COMMAND
Oracle Listener
SYSTEMS AFFECTED
Oracle
PROBLEM
The following is based on an Internet Security Systems Security
Advisory. Internet Security Systems (ISS) X-Force has identified
four Denial of Service attacks against the Oracle listener
service:
1. Offset_to_data value too large
2. Requester_version value incorrect
3. Maximum Transport Data size too small
4. Fragmentation attack
These vulnerabilities allow an unauthenticated user to prevent
other users from connecting to the database. As a result, the
Oracle database becomes inaccessible.
1. Offset_to_data value too large
=================================
When connecting to an Oracle database, a connection is first made
to the listener process. This initial packet contains command
data, such as the instance to connect to and the client
information. This packet also contains a header with a field
indicating the offset to the Oracle command data. If this offset
is set to an arbitrarily large value that the listener does not
expect, then the listener will crash.
This vulnerability exists on Oracle 7.3 and 8i (not 8.0)
installations of Unix, but does not affect Oracle versions running
on Windows NT/2000.
2. Requester_version value incorrect
====================================
When connecting to an Oracle database, a connection is first made
to the listener process. This initial packet contains command
data, such as the instance to connect to and the client
information. This packet also contains a header with a field
indicating the version of the client drivers and the offset to
the Oracle command data. If the version of the driver does not
match the appropriate offset to the command data, the listener
will crash.
This vulnerability exists on Oracle 8.0 and later installations
for all platforms.
3. Maximum Transport Data Size too small
========================================
When connecting to an Oracle database, a connection is first made
to the listener process. This initial packet contains command
data, such as the instance to connect to and the client
information. This packet also contains a header with a field
indicating the maximum transport data size of the client’s
network. If the maximum transport data size is set to 0, the
listener will crash.
This vulnerability exists on Oracle8i on Sun Solaris.
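
An added example, not part of the advisory: a Python sanity check that a
filtering proxy or IDS could apply to listener connect packets for cases 1
and 3 above. The header layout (8-byte header, big-endian connect fields,
6 trailing bytes before the connect data) and all names are assumptions, and
the sample packet is constructed.

```python
import struct

# Assumed layout (not given in the advisory): 8-byte TNS header, then the
# connect body, big-endian, as decoded by public protocol dissectors.
HEADER = struct.Struct(">HHBBH")   # length, checksum, type, flags, header checksum
CONNECT = struct.Struct(">10H")    # version ... data_length, offset_to_data
TYPE_CONNECT = 1


def make_sample(connect_data: bytes) -> bytes:
    """Build a constructed, well-formed connect packet for testing the checker."""
    offset = HEADER.size + CONNECT.size + 6   # 6 assumed trailing bytes
    body = CONNECT.pack(310, 300, 0, 2048, 32767, 0x4F98, 0, 1,
                        len(connect_data), offset) + bytes(6)
    total = HEADER.size + len(body) + len(connect_data)
    return HEADER.pack(total, 0, TYPE_CONNECT, 0, 0) + body + connect_data


def check_connect(pkt: bytes) -> list:
    """Return anomaly strings for one packet; an empty list means it looks sane."""
    if len(pkt) < HEADER.size:
        return ["truncated header"]
    length, _, ptype, _, _ = HEADER.unpack_from(pkt)
    if ptype != TYPE_CONNECT:
        return []                              # only connect packets are checked
    if len(pkt) < HEADER.size + CONNECT.size:
        return ["truncated connect body"]
    fields = CONNECT.unpack_from(pkt, HEADER.size)
    max_tdu, data_len, data_off = fields[4], fields[8], fields[9]
    findings = []
    limit = min(length, len(pkt))              # never trust the declared length alone
    if data_off > limit or data_off + data_len > limit:
        findings.append("offset_to_data points outside the packet")
    if max_tdu == 0:
        findings.append("maximum transport data size is 0")
    return findings


if __name__ == "__main__":
    sample = make_sample(b"(CONNECT_DATA=(SID=EXAMPLE))")   # constructed input
    print(check_connect(sample) or "no anomalies")
```

The check assumes the connect data travels in the same packet as the header;
it does not cover the version/offset mismatch or the fragmentation case.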
4. Fragmentation Attack
=======================
In addition to TCP/IP fragmentation, Oracle allows commands to be
fragmented at the application layer. This fragmentation allows
commands to be sent in two or more different packets. If the
first packet of a fragmented command is repeatedly sent and not
followed up with the remainder of the command, the listener hangs
waiting for the completion of these commands.
This vulnerability exists on all versions of the listener.
SOLUTION
Oracle has fixed these security vulnerabilities in Oracle9i.
Oracle is in the process of backporting the fix to supported
Oracle 8i Releases 8.1.7 and 8.1.6 on all Unix platforms. Please
check Metalink periodically for patch availability if the patch
for your platform is not yet available. Oracle recommends using
Oracle Advanced Security (an option to the Enterprise Edition of
the Oracle Database Server) to encrypt network traffic and avoid
packet capture and replay attacks. Oracle Advanced Security also
provides checksumming that verifies the data integrity of network
packets.