFEsuite security assessment software, Database Scanner,
currently determines if a password is indicated for the listener
and how strong the password is. An upcoming release of Database
Scanner will be updated to determine if the Oracle patch has been
applied.