Oracle Listener Control Format Strings

August 14th, 2002

NGSSoftware Insight Security Research Advisory

Name: Oracle Listener Control Format Strings

Systems Affected:  Oracle 9i, 8i on all platforms

Severity: Medium

Category: Format String Vulnerabilities

Vendor URL:   http://www.oracle.com/

Authors:  David Litchfield (david@ngssoftware.com)

Advisory URL: http://www.ngssoftware.com/advisories/ora-lsnrfmtstr.txt

Date:   14th August 2002

Advisory number: #NISR14082002

VNA Reference:  http://www.nextgenss.com/vna/ora-lsnrctl.txt

Description

***********

Oracle provide a tool called the Listener Control utility (lsnrctl) to allow

an Oracle DBA to remotely control the Listener. The Listener is responsible

for dealing with client requests for database services. This control utility

contains an indirect remotely exploitable format string vulnerability.

Details

*******

By default the Oracle Listener is not protected against unauthenticated

access and control. The configuration files of Listeners in such a state can

be modified without the user needing to supply a password. By modifying

certain entries in the listener.ora file, by inserting a format string

exploit, an attacker can gain control of a Listener control utility.

Typically an attack would require the attacker to modify the file and wait

for an Oracle DBA to use the Listener control utility to access the Listener

at which point control over the utility’s path of execution can be gained.

This will give the attacker the ability only to gain control of the DBA’s

machine and not the database server. This is a complex attack and requires

certain “events” to happen and as such the risk is quite low. That said,

Oracle users are urged to apply the patch.

Fix Information

***************

NGSSoftware alerted Oracle to this problem on the 13th May 2002. Oracle have

produced a patch and issued an alert. Please see their bulletin for more

details.

http://otn.oracle.com/deploy/security/pdf/2002alert40rev1.pdf

In the intermin NGSSoftware advise that Oracle DBAs ensure that the Listener

can not be controlled remotely and anonymously.

There are several steps one can take to secure the Listener and hence

prevent exploitation of this format string vulnerability.

One can set in the listener.ora

ADMIN_RESTRICTIONS_lsnrname=ON

This will prevent modifications to the Listener config files. Furthe a

password should be set to limit actions a user can take.

Section Navigation


SC Awards 2008


SC Magazine Awards 2008

NGSSoftware wins 'Best Security Company'.

ITA 2008


2008 International Trade Awards

NGSSoftware named as South-East England regional winners at the 2008 International Trade Awards.

SLBA 2008


South London Business Awards 2008

David Litchfield named as 'Entrepreneur of the Year' at the South London Business Awards 2008.

Latest Vacancies

Experienced CLAS consultant

NGSSoftware are seeking an experienced CLAS consultant capable of writing Security Targets and Evaluation Work Plans for CTAS.

Please send us your CV or resume.

NGS Offices

NGS have offices located in London & St Andrews (UK) and Sydney (Australia).

NGS Consulting

Why do companies around the world – and around the corner – turn to NGS?

Discover what we could do for your business »

NGS Security Training

Find out why we have provided training to some of the world's most security conscious organisations.

Learn from the best!

Speaking Events

We regularly present and speak at international security conferences throughout the world.

OWASP AppSec Europe 2008

AusCERT 2008

ITWeb Security Summit

Customer Testimonials

Read what some of our satisfied customers are saying about us.

NGS Publications

Web Application Hacker's Handbook

Oracle Hacker's Handbook

Database Hacker's Handbook

The Shellcoder's Handbook

SQL Server Security

Configuring IPCop Firewalls


CHECK