Serious Oracle Vulnerabilities Identified
December 31, 2004

Oracle patch 68 has become extremely critical for any Oracle system that might be open to external attacks. Here is a list of Oracle vulnerabilities courtesy of NGS Software:

1. Oracle extproc local command execution (#NISR23122004C) (NOT PATCHED)
2. Oracle ISQLPlus file access vulnerability (#NISR2122004E)
3. Oracle TNS Listener DoS (#NISR2122004F)
4. Oracle multiple PL/SQL injection vulnerabilities (#NISR2122004H)
5. Oracle wrapped procedure overflow (#NISR2122004J)
6. Oracle extproc directory traversal (#NISR23122004B)
7. Oracle extproc buffer overflow (#NISR23122004A)
8. Oracle clear text passwords (#NISR2122004D)
9. Oracle Character Conversion Bugs (#NISR2122004G)
________________________________________________________________________
Message: 1
Subject: Oracle extproc local command execution (#NISR23122004C)
NGSSoftware Insight Security Research Advisory
Name: Oracle 10g/9i extproc local command execution
Systems Affected: Oracle 10g/9i on all operating systems
Severity: Medium Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR23122004C
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004C.txt
Description
***********
The Oracle database server supports PL/SQL, a programming language. PL/SQL can execute external procedures via extproc. Over the past few years there have been a number of vulnerabilities in this area:
http://www.nextgenss.com/advisories/oraplsextproc.txt
http://www.nextgenss.com/advisories/ora-extproc.txt
Extproc is intended only to accept requests from the Oracle database server but local users can still execute commands bypassing this restriction.
Details
*******
No authentication takes place when extproc is asked to load a library and execute a function. This allows local users to run commands as the Oracle user (oracle on unix and system on Windows). If configured properly, under 10g, extproc runs as nobody on *nix systems so the risk posed here is minimal but still present.
Fix Information
***************
Oracle has responded saying this is "expected behaviour" and they are not going to fix it. NGSSoftware believes this does pose a security risk. NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm) can be used to assess whether your Oracle servers are vulnerable to this.
________________________________________________________________________
Message: 2
Subject: Oracle ISQLPlus file access vulnerability (#NISR2122004E)
NGSSoftware Insight Security Research Advisory
Name: Oracle ISQL*Plus load.uix file access
Systems Affected: Oracle 10g AS on all operating systems
Severity: Medium
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004E
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004E.txt
Description
***********
The 10g Oracle Application Server installs ISQL*Plus. Once logged in, an attacker can use load.uix to read files on the server.
Details
*******
From isqlplus it is possible to load a script and execute it. On navigating to http://server:5560/isqlplus/load.uix two input boxes are displayed - one called "URL" and the other "File". By entering in a full path an attacker can load and read any file that the oracle user can read. For example "/etc/passwd" on Linux or "C:\boot.ini" on windows. An attacker can read the files mentioned in #NISR2122004D to gain the privileges of SYSMAN.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm) can be used to assess whether your Oracle servers are vulnerable to this.
________________________________________________________________________
Message: 3
Subject: Oracle TNS Listener DoS (#NISR2122004F)
NGSSoftware Insight Security Research Advisory
Name: Oracle 10g TNS Listener DoS
Systems Affected: Oracle 10g on all operating systems
Severity: High risk on high availability systems else low
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004F
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004F.txt
Description
***********
The 10g Oracle TNS Listener is vulnerable to a denial of service vulnerability.
Details
*******
This occurs by sending the Listener a malformed service_register_NSGR request. Byte 182 of the request is used as an offset to a pointer; in a normal request this byte's value is 5 but by setting it to say 0xCC an attacker can get the Listener to access (read) an arbitrary value which causes the Listener to access violate/core dump.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm) can be used to assess whether your Oracle servers are vulnerable to this.
________________________________________________________________________
Message: 4
Subject: Oracle multiple PL/SQL injection vulnerabilities (#NISR2122004H)
NGSSoftware Insight Security Research Advisory
Name: Oracle 10g/9i Multiple PL/SQL injection vulnerabilities
Systems Affected: Oracle 10g/AS on all operating systems
Severity: High risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004H
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004H.txt
Description
***********
Oracle 10g and 9i suffer from multiple PL/SQL injection vulnerabilities.
Details
*******
When a PL/SQL procedure executes, it does so with the permissions of the definer unless the AUTHID CURRENT_USER keyword has been specified. In this case the procedure executes with invoker privileges. Any procedure that uses definer rights can be abused to gain elevated privileges if they are vulnerable to PL/SQL injection. Known to be vulnerable are

Owner    Procedure
SYS      DBMS_EXPORT_EXTENSION
WKSYS    WK_ACL.GET_ACL
WKSYS    WK_ACL.STORE_ACL
WKSYS    WK_ADM.COMPLETE_ACL_SNAPSHOT
WKSYS    WK_ACL.DELETE_ACLS_WITH_STATEMENT
CTXSYS   DRILOAD.VALIDATE_STMT

Each of these can be exploited to gain DBA privileges. Further, attacks can be effected via an Oracle Application Server without the attacker having a user ID and password.
Note - CTXSYS is not a DBA in 10g but is on 9i.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm) can be used to assess whether your Oracle servers are vulnerable to this.
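The combination the advisory above describes (a definer-rights unit, no AUTHID CURRENT_USER, that pastes its input into dynamic SQL) is something a defender can look for in their own PL/SQL before an attacker does. The scanner below is an added example written for this page, not NGSSQuirreL and not Oracle code; it is a regex heuristic over source text, the sample schema `app` and its three procedures are constructed, and it flags a unit only when it both runs with definer rights and assembles an EXECUTE IMMEDIATE, DBMS_SQL.PARSE or OPEN ... FOR statement with the || operator.

```python
"""Heuristic scan of PL/SQL source for definer-rights units that build
dynamic SQL by concatenation.  Added example; not NGS or Oracle code."""
import re

# Header of a stored unit: CREATE [OR REPLACE] PROCEDURE|FUNCTION|PACKAGE [BODY] name
UNIT_RE = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?(PROCEDURE|FUNCTION|PACKAGE(?:\s+BODY)?)\s+"
    r"([A-Za-z0-9_$#\".]+)",
    re.IGNORECASE,
)
# Invoker rights: the unit runs as the caller, so injection gains nothing extra.
INVOKER_RE = re.compile(r"\bAUTHID\s+CURRENT_USER\b", re.IGNORECASE)
# Dynamic SQL whose statement text is glued together with || before the closing ';'.
DYNAMIC_CONCAT_RE = re.compile(
    r"\b(EXECUTE\s+IMMEDIATE|DBMS_SQL\.PARSE|OPEN\s+\w+\s+FOR)\b[^;]*\|\|",
    re.IGNORECASE | re.DOTALL,
)

def strip_comments(text: str) -> str:
    """Drop /* */ and -- comments so commented-out code does not trigger a finding."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)
    return re.sub(r"--[^\n]*", " ", text)

def split_units(source: str):
    """Yield (kind, upper-cased name, text) for each stored unit in a script."""
    starts = list(UNIT_RE.finditer(source))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(source)
        yield m.group(1).upper(), m.group(2).strip('"').upper(), source[m.start():end]

def scan(source: str):
    """Return the names of definer-rights units that concatenate into dynamic SQL."""
    findings = []
    for _kind, name, text in split_units(strip_comments(source)):
        definer_rights = INVOKER_RE.search(text) is None
        concatenates = DYNAMIC_CONCAT_RE.search(text) is not None
        if definer_rights and concatenates:
            findings.append(name)
    return findings

# Constructed sample: one vulnerable unit and two that are not.
SAMPLE = """
CREATE OR REPLACE PROCEDURE app.lookup_user(p_name IN VARCHAR2) IS
  v_cnt NUMBER;
BEGIN
  -- definer rights (no AUTHID clause) and p_name pasted into the statement text
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM app.users WHERE name = ''' || p_name || '''' INTO v_cnt;
END;
/
CREATE OR REPLACE PROCEDURE app.lookup_user_safe(p_name IN VARCHAR2) AUTHID CURRENT_USER IS
  v_cnt NUMBER;
BEGIN
  -- invoker rights and a bind variable: the input never becomes SQL text
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM app.users WHERE name = :1' INTO v_cnt USING p_name;
END;
/
CREATE OR REPLACE PROCEDURE app.lookup_user_bind(p_name IN VARCHAR2) IS
  v_cnt NUMBER;
BEGIN
  -- definer rights, but a bind variable, so no injection surface
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM app.users WHERE name = :1' INTO v_cnt USING p_name;
END;
/
"""

if __name__ == "__main__":
    for unit in scan(SAMPLE):
        print("definer-rights dynamic SQL with concatenation:", unit)
```

Run it against a DDL export of the schemas you care about (the advisory's list names SYS, WKSYS and CTXSYS); the hardened shape it is looking for is the third unit, where the input travels as a bind variable, or the second, where the unit additionally runs with the caller's own rights.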
________________________________________________________________________
Message: 5
Subject: Oracle wrapped procedure overflow (#NISR2122004J)
NGSSoftware Insight Security Research Advisory
Name: Oracle 10g/9i wrapped procedure buffer overflow
Systems Affected: Oracle 10g/9i on all operating systems
Severity: High risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004J
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004J.txt
Description
***********
The code for PL/SQL procedures can be encrypted or "wrapped" to use the Oracle term. When a wrapped procedure is created a buffer overflow vulnerability can be triggered.
Details
*******
By placing an overly long token in the text of a procedure that has been wrapped with version 9, a stack based buffer is overflowed in the Oracle server when the procedure is created. Exploitation of this allows an attacker to run code as the Oracle user.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm) can be used to assess whether your Oracle servers are vulnerable to this.
________________________________________________________________________
Message: 6
Subject: Oracle extproc directory traversal (#NISR23122004B)
NGSSoftware Insight Security Research Advisory
Name: Oracle 10g/9i extproc directory traversal
Systems Affected: Oracle 10g/9i on all operating systems
Severity: Medium Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR23122004B
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004B.txt
Description
***********
The Oracle database server supports PL/SQL, a programming language. PL/SQL can execute external procedures via extproc. Over the past few years there have been a number of vulnerabilities in this area:
http://www.nextgenss.com/advisories/oraplsextproc.txt
http://www.nextgenss.com/advisories/ora-extproc.txt
Extproc has been found to suffer from a directory traversal problem that allows attackers access to arbitrary libraries.
Details
*******
extproc verifies that the library to be loaded is in the $ORACLE_HOME\bin directory. This is to ensure that libraries outside of this directory cannot be loaded. However, there exists a directory traversal issue whereby an attacker can break outside of this constraint. This can allow attackers to access libraries such as libc and msvcrt.dll. By calling the system() function attackers can run arbitrary OS commands.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm) can be used to assess whether your Oracle servers are vulnerable to this.
________________________________________________________________________
Message: 7
Subject: Oracle extproc buffer overflow (#NISR23122004A)
NGSSoftware Insight Security Research Advisory
Name: Oracle 10g extproc buffer overflow
Systems Affected: Oracle 10g on all operating systems
Severity: High Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR23122004A
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004.txt
Description
***********
The Oracle database server supports PL/SQL, a programming language. PL/SQL can execute external procedures via extproc. Over the past few years there have been a number of vulnerabilities in this area:
http://www.nextgenss.com/advisories/oraplsextproc.txt
http://www.nextgenss.com/advisories/ora-extproc.txt
Extproc has been found to suffer from another buffer overflow vulnerability.
Details
*******
Oracle 10g imposes a length limit on the library name to be loaded by extproc. However, this length limit can be evaded by passing environment variables as part of the library name. Later on the environment variable is expanded allowing the buffer overflow to be exploited. For example '$PATH' is 5 characters long; this passes the length check. However, when expanded '$PATH' becomes many more characters.
Exploitation depends upon the system setup but by trial and error a balance can be found allowing arbitrary code to be executed. No user ID or password is required to exploit this vulnerability.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm) can be used to assess whether your Oracle servers are vulnerable to this.
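Messages 6 and 7 are two instances of one design mistake: a library name is checked (for its directory in #NISR23122004B, for its length in #NISR23122004A) before it has been canonicalised and before any environment variable in it has been expanded, so the string that was checked is not the string that is used. The snippet below, an added example and not Oracle's extproc code, puts the flawed check beside a corrected one. The allow-listed directory, the 64-character limit and the fake environment are constructed; the corrected version expands first, then rejects separators and absolute paths, then resolves the result with os.path.realpath and compares directories.

```python
"""Library-name allow-listing: a check on the raw string beside a check on the
expanded, canonicalised string.  Added example; not Oracle's extproc code."""
import os
import re

ORACLE_BIN = "/opt/oracle/product/10g/bin"   # constructed; stands in for $ORACLE_HOME/bin
MAX_NAME = 64                                 # constructed length limit, for illustration only
VAR_RE = re.compile(r"\$(\w+)|\$\{(\w+)\}")   # $NAME or ${NAME}

def expand_vars(name: str, env: dict) -> str:
    """Expand $VAR / ${VAR} from an explicit environment (so the example is deterministic)."""
    return VAR_RE.sub(lambda m: env.get(m.group(1) or m.group(2), ""), name)

def naive_check(name: str) -> bool:
    """The shape of check the advisories describe: length and prefix tested on the raw
    string, before '..' is resolved and before any variable is expanded."""
    if len(name) > MAX_NAME:
        return False
    return os.path.join(ORACLE_BIN, name).startswith(ORACLE_BIN + os.sep)

def safe_check(name: str, env: dict) -> bool:
    """Validate the string that will actually be used: expand, then constrain, then
    canonicalise and compare the resolved parent directory with the allowed one."""
    expanded = expand_vars(name, env)
    if not expanded or len(expanded) > MAX_NAME:
        return False
    # A bare library name must not carry path separators or be absolute at all.
    if os.path.isabs(expanded) or os.sep in expanded:
        return False
    if os.altsep and os.altsep in expanded:
        return False
    resolved = os.path.realpath(os.path.join(ORACLE_BIN, expanded))
    return os.path.dirname(resolved) == os.path.realpath(ORACLE_BIN)

# Constructed environment: a long PATH, as on most real systems.
FAKE_ENV = {"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:" + "x" * 80}

if __name__ == "__main__":
    for candidate in ("libfoo.so", "../../../../lib/libc.so.6", "$PATH"):
        print("%-28s naive=%-5s safe=%s" % (candidate, naive_check(candidate),
                                             safe_check(candidate, FAKE_ENV)))
```

The naive version accepts both the traversal and the 5-character '$PATH', exactly the two failures the advisories report; the safe version rejects both because it looks at the expanded and resolved value rather than the bytes the caller supplied. The general rule this illustrates is to validate after every transformation the input will undergo, never before.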
________________________________________________________________________
Message: 8
Subject: Oracle clear text passwords (#NISR2122004D)
NGSSoftware Insight Security Research Advisory
Name: Oracle 10g clear text passwords
Systems Affected: Oracle 10g on all operating systems
Severity: Medium Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004D
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004D.txt
Description
***********
The 10g Oracle database server may have passwords in clear text in world readable files.
Details
*******
The password for the SYSMAN account (a DBA) can be found in $ORACLE_HOME/hostname_sid/sysman/config/emoms.properties. This file is world readable.
Also, on installing Oracle 10g if the installer supplies the same password for the SYS, SYSTEM, DBSNMP and SYSMAN accounts and that password has an exclamation mark in it (e.g. f00bar!!) then an error occurs in the DB install when the passwords are set for SYSMAN and DBSNMP. This error is logged to the "postDBCreation.log" logging the password.
alter user SYSMAN identified by f00bar!! account unlock
ERROR at line 1:
ORA-00922: missing or invalid option
alter user DBSNMP identified by f00bar!! account unlock
ERROR at line 1:
ORA-00922: missing or invalid option
This file is world readable giving attackers access to what the passwords are for these powerful accounts. Please note that no error is generated for SYS or SYSTEM and these accounts are assigned the password f00bar!!. The other accounts are given their default passwords.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm) can be used to assess whether your Oracle servers are vulnerable to this.
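Both findings in the advisory above reduce to one audit question: which files under the Oracle home are world-readable and carry a credential? The script below is an added example (not Oracle's or NGS's code) that walks a directory tree, looks for the two file names the advisory cites, reports only those that are readable by "other" and contain a password-shaped line, and can then tighten their modes. Everything in the sample tree is constructed: the hostname_sid directory is named dbhost_orcl, the property keys are made up, and the password values are placeholders; the audit reports a file and line number, never the secret itself.

```python
"""Audit an ORACLE_HOME-style tree for world-readable files that carry credentials,
then tighten their permissions.  Added example; not Oracle's or NGS's code."""
import os
import re
import stat
import tempfile

# File names the advisory cites; found anywhere under the tree.
SENSITIVE_NAMES = {"emoms.properties", "postDBCreation.log"}
# A line that would expose a credential: a password-like property, or an
# ALTER USER ... IDENTIFIED BY statement echoed into a log.
SECRET_RE = re.compile(r"(?i)(identified\s+by\s+\S+|(password|passwd|pwd)\s*=\s*\S+)")

def world_readable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def sensitive_files(root: str):
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn in SENSITIVE_NAMES:
                yield os.path.join(dirpath, fn)

def audit(root: str):
    """Return [(path relative to root, line number)] for every world-readable sensitive
    file line that looks like a credential.  The line content is deliberately not returned."""
    findings = []
    for full in sensitive_files(root):
        if not world_readable(full):
            continue
        with open(full, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if SECRET_RE.search(line):
                    findings.append((os.path.relpath(full, root), lineno))
    return sorted(findings)

def harden(root: str):
    """Remove group and other bits from every sensitive file; return the paths changed."""
    changed = []
    for full in sensitive_files(root):
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            os.chmod(full, mode & stat.S_IRWXU)
            changed.append(os.path.relpath(full, root))
    return sorted(changed)

def build_sample_home() -> str:
    """Constructed ORACLE_HOME with the two files the advisory describes."""
    root = tempfile.mkdtemp(prefix="orahome_")
    cfg = os.path.join(root, "dbhost_orcl", "sysman", "config")   # hostname_sid is constructed
    os.makedirs(cfg)
    props = os.path.join(cfg, "emoms.properties")
    with open(props, "w") as fh:
        fh.write("repository.user=SYSMAN\n")                       # constructed key
        fh.write("repository.password=PLACEHOLDER-NOT-A-REAL-PASSWORD\n")  # constructed key
    os.chmod(props, 0o644)   # world readable: the flawed state
    log = os.path.join(root, "postDBCreation.log")
    with open(log, "w") as fh:
        fh.write("alter user SYSMAN identified by PLACEHOLDER!! account unlock\n")
        fh.write("ERROR at line 1:\nORA-00922: missing or invalid option\n")
    os.chmod(log, 0o640)     # group only: holds a secret but is not world readable
    return root

if __name__ == "__main__":
    home = build_sample_home()
    print("exposed:", audit(home))
    print("tightened:", harden(home))
    print("exposed after hardening:", audit(home))
```

On a real host point audit() at $ORACLE_HOME; the log line pattern also catches the ALTER USER echo the advisory quotes once that log is world-readable, and harden() is the stop-gap until the password itself has been changed, since a secret that was readable must be treated as disclosed.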
________________________________________________________________________
Message: 9
Subject: Oracle Character Conversion Bugs (#NISR2122004G)
NGSSoftware Insight Security Research Advisory
Name: Oracle 10g character conversion bug
Systems Affected: Oracle 10g/AS on all operating systems
Severity: High risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004G
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004G.txt
Description
***********
Due to character conversion problems in Oracle 10g with Oracle's Application server it is possible to bypass pl/sql exclusions and gain access to the database server as SYS.
Details
*******
There is a character conversion bug in 10g that can lead to a compromised backend database server. Both Windows and Linux are affected. Consider the following set up. There's an Oracle HTTP Server (running apache 1.3.22 on Windows) using the PL/SQL module feeding into a 10g box running on Windows and a 10g box running on Linux. The character set for both instances is WE8ISO8859P1. When the app server receives a request of
http://server/pls/windad/%FF%FF%FF%FF%FF
the %FFs are converted to the byte 0xFF (as expected) but sniffing the database response to the app server we get
"ORA-06550: line 8, column 2: PLS-00201: identifier 'YYYYY' must be declared....."
10g, when using the WE8ISO8859P1 character set, converts 0xFF to 0x59 - that is uppercase Y. Due to this conversion an attacker can request
http://server/pls/windad/S%FFS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users
and gain access to "banned" and dangerous procedures. The character set for the HTTP server is set to AMERICAN_AMERICA.WE8ISO8859P1.
If, however, we set the character set on the HTTP Server to ENGLISH_UNITEDKINGDOM.WE8MSWIN1252 not only is the 0xFF still converted to 0x59 but if
http://server/pls/windad/%9F%9F%9F%9F%9F%9F
is requested the _app_server_ (note - not 10g) converts the %9F to a Y and again this allows us to do the following
http://server/pls/windad/S%9FS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users
again giving access to the "banned" and dangerous procedures.
Other character sets and scenarios may cause similar problems.
Fix Information
***************
A patch (#68) was released for this problem by Oracle. See http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm) can be used to assess whether your Oracle servers are vulnerable to this.
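The lesson of the advisory above for anyone operating a PL/SQL gateway is that an exclusion list compared against the raw URL is only as good as the byte-for-byte identity of what reaches the database, and that identity breaks at every character-set conversion. The detection below is an added example written for this page, not Oracle's code; it runs over constructed Apache-style access log lines that reuse the advisory's DAD name windad and its request paths, and uses a constructed exclusion list. Procedure names are ASCII, so it reports any /pls/ request whose procedure part carries a byte at or above 0x80, and it treats each such byte as an unknown character when checking the exclusion list, so the match holds whatever the app server or database turns that byte into (the advisory saw 'Y'; the check does not depend on that).

```python
"""Access-log detection for PL/SQL gateway requests carrying non-ASCII bytes in the
procedure name.  Added example; the log lines and exclusion list are constructed."""
import re
from urllib.parse import unquote_to_bytes

# Constructed stand-in for a gateway exclusion list ("banned" procedures).
EXCLUSIONS = ["SYS.", "OWA_UTIL", "DBMS_"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TARGET_RE = re.compile(r"^/pls/[^/]+/([^?]+)")   # /pls/<dad>/<procedure>[?query]

def gateway_target(path: str):
    """Percent-decoded procedure part of a gateway request as bytes, or None."""
    m = TARGET_RE.match(path)
    return unquote_to_bytes(m.group(1)) if m else None

def folded_name(raw: bytes):
    """Upper-case ASCII bytes; every non-ASCII byte becomes None, an unknown character."""
    return [chr(b).upper() if b < 0x80 else None for b in raw]

def could_spell(name, needle: str) -> bool:
    """True if some assignment of the unknown characters makes needle a substring of name."""
    k = len(needle)
    return any(
        all(name[i + j] is None or name[i + j] == needle[j] for j in range(k))
        for i in range(len(name) - k + 1)
    )

def check_path(path: str):
    """None when the request is clean (not a gateway call, or pure ASCII); otherwise the
    list of exclusion entries the converted name could contain (possibly empty)."""
    raw = gateway_target(path)
    if raw is None or all(b < 0x80 for b in raw):
        return None
    name = folded_name(raw)
    return [entry for entry in EXCLUSIONS if could_spell(name, entry)]

def scan_log(text: str):
    """Return (client ip, path, possibly-matched exclusions) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = check_path(m.group("path"))
        if verdict is not None:
            hits.append((m.group("ip"), m.group("path"), verdict))
    return hits

# Constructed log: one normal gateway call, the three probes from the advisory, one static file.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Dec/2004:10:00:01 +0000] "GET /pls/windad/reports.show?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [23/Dec/2004:10:00:02 +0000] "GET /pls/windad/%FF%FF%FF%FF%FF HTTP/1.1" 404 211
10.0.0.9 - - [23/Dec/2004:10:00:03 +0000] "GET /pls/windad/S%FFS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users HTTP/1.1" 200 1834
10.0.0.9 - - [23/Dec/2004:10:00:04 +0000] "GET /pls/windad/S%9FS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users HTTP/1.1" 200 1834
10.0.0.5 - - [23/Dec/2004:10:00:05 +0000] "GET /images/logo.gif HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for ip, path, matches in scan_log(SAMPLE_LOG):
        print(ip, path, "could reach:", matches or "(no listed entry)")
```

A run of unknown bytes at least as long as an entry can spell that entry, so the all-%FF probe is reported against 'SYS.' and 'DBMS_' as well; that is the intended behaviour, since the point is to alert on every request whose procedure name cannot be compared with the exclusion list reliably. The same wildcard treatment is the safe way to apply an exclusion list inline: a name that merely could match is rejected.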