__________________________________________________________

               The U.S. Department of Energy
           Computer Incident Advisory Center
__________________________________________________________

                     INFORMATION BULLETIN

                Oracle 8i TNS Listener Vulnerability
   [Network Associates, Inc., Covert Labs Security Advisory #50]

July 9, 2001 22:00 GMT                                        Number L-108
______________________________________________________________________________

PROBLEM:       A buffer overflow vulnerability exists in the Oracle 8i TNS
               Listener that allows any user to execute arbitrary code on
               the database server under a security context that grants
               full control of the database services and, on some
               platforms, full control of the operating system. The Oracle
               8i TNS Listener is responsible for establishing connections
               between the Oracle database server and a client
               application. The buffer overflow occurs before any
               authentication takes place, so any user who can send
               packets to the listener port (TCP 1521) on the server could
               exploit this vulnerability.

PLATFORM:      Oracle 8i Standard and Enterprise Editions Version 8.1.5,
               8.1.6, 8.1.7 and previous versions for Windows, Linux,
               Solaris, AIX, HP-UX and Tru64 Unix. All servers currently
               in production already have the patch.

DAMAGE:        Remote users can gain root access on an Oracle server.

SOLUTION:      Obtain and install patches from Oracle
               (http://metalink.oracle.com/). Note that you must have an
               Oracle service account to obtain security patches.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. Remote users who can send packets to port
ASSESSMENT:    1521 on an Oracle 8i server can potentially run arbitrary
               code on that server.
______________________________________________________________________________

[Begin Network Associates, Inc., Covert Labs Security Advisory #50]

Vulnerability in Oracle 8i TNS Listener

Network Associates, Inc.
COVERT Labs Security Advisory
June 27, 2001

RISK FACTOR: HIGH

Synopsis
========

The Oracle 8i TNS (Transparent Network Substrate) Listener is responsible for establishing and maintaining remote communications with Oracle database services. The Listener is vulnerable to a buffer overflow condition that allows remote execution of arbitrary code on the database server under a security context that grants full control of the database services and, on some platforms, full control of the operating system. Because the buffer overflow occurs prior to any authentication, the listener is vulnerable regardless of any enabled password protection.

This vulnerability has been designated as CVE candidate CAN-2001-499.

RISK FACTOR: HIGH

Vulnerable Systems
==================

Oracle 8i Standard and Enterprise Editions Version 8.1.5, 8.1.6, 8.1.7 and previous versions for Windows, Linux, Solaris, AIX, HP-UX and Tru64 Unix.

Vulnerability Overview
======================

Client connection requests to a remote Oracle service are arbitrated by the TNS Listener. The TNS Listener accepts the client request and establishes a TNS (Transparent Network Substrate) data connection between the client and the service. A TNS connection allows clients and servers to communicate over a network via a common API, regardless of the network protocol used on either end (TCP/IP, IPX, etc.). The TNS Listener must be running if queries are to be made by remote clients or databases, even if the network protocol is the same. A default installation listens on TCP port 1521.

Listener administration and monitoring can be done by issuing specific commands to the daemon. Typical requests, such as "STATUS", "PING" and "SERVICES", return a summary of listener configuration and connections. Other requests, such as "TRC_FILE", "SAVE_CONFIG" and "RELOAD", are used to change the configuration of the listener.
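Because the overflow described in the synopsis is triggered before any authentication, the practical network-side control is to spot a connect packet whose listener command carries an argument far larger than any of the short values ("status", a service name, a version number) the commands above normally take. The following inspector is an added example written for this bulletin, not code from CIAC, Network Associates or Oracle. It assumes the commonly documented Net8 connect-packet layout (8-byte common header, connect data length at offset 24 and connect data offset at offset 26), and the threshold MAX_ARG_LEN, the packet builder and both sample packets are constructed for the example.

```python
import re
import struct

# Net8/TNS packet type 1 is NSPTCN, the connect request that carries the
# listener command string (STATUS, PING, SERVICES, ...) discussed above.
TNS_TYPE_CONNECT = 1

# Constructed threshold for this example. Ordinary listener commands carry
# short arguments; a value of this size in a command argument is never
# legitimate. Tune it for your environment.
MAX_ARG_LEN = 256

# Leaf (KEY=value) pairs in a connect string such as
# (CONNECT_DATA=(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)).
LEAF_RE = re.compile(r"\(([A-Za-z_]+)=([^()]*)\)")


def parse_tns_connect(packet: bytes) -> dict:
    """Return the declared length and the connect-data string of a TNS
    connect packet.

    Assumed layout (the commonly documented Net8 header, not taken from the
    advisory): an 8-byte common header (packet length, packet checksum,
    packet type, reserved byte, header checksum), then the connect fields,
    with the connect data length at packet offset 24 and the connect data
    offset at 26, all big-endian. Neither the declared length nor the
    offset/length pair is trusted without a bounds check."""
    if len(packet) < 28:
        raise ValueError("packet too short for a TNS connect header")
    pkt_len, _cksum, pkt_type = struct.unpack(">HHB", packet[:5])
    if pkt_type != TNS_TYPE_CONNECT:
        raise ValueError("not a TNS connect (NSPTCN) packet")
    data_len, data_off = struct.unpack(">HH", packet[24:28])
    if data_off < 28 or data_off + data_len > len(packet):
        raise ValueError("connect data offset/length exceed the packet")
    connect = packet[data_off:data_off + data_len].decode("latin-1")
    return {"declared_length": pkt_len, "connect_data": connect}


def leaf_arguments(connect_data: str) -> dict:
    """Map each leaf KEY of the connect string to its value (keys upper-cased)."""
    return {k.upper(): v for k, v in LEAF_RE.findall(connect_data)}


def inspect_connect(packet: bytes) -> list:
    """Return findings for one connect packet; an empty list means the
    packet looks like an ordinary listener command."""
    findings = []
    info = parse_tns_connect(packet)
    if info["declared_length"] != len(packet):
        findings.append("declared length %d differs from actual %d"
                        % (info["declared_length"], len(packet)))
    for key, value in leaf_arguments(info["connect_data"]).items():
        if len(value) > MAX_ARG_LEN:
            findings.append("oversized %s argument (%d bytes)" % (key, len(value)))
    return findings


def build_connect_packet(connect_data: str) -> bytes:
    """Construct a minimal TNS connect packet around a connect string.
    Test fixture for the inspector, not a client implementation; the
    fixed-field values are plausible constants, not captured traffic."""
    body = connect_data.encode("latin-1")
    data_off = 8 + 42          # common header + the 42 bytes of fields below
    total = data_off + len(body)
    if total > 0xFFFF:
        raise ValueError("fixture only builds single-packet connect requests")
    fields = struct.pack(">HHHHHHHHHHIBB", 0x0136, 0x012C, 0, 2048, 32767,
                         0x4F98, 0, 1, len(body), data_off, 2048, 0x41, 0x41)
    fields += bytes(16)        # trace cross-facility items and connection id, zeroed
    header = struct.pack(">HHBBH", total, 0, TNS_TYPE_CONNECT, 0, 0)
    return header + fields + body


# Constructed samples: an ordinary STATUS request, and the same request with
# its ARGUMENTS value padded with filler far beyond any legitimate size.
NORMAL_CONNECT = ("(CONNECT_DATA=(COMMAND=status)(ARGUMENTS=64)"
                  "(SERVICE=LISTENER)(VERSION=135290880))")
OVERSIZED_CONNECT = NORMAL_CONNECT.replace(
    "(ARGUMENTS=64)", "(ARGUMENTS=" + "A" * 600 + ")")
NORMAL_PACKET = build_connect_packet(NORMAL_CONNECT)
OVERSIZED_PACKET = build_connect_packet(OVERSIZED_CONNECT)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PACKET), ("oversized", OVERSIZED_PACKET)):
        print(name, inspect_connect(pkt) or "ok")
```

The inspector flags the length of any leaf argument rather than only "ARGUMENTS", since the advisory names several overfillable arguments, and it refuses packets whose offset/length fields point outside the buffer so that a sensor running this check is not itself tripped up by malformed input.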
An exploitable buffer overflow occurs when any of the command's arguments contains a very large amount of data. The TNS Listener daemon runs with "LocalSystem" privileges under Windows NT/2000, and with the privileges of the 'oracle' user under Unix. Exploitation of this vulnerability will lead to the remote attacker obtaining these respective privileges.

Detailed Information
====================

The overflow can be triggered with a one-packet command conforming to the Net8 protocol. The client sends a Type-1 (NSPTCN) packet containing the proper Net8 headers and a malformed command string with embedded arbitrary code ("shellcode"). Although many of the TNS listener's administrative commands can be limited to trusted users by enabling password authentication, this vulnerability can nevertheless be exploited by using unauthenticated commands such as "STATUS". It is important to note that authentication is not enabled by default.

The command string includes several arguments such as "SERVICE", "VERSION", "USER" and "ARGUMENTS". Any of these can be overfilled with data to initiate the overflow. Under both Windows and UNIX platforms, an extended argument of several thousand bytes will induce a stack overflow.

Under Windows, the stack overflow will facilitate the execution of shellcode by manipulating the SEH (Structured Exception Handling) mechanism. Since the listener service runs as "LocalSystem", shellcode will be executed in the same security context.

Under UNIX, the listener daemon will often be started by the "oracle" user created during installation. If this is the case, the attacker will gain the privileges of the database administrator.

Resolution
==========

Oracle has produced a patch under bug number 1489683, which is available for download from the Oracle Worldwide Support Services web site, Metalink (http://metalink.oracle.com), for the platforms identified in this advisory.
The patch is in production for all supported releases of the Oracle Database Server.

Credits
=======

These vulnerabilities were discovered and documented by Nishad Herath and Brock Tellier of the COVERT Labs at PGP Security.

Contact Information
===================

For more information about the COVERT Labs at PGP Security, visit our website at http://www.pgp.com/research/covert/ or send e-mail to covert@nai.com.

Legal Notice
============

The information contained within this advisory is Copyright (C) 2001 Networks Associates Technology Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. Network Associates and PGP are registered Trademarks of Network Associates, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

[End Network Associates, Inc., Covert Labs Security Advisory #50]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Network Associates, Inc. for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-098: Microsoft Index Server ISAPI Extension Buffer Overflow
L-099: SGI PCP Pmpost Symlink Vulnerability
L-100: FrontPage Sub-Component Vulnerability
L-101: Microsoft LDAP Over SSL Password Vulnerability
L-102: HP OpenView Network Node Manager Security Vulnerability
L-103: Sun ypbind Buffer Overflow Vulnerability
L-104: SuSE Linux, xinetd Buffer Overflow
L-105: Samba Security Vulnerability
L-106: Cisco IOS HTTP Authorization Vulnerability
L-107: Microsoft Authentication Error in SMTP Service