Oracle Application Server contains format string vulnerability

2002-06-04T00:00:00
ID VU:467555
Type cert
Reporter CERT
Modified 2003-06-02T19:05:00

Description

Overview

The CERT/CC is aware of a report about a "remotely exploitable format string vulnerability in Oracle Application Server" that could allow an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system.

Description

Oracle Application Server uses the Apache HTTP Server to provide web services, including access to stored procedures via the Oracle PL/SQL module (modpplsql or mod_plsql). The PL/SQL module provides a web-based administration interface to configure Database Access Descriptors (DAD) and cache settings. The CERT/CC is aware of a report of a format string vulnerability in Oracle Application Server. The report implies that the vulnerability exists in the web-based administration interface for the PL/SQL gateway. An attacker may be able to exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable system. Further details about this vulnerability are not presently available, as the reporter (NGSSoftware) has intentionally released limited information in accordance with their disclosure policy. NGSSoftware reports that Oracle9iAS v1.0.2.2 for Windows NT/2000 was tested.


Impact

An unauthenticated remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. The HTTP server used by Oracle Application Server may run as SYSTEM on Windows NT and Windows 2000 systems.


Solution

Apply a Patch

When available, apply the appropriate patch. Oracle typically releases Security Alerts that include patch information.


Restrict Access

The report from NGSSoftware recommends "ensuring that the administration pages for the PL/SQL module have been protected." This implies that the vulnerability lies in the HTML administration interface for the PL/SQL module, which would be similar to a previously announced vulnerability [VU#659043]. In the default configuration, the administration pages are available to anyone who is able to access to the web server [VU#611776].

Access to the PL/SQL gateway administration web pages can be restricted by specifying authorized user names and connect strings or an administrative Database Access Descriptor (DAD) in the PL/SQL gateway configuration file, /Apache/modplsql/cfg/wdbsvr.app. For more information, read the section titled Using the PL/SQL Gateway in the Oracle iAS documentation for the Oracle HTTP Server powered by Apache.

Disable Unnecessary Services

If this vulnerability is in the PL/SQL HTTP administration interface, it may be possible to disable the HTTP interface and make configuration changes to the PL/SQL module by modifying the configuration file directly.

Disable the PL/SQL service (modplsql or mod_plsql in Apache).

Use Least Privilege

Run Oracle Application Server under a user account with the least privilege possible. Note that this workaround will not prevent exploitation, but may limit the impact of an attack.


Vendor Information

467555

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Oracle Corporation __ Affected

Notified: May 31, 2002 Updated: June 18, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

NGSSoftware reports that Oracle9iAS v1.0.2.2 for Windows NT/2000 was tested.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

References

  • <ttp://www.nextgenss.com/vna/ora-ias.txt>
  • <hhttp://online.securityfocus.com/bid/4844>
  • <http://www.iss.net/security_center/static/10183.php>

Acknowledgements

The CERT/CC thanks David Litchfield of NGSSoftware for information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs: | None
---|---
Severity Metric: | 6.22
Date Public: | 2002-05-27
Date First Published: | 2002-06-04
Date Last Updated: | 2003-06-02 19:05 UTC
Document Revision: | 40