CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 0.85 High
EPSS Percentile: 98.5%
Oracle9i Application Server (iAS) provides a Procedural Language/Structured Query Language (PL/SQL) application (package) called OWA_UTIL that provides web access to a number of stored procedures. These procedures could be used by an attacker to view the source code of PL/SQL applications, obtain credentials and access to other database servers, and run SQL queries on accessible database servers.
David Litchfield of NGSSoftware has released a paper titled Hackproofing Oracle Application Server that describes a number of security issues in Oracle's PL/SQL system. This document addresses a problem in which a number of procedures in the OWA_UTIL PL/SQL application disclose sensitive information.
Quoting from Hackproofing:
PL/SQL is Oracle's Procedural Language extension to Structured Query Language. PL/SQL packages [applications] are essentially stored procedures in the database. The package exposes procedures that can be called directly, but also has functions that are called internally from within another package. The PL/SQL module for Apache extends the functionality of a web server, enabling the web server to execute these stored PL/SQL packages in the database. The best way to imagine the PL/SQL module is like a gateway into an Oracle database server over the Web using stored procedures.
The OWA_UTIL PL/SQL application exposes a number of procedures to the web via the Apache PL/SQL module. By default, anonymous web access is permitted to some of these procedures.
OWA_UTIL.signature returns a message containing version information about the PL/SQL module. An attacker could use this procedure to verify access to OWA_UTIL.
OWA_UTIL.showsource returns the source code of the specified PL/SQL application. According to Oracle9i AS v1.0.2.2 documentation, web access to OWA_UTIL.cellsprint is prevented by default.
OWA_UTIL.cellsprint allows an attacker to run arbitrary SQL queries. Litchfield notes that queries could be made to the sys.link$ table, which could provide credentials and access to other Oracle database servers. According to Oracle9i AS v1.0.2.2 documentation, web access to OWA_UTIL.cellsprint is prevented by default.
OWA_UTIL.listprint allows an attacker to run arbitrary SQL queries, but only returns specified columns.
OWA_UTIL.show_query_columns returns column names of a database table. This procedure could be used to obtain column names for use with OWA_UTIL.listprint.
The PL/SQL module provides a configuration parameter called exclusion_list. Procedures (as well as applications and schemas) specified in exclusion_list cannot be directly executed over the web. As noted above, Oracle9i AS v1.0.2.2 documentation states that web access to OWA_UTIL.showsource and OWA_UTIL.cellsprint is prevented by default.
The vulnerable PL/SQL module may also be used by Oracle9i Database and Oracle8i Database.
An unauthenticated, remote attacker could use procedures provided by OWA_UTIL to view the source code of PL/SQL applications, obtain access credentials for other database servers, access other database servers, and perform SQL queries on accessible database servers.
**Block or Restrict Access**
Unauthenticated PUBLIC access to PL/SQL procedures and applications can be restricted using the exclusion_list parameter in the PL/SQL gateway configuration file, /Apache/modplsql/cfg/wdbsvr.app. This solution is described in Oracle Security Alert #28. For more information, read the section titled Protecting the PL/SQL Procedures Granted to PUBLIC in the Oracle iAS documentation under Using the PL/SQL Gateway.
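One way to check an exclusion_list against the five OWA_UTIL procedures named in this note. This is an added example, not code from CERT/CC or Oracle; it assumes an INI-style file with `[section]` headers and a comma-separated `exclusion_list = ...` line using `*` wildcards matched case-insensitively, and the section names and sample settings are constructed.

```python
import fnmatch

# Procedures this note names as exposing sensitive information.
RISKY_PROCEDURES = [
    "owa_util.signature",
    "owa_util.showsource",
    "owa_util.cellsprint",
    "owa_util.listprint",
    "owa_util.show_query_columns",
]

def parse_exclusion_lists(config_text):
    """Return {section: [patterns]} for each exclusion_list setting found."""
    # Assumed format: "[SECTION]" headers, "key = value", ";" or "#" comments.
    lists, section = {}, "(global)"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "exclusion_list":
            lists[section] = [p.strip().lower() for p in value.split(",") if p.strip()]
    return lists

def uncovered(patterns):
    """Procedures from RISKY_PROCEDURES that no pattern excludes."""
    return [p for p in RISKY_PROCEDURES
            if not any(fnmatch.fnmatchcase(p, pat) for pat in patterns)]

def audit(config_text):
    """Map each section that sets exclusion_list to its uncovered procedures."""
    return {s: uncovered(pats) for s, pats in parse_exclusion_lists(config_text).items()}

# Constructed sample, not a real configuration.
SAMPLE = """\
[DAD_weak]
exclusion_list = sys.*, dbms_*, owa_util.showsource, owa_util.cellsprint

[DAD_strict]
exclusion_list = sys.*, dbms_*, OWA_UTIL.*
"""

if __name__ == "__main__":
    for section, missing in audit(SAMPLE).items():
        print(section, "->", missing or "all listed procedures excluded")
```

Sections that do not set exclusion_list at all are not reported by this check and need to be reviewed separately.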
**Disable Vulnerable Service**
Disable the PL/SQL service (modplsql or mod_plsql in Apache).
307835
Notified: March 03, 2002 Updated: March 05, 2002
Affected
Oracle has released Oracle Security Alert #28.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23307835 Feedback>).
The CERT Coordination Center thanks David Litchfield of NGSSoftware for information used in this document.
This document was written by Art Manion.
CVE IDs: CVE-2002-0560
CERT Advisory: CA-2002-08
Severity Metric: