Oracle 8i TNS Listener Vulnerability Privacy and Legal Notice

CIAC INFORMATION BULLETIN

L-108: Oracle 8i TNS Listener Vulnerability

[Network Associates, Inc., Covert Labs Security Advisory #50]

July 9, 2001 22:00 GMT

PROBLEM: A buffer overflow vulnerability exists in the Oracle 8i TNS Listener that allows any user to execute arbitrary code on the database server under a security context that grants full control of the database services and, on some platforms, full control of the operating system. The Oracle 8i TNS Listener is responsible for establishing connections between the Oracle database server and a client application. The buffer overflow occurs before any authentication occurs so any user who can send packets to the listener port (TCP: 1521) on the server could exploit this vulnerability.
PLATFORM: Oracle 8i Standard and Enterprise Editions Version 8.1.5, 8.1.6, 8.1.7 and previous versions for Windows, Linux, Solaris, AIX, HP-UX and Tru64 Unix. All servers currently in production already have the patch.
DAMAGE: Remote users can gain root access on an Oracle server.
SOLUTION: Obtain and install patches from Oracle (http://metalink.oracle.com/). Note that you must have an Oracle service account to obtain security patches.
VULNERABILITY
ASSESSMENT:		 The risk is HIGH. Remote users who can send packets to port 1521 on an Oracle 8i server can potentially run arbitrary code on that server.

[Begin Network Associates, Inc., Covert Labs Security Advisory #50]

Vulnerability in Oracle 8i TNS Listener

Network Associates, Inc.
COVERT Labs Security Advisory
June 27, 2001

RISK FACTOR: HIGH

Vulnerable Systems
Vulnerability Overview
Detailed Information
Resolution
Credits
Contact Information
Legal Notice


Synopsis
The Oracle 8i TNS (Transparent Network Substrate) Listener is responsible for establishing and maintaining remote communications with Oracle database services. The Listener is vulnerable to a buffer overflow condition that allows remote execution of arbitrary code on the database server under a security context that grants full control of the database services and, on some platforms, full control of the operating system. Because the buffer overflow occurs prior to any authentication, the listener is vulnerable regardless of any enabled password protection.

This vulnerability has been designated as CVE candidate CAN-2001-499.

RISK FACTOR: HIGH

[ Back to top ]

Vulnerable Systems
Oracle 8i Standard and Enterprise Editions Version 8.1.5, 8.1.6, 8.1.7 and previous versions for Windows, Linux, Solaris, AIX, HP-UX and Tru64 Unix.

[ Back to top ]

Vulnerability Overview
Client connection requests to a remote Oracle service are arbitrated by the TNS Listener. The TNS Listener accepts the client request and establishes a TNS (Transparent Network Substrate) data connection between the client and the service. A TNS connection allows clients and servers to communicate over a network via a common API, regardless of the network protocol used on either end (TCP/IP, IPX, etc). The TNS Listener must be running if queries are to be made by remote clients or databases even if the network protocol is the same.

A default installation listens on TCP port 1521.

Listener administration and monitoring can be done by issuing specific commands to the daemon. Typical requests, such as "STATUS", "PING" and "SERVICES" return a summary of listener configuration and connections. Other requests like "TRC_FILE", "SAVE_CONFIG" and "RELOAD" are used to change the configuration of the listener. An exploitable buffer overflow occurs when any of the command's arguments contains a very large amount of data.

The TNS Listener daemon runs with "LocalSystem" privileges under Windows NT/2000, and with the privileges of the 'oracle' user under Unix. Exploitation of this vulnerability will lead to the remote attacker obtaining these respective privileges.

[ Back to top ]

Detailed Information
The overflow can be triggered with a one-packet command conforming to the Net8 protocol. The client will send a Type-1 (NSPTCN) packet containing the proper Net8 headers and malformed command string with embedded arbitrary code ("shellcode"). Although many of the TNS listener's administrative commands can be limited to trusted users by enabling password authentication, this vulnerability can nevertheless be exploited by using unauthenticated commands such as "STATUS". It is important to note that authentication is not enabled by default.

The command string includes several arguments such as "SERVICE", "VERSION", "USER" and "ARGUMENTS". Any of these can be overfilled with data to initiate the overflow. Under both Windows and UNIX platforms, an extended argument of several thousand bytes will induce a stack overflow.

Under Windows, the stack overflow will facilitate the execution of shellcode by manipulating the SEH (Strunctured Exception Handling) mechanism. Since the listener services runs as "LocalSystem", shellcode will be executed in the same security context. Under UNIX, the listener daemon will often be started by the "oracle" user created during installation. If this is the case, the attacker will gain the privileges of the database administrator.

[ Back to top ]

Resolution
Oracle has produced a patch under bug number 1489683 which is available for download from the Oracle Worldwide Support Services web site, Metalink (http://metalink.oracle.com) for the platforms identified in this advisory. The patch is in production for all supported releases of the Oracle Database Server.

[ Back to top ]

Credits
These vulnerabilities were discovered and documented by Nishad Herath and Brock Tellier of the COVERT Labs at PGP Security.

[ Back to top ]

Contact Information
For more information about the COVERT Labs at PGP Security, visit our website at http://www.pgp.com/research/covert/ or send e-mail to covert@nai.com.

[ Back to top ]

Legal Notice
The information contained within this advisory is Copyright (C) 2001 Networks Associates Technology Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way.

Network Associates and PGP are registered Trademarks of Network Associates, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

[ Back to top ]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[End Network Associates, Inc., Covert Labs Security Advisory #50]

CIAC wishes to acknowledge the contributions of Network Associates, Inc. for the information contained in this bulletin.

DOE-CIRC can be contacted at: 
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/