Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Oracle :: orac5630.htm

Oracle listener client remote format string exploit



14th Aug 2002 [SBWID-5630]
COMMAND

	Oracle listener client remote format string exploit

SYSTEMS AFFECTED

	Oracle 9i, 8i on all platforms

PROBLEM

	David     Litchfield     [david@ngssoftware.com]     of      ngssoftware
	[http://www.ngssoftware.com] in advisory [#NISR14082002] :
	

	Advisory URL: http://www.ngssoftware.com/advisories/ora-lsnrfmtstr.txt

	

	

	Oracle provide a tool called the Listener Control utility  (lsnrctl)  to
	allow an Oracle DBA to remotely control the Listener.  The  Listener  is
	responsible for dealing with  client  requests  for  database  services.
	This control utility contains an indirect  remotely  exploitable  format
	string vulnerability.
	

	 Details

	 *******

	

	By default the Oracle Listener is not protected against  unauthenticated
	access and control. The configuration  files  of  Listeners  in  such  a
	state can be modified without the user needing to supply a password.  By
	modifying certain entries in  the  listener.ora  file,  by  inserting  a
	format string exploit, an  attacker  can  gain  control  of  a  Listener
	control utility. Typically an  attack  would  require  the  attacker  to
	modify the file and wait for an Oracle DBA to use the  Listener  control
	utility  to  access  the  Listener  at  which  point  control  over  the
	utility's path of execution can be gained. This will give  the  attacker
	the ability only to gain control  of  the  DBA's  machine  and  not  the
	database server. This is a complex attack and requires certain  "events"
	to happen and as such the risk is quite low.  That  said,  Oracle  users
	are urged to apply the patch.

SOLUTION

	 Patch

	 =====

	

	http://otn.oracle.com/deploy/security/pdf/2002alert40rev1.pdf

	

	

	 Workaround

	 ==========

	

	In the intermin NGSSoftware advise that  Oracle  DBAs  ensure  that  the
	Listener can not be controlled remotely and anonymously.
	

	There are several steps one can take to secure the  Listener  and  hence
	prevent exploitation of this format string vulnerability.
	

	One can set in the listener.ora
	

	ADMIN_RESTRICTIONS_lsnrname=ON

	

	This will prevent modifications to the Listener config files.  Furthe  a
	password should be set to limit actions a user can take.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH