Oracle listener Input Validation Vulnerabilities
BID:1853
Info
| Bugtraq ID: | 1853 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Oct 25 2000 12:00AM |
| Updated: | Oct 25 2000 12:00AM |
| Credit: | Posted to bugtraq by Internet Security Systems, Inc. <[email protected]> on October 25, 2000 |
| Vulnerable: | Oracle listener 8.1.6; Oracle listener 8.0.6; Oracle listener 7.3.4 |
| Not Vulnerable: | |
Discussion
Oracle Enterprise Server ships with a server program called listener, which is used for remote database access. In its default configuration, listener accepts remote commands from listener controllers and does not require a password to authenticate remote connections.
As a result, unauthorized clients can connect to the listener and send it certain commands. Two such commands are SET TRC_FILE and SET LOG_FILE, which let the connecting client tell the listener server which logfiles to use. The remote client can set these filenames to any path the Oracle user account can write to, including files that do not yet exist, and have some user-supplied data written to them (e.g., "\n+ +\n"). It is also possible to have escaped shell commands executed, because user input is handled improperly when it is written to the logfiles.
These vulnerabilities can be exploited in numerous ways to gain local shell access on the host running listener, which can in turn lead to a compromise of root privileges on the host.
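One way to check a listener.ora for the passwordless default described above, as an added example that is not part of the original advisory or of Oracle's tooling. It flags listeners with no `PASSWORDS_<listener>` entry and, as an assumption not stated on this page, no `ADMIN_RESTRICTIONS_<listener> = ON` (an Oracle Net parameter assumed to be available on the installed release); the sample file, host names and function names are constructed.

```python
import re

# Constructed sample listener.ora (not from the advisory). LISTENER is left at
# the defaults the advisory describes; LSNR_HARDENED sets both controls.
SAMPLE = """\
# constructed example file
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1521))))
SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
LSNR_HARDENED = (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1526))
PASSWORDS_LSNR_HARDENED = (0123456789ABCDEF)
ADMIN_RESTRICTIONS_LSNR_HARDENED = ON
"""

def top_level_params(text):
    """Return {NAME: value} for assignments made outside any parentheses."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    params, depth, name = {}, 0, None
    for tok in re.findall(r"[()]|[A-Za-z_][\w.]*\s*=|[^()\s]+", text):
        if depth == 0 and len(tok) > 1 and tok.endswith("="):
            name = tok[:-1].strip().upper()  # start of a new top-level parameter
            params[name] = ""
            continue
        depth += (tok == "(") - (tok == ")")
        if name is not None:
            params[name] += re.sub(r"\s+", "", tok)
    return params

def audit(text):
    """Map each listener name to the hardening controls it is missing."""
    params = top_level_params(text)
    findings = {}
    for name, value in params.items():
        if "(ADDRESS=" not in value.upper():
            continue  # not a listener definition (e.g. SID_LIST_*)
        issues = []
        if not params.get("PASSWORDS_" + name, "").strip("()"):
            issues.append("no listener password")
        if params.get("ADMIN_RESTRICTIONS_" + name, "").upper() != "ON":
            issues.append("runtime SET commands not restricted")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for listener, issues in audit(SAMPLE).items():
        print(listener, "->", ", ".join(issues) or "ok")
```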
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Excerpted from "Internet Security Systems Security Advisory: Vulnerability in the Oracle Listener Program",
posted to bugtraq on October 25, 2000:
"Oracle recommends that customers download the patches for this vulnerability from Oracle's Worldwide Support Services website
http://metalink.oracle.com.
Customers can reference generic bug number 1361722 filed against the listener program."