-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Network Associates, Inc. COVERT Labs Security Advisory June 27, 2001 Vulnerability in Oracle 8i TNS Listener COVERT-2001-04
The Oracle 8i TNS (Transparent Network Substrate) Listener is responsible for establishing and maintaining remote communications with Oracle database services. The Listener is vulnerable to a buffer overflow condition that allows remote execution of arbitrary code on the database server under a security context that grants full control of the database services and, on some platforms, full control of the operating system. Because the buffer overflow occurs prior to any authentication, the listener is vulnerable regardless of any enabled password protection.
This vulnerability has been designated as CVE candidate CAN-2001-499.
RISK FACTOR: HIGH
o Vulnerable Systems
Oracle 8i Standard and Enterprise Editions Version 8.1.5, 8.1.6, 8.1.7 and previous versions for Windows, Linux, Solaris, AIX, HP-UX and Tru64 Unix.
o Vulnerability Overview
Client connection requests to a remote Oracle service are arbitrated by the TNS Listener. The TNS Listener accepts the client request and establishes a TNS (Transparent Network Substrate) data connection between the client and the service. A TNS connection allows clients and servers to communicate over a network via a common API, regardless of the network protocol used on either end (TCP/IP, IPX, etc). The TNS Listener must be running if queries are to be made by remote clients or databases even if the network protocol is the same.
A default installation listens on TCP port 1521.
Listener administration and monitoring can be done by issuing specific commands to the daemon. Typical requests, such as "STATUS", "PING" and "SERVICES" return a summary of listener configuration and connections. Other requests like "TRC_FILE", "SAVE_CONFIG" and "RELOAD" are used to change the configuration of the listener. An exploitable buffer overflow occurs when any of the command's arguments contains a very large amount of data.
The TNS Listener daemon runs with "LocalSystem" privileges under Windows NT/2000, and with the privileges of the 'oracle' user under Unix. Exploitation of this vulnerability will lead to the remote attacker obtaining these respective privileges.
o Detailed Information:
The overflow can be triggered with a one-packet command conforming to the Net8 protocol. The client will send a Type-1 (NSPTCN) packet containing the proper Net8 headers and malformed command string with embedded arbitrary code ("shellcode"). Although many of the TNS listener's administrative commands can be limited to trusted users by enabling password authentication, this vulnerability can nevertheless be exploited by using unauthenticated commands such as "STATUS". It is important to note that authentication is not enabled by default.
The command string includes several arguments such as "SERVICE", "VERSION", "USER" and "ARGUMENTS". Any of these can be overfilled with data to initiate the overflow. Under both Windows and UNIX platforms, an extended argument of several thousand bytes will induce a stack overflow.
Under Windows, the stack overflow will facilitate the execution of shellcode by manipulating the SEH (Strunctured Exception Handling) mechanism. Since the listener services runs as "LocalSystem", shellcode will be executed in the same security context. Under UNIX, the listener daemon will often be started by the "oracle" user created during installation. If this is the case, the attacker will gain the privileges of the database administrator.
Oracle has produced a patch under bug number 1489683 which is available for download from the Oracle Worldwide Support Services web site, Metalink (http://metalink.oracle.com) for the platforms identified in this advisory. The patch is in production for all supported releases of the Oracle Database Server.
PGP Security's CyberCop Scanner risk-assessment tool has been updated to detect this vulnerability.
These vulnerabilities were discovered and documented by Nishad Herath and Brock Tellier of the COVERT Labs at PGP Security.
o Contact Information
For more information about the COVERT Labs at PGP Security, visit our website at http://www.pgp.com/covert or send e-mail to firstname.lastname@example.org
o Legal Notice
The information contained within this advisory is Copyright (C) 2001 Networks Associates Technology Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way.
Network Associates and PGP are registered Trademarks of Network Associates, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
-----BEGIN PGP SIGNATURE----- Version: PGP 7.0.1
iQA/AwUBOzpL5dwDUegFyneEEQJkVwCfaSu5s4tIHqc7gaecy8bYEE4ADGEAn26n AaiyVhQME0V+hG2oUBcgOX7T =wbhH -----END PGP SIGNATURE-----