COMMAND
Oracle
SYSTEMS AFFECTED
Oracle 8i TNS Listener (Standard and Enterprise) 8.1.5, 8.1.6, 8.1.7 and previous
PROBLEM
Following is based on a COVERT Labs Security Advisory
COVERT-2001-04. The Oracle 8i TNS (Transparent Network Substrate)
Listener is responsible for establishing and maintaining remote
communications with Oracle database services. The Listener is
vulnerable to a buffer overflow condition that allows remote
execution of arbitrary code on the database server under a
security context that grants full control of the database services
and, on some platforms, full control of the operating system.
Because the buffer overflow occurs prior to any authentication,
the listener is vulnerable regardless of any enabled password
protection.
Client connection requests to a remote Oracle service are
arbitrated by the TNS Listener. The TNS Listener accepts the
client request and establishes a TNS (Transparent Network
Substrate) data connection between the client and the service. A
TNS connection allows clients and servers to communicate over a
network via a common API, regardless of the network protocol used
on either end (TCP/IP, IPX, etc). The TNS Listener must be
running if queries are to be made by remote clients or databases
even if the network protocol is the same. A default installation
listens on TCP port 1521.
Listener administration and monitoring can be done by issuing
specific commands to the daemon. Typical requests, such as
"STATUS", "PING" and "SERVICES" return a summary of listener
configuration and connections. Other requests like "TRC_FILE",
"SAVE_CONFIG" and "RELOAD" are used to change the configuration
of the listener. An exploitable buffer overflow occurs when any
of the command's arguments contains a very large amount of data.
The TNS Listener daemon runs with "LocalSystem" privileges under
Windows NT/2000, and with the privileges of the 'oracle' user
under Unix. Exploitation of this vulnerability will lead to the
remote attacker obtaining these respective privileges.
The overflow can be triggered with a one-packet command conforming
to the Net8 protocol. The client will send a Type-1 (NSPTCN)
packet containing the proper Net8 headers and malformed command
string with embedded arbitrary code ("shellcode"). Although many
of the TNS listener's administrative commands can be limited to
trusted users by enabling password authentication, this
vulnerability can nevertheless be exploited by using
unauthenticated commands such as "STATUS". It is important to
note that authentication is not enabled by default.
The command string includes several arguments such as "SERVICE",
"VERSION", "USER" and "ARGUMENTS". Any of these can be overfilled
with data to initiate the overflow. Under both Windows and UNIX
platforms, an extended argument of several thousand bytes will
induce a stack overflow.
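The two paragraphs above describe what an overflow attempt looks like on the wire: a Type-1 (NSPTCN) connect packet whose connect-data string carries a listener command with one of the SERVICE, VERSION, USER or ARGUMENTS values padded to several thousand bytes. The following Python is an added example for a network-side check (for an IDS signature or a filtering proxy in front of port 1521), not code from the advisory or from Oracle. It assumes the public Net8 connect-packet layout (8-byte common header with the length at offset 0 and the packet type at offset 4; connect-data length and offset at packet offsets 24 and 26), and the length thresholds and both sample packets are constructed for the example; the oversized sample uses plain filler, not a payload.

```python
import struct

TNS_TYPE_CONNECT = 1          # NSPTCN: the Type-1 connect packet named in the advisory
TNS_HEADER_LEN = 8            # common header: length, checksum, type, reserved, header checksum
# Assumed offsets inside a connect packet (modelled on public Net8 dissector output):
OFF_CONNECT_DATA_LEN = 24     # 2-byte length of the connect data
OFF_CONNECT_DATA_OFFSET = 26  # 2-byte offset of the connect data from the packet start

# Argument names the advisory lists as overflow vectors, plus COMMAND itself.
# Thresholds are constructed for this example: legitimate values are far shorter.
WATCHED_ARGS = ("SERVICE", "VERSION", "USER", "ARGUMENTS", "COMMAND")
MAX_ARG_LEN = 256
MAX_CONNECT_DATA_LEN = 1024


def parse_tns_packet(buf: bytes) -> dict:
    """Split a raw TNS packet into header fields and the connect-data bytes."""
    if len(buf) < TNS_HEADER_LEN:
        raise ValueError("truncated TNS header")
    pkt_len, _cksum, pkt_type = struct.unpack(">HHB", buf[:5])
    info = {"length": pkt_len, "type": pkt_type, "connect_data": b"", "declared_len": 0}
    if pkt_type != TNS_TYPE_CONNECT:
        return info
    if len(buf) < OFF_CONNECT_DATA_OFFSET + 2:
        raise ValueError("truncated connect packet")
    data_len, data_off = struct.unpack(">HH", buf[OFF_CONNECT_DATA_LEN:OFF_CONNECT_DATA_LEN + 4])
    info["declared_len"] = data_len
    info["connect_data"] = buf[data_off:data_off + data_len]
    return info


def parse_connect_string(s: str) -> dict:
    """Flatten the nested (KEY=VALUE) syntax into a dict keyed by the innermost names.
    '(CONNECT_DATA=(CID=(USER=oracle))(COMMAND=status))' -> {'USER': 'oracle', 'COMMAND': 'status'}
    """
    out = {}

    def walk(i: int) -> int:
        # i points at '('; returns the index just past the matching ')'
        j = s.index("=", i)
        key = s[i + 1:j].strip()
        k = j + 1
        if k < len(s) and s[k] == "(":
            while k < len(s) and s[k] == "(":   # nested groups, e.g. CID=(...)(...)
                k = walk(k)
            return k + 1                        # skip this group's closing ')'
        end = s.index(")", k)                   # scalar value runs to the next ')'
        out[key] = s[k:end]
        return end + 1

    i = 0
    while i < len(s):
        i = walk(i) if s[i] == "(" else i + 1
    return out


def check_connect_packet(buf: bytes) -> list:
    """Return findings describing why a connect packet looks like an overflow attempt ([] if clean)."""
    findings = []
    info = parse_tns_packet(buf)
    if info["type"] != TNS_TYPE_CONNECT:
        return findings
    if info["length"] != len(buf):
        findings.append(f"declared packet length {info['length']} != actual {len(buf)}")
    if info["declared_len"] > MAX_CONNECT_DATA_LEN:
        findings.append(f"connect data length {info['declared_len']} exceeds {MAX_CONNECT_DATA_LEN}")
    try:
        args = parse_connect_string(info["connect_data"].decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        # Non-ASCII bytes or unbalanced parentheses never occur in a legitimate command string.
        findings.append("connect data is not a well-formed ASCII (KEY=VALUE) string")
        return findings
    for name in WATCHED_ARGS:
        value = args.get(name, "")
        if len(value) > MAX_ARG_LEN:
            findings.append(f"argument {name} is {len(value)} bytes (limit {MAX_ARG_LEN})")
    return findings


def build_connect_packet(connect_data: bytes) -> bytes:
    """Constructed Type-1 packet carrying connect_data; only the fields the check reads are populated."""
    data_off = 50                                   # connect data follows the 42-byte connect header
    body = bytearray(data_off - TNS_HEADER_LEN)
    struct.pack_into(">HH", body, OFF_CONNECT_DATA_LEN - TNS_HEADER_LEN, len(connect_data), data_off)
    total = TNS_HEADER_LEN + len(body) + len(connect_data)
    header = struct.pack(">HHBBH", total, 0, TNS_TYPE_CONNECT, 0, 0)
    return header + bytes(body) + connect_data


# Constructed samples: an ordinary unauthenticated STATUS request, and the same
# request with VERSION padded to 3000 bytes of filler (no payload).
BENIGN = build_connect_packet(
    b"(CONNECT_DATA=(CID=(PROGRAM=)(HOST=dbclient)(USER=oracle))"
    b"(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=135290880))")
OVERSIZED = build_connect_packet(
    b"(CONNECT_DATA=(CID=(PROGRAM=)(HOST=dbclient)(USER=oracle))"
    b"(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=" + b"A" * 3000 + b"))")

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, check_connect_packet(pkt) or "no findings")
```

The check deliberately keys on lengths rather than on the content of the padding: the advisory notes that any of the listed arguments can be overfilled and that password protection does not help because STATUS and similar commands are unauthenticated, so a size bound on the argument values and on the declared connect-data length is the property worth alerting on. Undecodable connect data is reported as its own finding, since a legitimate command string is plain ASCII.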
Under Windows, the stack overflow will facilitate the execution of
shellcode by manipulating the SEH (Structured Exception Handling)
mechanism. Since the listener service runs as "LocalSystem",
shellcode will be executed in the same security context. Under
UNIX, the listener daemon will often be started by the "oracle"
user created during installation. If this is the case, the
attacker will gain the privileges of the database administrator.
These vulnerabilities were discovered and documented by Nishad
Herath and Brock Tellier of the COVERT Labs at PGP Security.
SOLUTION
Oracle has produced a patch under bug number 1489683 which is
available for download from the Oracle Worldwide Support Services
web site for the platforms identified. Note that this patch is
obsolete. This patch is being withdrawn because of a regression
of bug 1654631 which is fixed as bug 1814117. The patch will be
made available again with the new fix included as soon as
possible.