


Oracle 8i TNS Listener Exploitable Buffer Overflow



Vulnerability

    Oracle

Affected

    Oracle 8i TNS Listener (Standard and Enterprise) 8.1.5, 8.1.6, 8.1.7 and previous

Description

    The following is based on COVERT Labs Security Advisory COVERT-2001-04.
    The Oracle 8i TNS (Transparent Network Substrate) Listener is responsible
    for establishing and maintaining remote communications with Oracle
    database services. The Listener is vulnerable to a buffer overflow
    condition that allows remote execution of arbitrary code on the database
    server under a security context that grants full control of the database
    services and, on some platforms, full control of the operating system.
    Because the buffer overflow occurs prior to any authentication, the
    listener is vulnerable regardless of any enabled password protection.

    Client connection requests to a remote Oracle service are arbitrated by
    the TNS Listener. The TNS Listener accepts the client request and
    establishes a TNS (Transparent Network Substrate) data connection between
    the client and the service. A TNS connection allows clients and servers
    to communicate over a network via a common API, regardless of the network
    protocol used on either end (TCP/IP, IPX, etc). The TNS Listener must be
    running if queries are to be made by remote clients or databases, even if
    the network protocol is the same. A default installation listens on TCP
    port 1521.

    Listener administration and monitoring can be done by issuing specific
    commands to the daemon. Typical requests, such as "STATUS", "PING" and
    "SERVICES", return a summary of listener configuration and connections.
    Other requests like "TRC_FILE", "SAVE_CONFIG" and "RELOAD" are used to
    change the configuration of the listener. An exploitable buffer overflow
    occurs when any of the command's arguments contains a very large amount
    of data.

    The TNS Listener daemon runs with "LocalSystem" privileges under Windows
    NT/2000, and with the privileges of the 'oracle' user under Unix.
    Exploitation of this vulnerability will lead to the remote attacker
    obtaining these respective privileges.

    The overflow can be triggered with a one-packet command conforming to the
    Net8 protocol. The client will send a Type-1 (NSPTCN) packet containing
    the proper Net8 headers and a malformed command string with embedded
    arbitrary code ("shellcode"). Although many of the TNS listener's
    administrative commands can be limited to trusted users by enabling
    password authentication, this vulnerability can nevertheless be exploited
    by using unauthenticated commands such as "STATUS". It is important to
    note that authentication is not enabled by default.

    The command string includes several arguments such as "SERVICE",
    "VERSION", "USER" and "ARGUMENTS". Any of these can be overfilled with
    data to initiate the overflow. Under both Windows and UNIX platforms, an
    extended argument of several thousand bytes will induce a stack overflow.
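    As an added example (not part of the advisory and not Oracle's code), the
    Python below shows the check a network monitor or listener front-end would
    apply to requests of the shape described above: it reads the TNS packet
    header, pulls the connect data out of a Type-1 (NSPTCN) packet, splits the
    Net8 command string into its "(KEY=VALUE)" arguments and reports any
    argument longer than a threshold. The header field offsets, the 58-byte
    connect-data offset and the "(COMMAND=status)" keyword layout come from
    public descriptions of the TNS wire format and are assumptions, since the
    advisory itself gives no field layout; the two sample packets and the
    256-byte threshold are constructed for the example.

```python
import struct

# TNS packet type for a connect packet (NSPTCN), as named in the advisory.
NSPTCN = 1

# Wire layout of a TNS connect packet as given in public protocol dissectors
# (assumption: the advisory states no field offsets).
TNS_HEADER_LEN = 8          # length(2) checksum(2) type(1) reserved(1) hdr checksum(2)
CONNECT_DATA_LEN_OFF = 24   # 16-bit big-endian length of the connect data
CONNECT_DATA_OFF_OFF = 26   # 16-bit big-endian offset of the connect data
CONNECT_DATA_START = 58     # where 8.x-era clients place connect data (assumption)

# Constructed threshold: legitimate listener arguments are short, while the
# advisory describes overflowing arguments of several thousand bytes.
MAX_ARG_LEN = 256


def parse_tns_packet(pkt: bytes):
    """Return (packet_type, connect_data); connect_data is None for any
    packet that is not a type-1 connect packet with consistent lengths."""
    if len(pkt) < TNS_HEADER_LEN:
        raise ValueError("short TNS header")
    pkt_len, _cksum, pkt_type, _rsvd, _hcksum = struct.unpack(">HHBBH", pkt[:8])
    if pkt_len != len(pkt):
        raise ValueError(f"declared length {pkt_len} != actual {len(pkt)}")
    if pkt_type != NSPTCN:
        return pkt_type, None
    if len(pkt) < CONNECT_DATA_OFF_OFF + 2:
        raise ValueError("truncated connect packet")
    cd_len, cd_off = struct.unpack(">HH", pkt[CONNECT_DATA_LEN_OFF:CONNECT_DATA_OFF_OFF + 2])
    if cd_off + cd_len > len(pkt):
        raise ValueError("connect data runs past end of packet")
    return pkt_type, pkt[cd_off:cd_off + cd_len]


def parse_connect_string(s: str):
    """Split Net8 '(KEY=VALUE)(KEY=(SUB=VALUE))' text into (path, value) pairs
    for every leaf value, e.g. ('CONNECT_DATA.USER', 'oracle')."""
    leaves = []
    pos = 0

    def parse_list(prefix):
        nonlocal pos
        while pos < len(s) and s[pos] == "(":
            pos += 1
            eq = s.find("=", pos)
            if eq < 0:
                raise ValueError("argument without '='")
            key = s[pos:eq].strip()
            path = f"{prefix}.{key}" if prefix else key
            pos = eq + 1
            if pos < len(s) and s[pos] == "(":
                parse_list(path)            # nested argument list
            else:
                end = s.find(")", pos)
                if end < 0:
                    raise ValueError("unterminated argument")
                leaves.append((path, s[pos:end]))
                pos = end
            if pos >= len(s) or s[pos] != ")":
                raise ValueError("expected ')'")
            pos += 1

    parse_list("")
    if pos != len(s):
        raise ValueError("trailing data after argument list")
    return leaves


def oversized_arguments(pkt: bytes, limit: int = MAX_ARG_LEN):
    """Report [(path, length)] for every command argument longer than limit.
    Non-connect packets yield no report; connect data that does not parse is
    reported once under the path '<unparsable>' so it is not silently passed."""
    _ptype, cd = parse_tns_packet(pkt)
    if cd is None:
        return []
    text = cd.decode("ascii", errors="replace")
    try:
        leaves = parse_connect_string(text)
    except ValueError:
        return [("<unparsable>", len(cd))]
    return [(p, len(v)) for p, v in leaves if len(v) > limit]


def build_connect_packet(connect_data: bytes) -> bytes:
    """Constructed sample builder: a minimal type-1 packet wrapping connect_data,
    with only the fields the checker reads filled in and everything else zeroed."""
    pkt = bytearray(CONNECT_DATA_START) + connect_data
    struct.pack_into(">HHBBH", pkt, 0, len(pkt), 0, NSPTCN, 0, 0)
    struct.pack_into(">HH", pkt, CONNECT_DATA_LEN_OFF, len(connect_data), CONNECT_DATA_START)
    return bytes(pkt)


# Constructed samples: an ordinary STATUS request, and the same request with
# one argument padded to several thousand bytes of inert filler, the size the
# advisory describes.
BENIGN_STATUS = b"(CONNECT_DATA=(COMMAND=status)(VERSION=0)(USER=oracle)(ARGUMENTS=64))"
OVERSIZED_STATUS = (b"(CONNECT_DATA=(COMMAND=status)(VERSION=0)(USER="
                    + b"A" * 3000 + b")(ARGUMENTS=64))")

if __name__ == "__main__":
    for name, cd in (("benign", BENIGN_STATUS), ("oversized", OVERSIZED_STATUS)):
        print(name, oversized_arguments(build_connect_packet(cd)))
```

    The length check is deliberately applied per argument rather than to the
    whole packet, because a connect string with many short arguments is
    ordinary while a single multi-kilobyte value is not; a sensor in front of
    port 1521 can log or drop such requests whether or not listener password
    authentication is enabled, which matters here because the advisory notes
    the unauthenticated "STATUS" command is enough to reach the overflow.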

    Under Windows, the stack overflow will facilitate the execution of
    shellcode by manipulating the SEH (Structured Exception Handling)
    mechanism. Since the listener service runs as "LocalSystem", shellcode
    will be executed in the same security context. Under UNIX, the listener
    daemon will often be started by the "oracle" user created during
    installation. If this is the case, the attacker will gain the privileges
    of the database administrator.

    These vulnerabilities were discovered and documented by Nishad Herath and
    Brock Tellier of the COVERT Labs at PGP Security.

Solution

    Oracle has produced a patch under bug number 1489683 which is available
    for download from the Oracle Worldwide Support Services web site for the
    platforms identified. Note that this patch is obsolete. This patch is
    being withdrawn because of a regression of bug 1654631 which is fixed as
    bug 1814117. The patch will be made available again with the new fix
    included as soon as possible.

