M-047: Oracle PL/SQL EXTPROC Database Vulnerability

CIAC INFORMATION BULLETIN

M-047: Oracle PL/SQL EXTPROC Database Vulnerability

[Oracle Security Alert #29]

February 27, 2002 20:00 GMT

PROBLEM: An unauthenticated attacker who can reach the Oracle Net listener can connect directly to the EXTPROC process and have it load an arbitrary library and execute an arbitrary function from it; no database credentials are needed at any point.
PLATFORM: All Unix, Linux, and Windows
Oracle Database: Oracle9i, Oracle8i, and Oracle8
DAMAGE: Remote, unauthenticated users can execute arbitrary code on the database host with the OS privileges of the account that runs the Oracle listener, and therefore extproc (by default the Oracle software owner on Unix or LOCAL SYSTEM on Windows).
SOLUTION: Apply the workarounds prescribed below by Oracle; no patch was available when this bulletin was issued.

VULNERABILITY ASSESSMENT: The risk is HIGH. A remote, unauthenticated user can execute arbitrary code on the database host.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-047.shtml
  ORIGINAL BULLETIN: http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf

[***** Start Oracle Security Alert #29 *****]

Oracle Security Alert #29

Dated: 06 February 2002

Oracle PL/SQL EXTPROC in Oracle9i Database
Description
There is a potential security vulnerability in the Oracle PL/SQL package for
External Procedures (EXTPROC) in Oracle9i Database.

The EXTPROC functionality is installed by default in the Oracle Database
installation if the “Typical Installation” option is chosen from the Oracle
Universal Installer Menu. EXTPROC is the agent process through which PL/SQL
calls external procedures, i.e. functions in shared libraries or DLLs on the
database host. The Oracle Listener hands connections for the EXTPROC service
to this process, and extproc itself does not verify that the caller is the
database. When the Listener is configured with a TCP protocol address, a
knowledgeable and malicious user can therefore write an exploit that connects
to an Oracle Database server’s EXTPROC OS process over the network without
having to authenticate. As such, he will be able to have extproc load a
library of his choosing and make arbitrary calls to the underlying OS,
potentially gaining unauthorized administrative access to the machine hosting
the Oracle Database server.

Products affected
Oracle Database (Oracle9i, Oracle8i, Oracle8)

Platforms affected
All (Unix, Linux, Windows)

Workarounds
Use the following workarounds for all releases of the Oracle Database server.

If the PL/SQL EXTPROC functionality is not required, it is recommended that
it be removed from the machine hosting the Oracle Database server. Edit both
$ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA and $ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA
(Unix paths; use the equivalent directory under the Oracle home on Windows) and
remove the EXTPROC entry from each configuration file. In LISTENER.ORA this is
the SID_DESC whose PROGRAM is extproc; in TNSNAMES.ORA it is the connect
descriptor that references that SID. Depending upon the OS and the release of
the Oracle Database server installed, the entry is named one of the following:

* icache_extproc, or
* PLSExtproc, or
* extproc

Also, delete the “extproc” executable ($ORACLE_HOME/bin/extproc on Unix,
extproc.exe under the Oracle home’s bin directory on Windows) from the machine
hosting the Oracle Database server. Removing the configuration entries alone
leaves the binary in place for anyone who can later re-add an entry.

If the PL/SQL EXTPROC functionality is required in your Oracle installation, 
there are 5 steps that must be taken in order to protect against the potential 
security vulnerability identified above.

i. Create 2 Oracle Net Listeners, one for the Oracle database and one for 
   PL/SQL EXTPROC.

   Do not specify any EXTPROC specific entries in the configuration files of the
   Oracle Listener for the database.

   Configure the Oracle Listener for PL/SQL EXTPROC with an IPC protocol address
   only.

   If TCP connectivity is required, configure a TCP protocol address, but use a
   port other than the one the Oracle Listener for the database is using. Ensure
   that the Oracle Listener created for PL/SQL EXTPROC runs as an unprivileged
   OS user (e.g., “nobody” on Unix). On Windows platforms, run the Oracle Net
   Listener process as an unprivileged user and not as the Windows LOCAL SYSTEM
   user.

   On Windows, grant this user the “Log on as a service” right so that the
   Listener service can run under it.

ii. If you have configured the Oracle Listener for PL/SQL EXTPROC with a TCP
    protocol address, modify the EXTPROC specific entry in 
    $ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA to reflect the correct port for the 
    new Oracle Listener.

iii. If you have configured the Listener for PL/SQL EXTPROC with a TCP protocol
     address, ensure that connections to this Oracle Listener can only
     originate from the hosts that need access to EXTPROC, as follows.

     Use an Oracle Net feature called “valid node checking” to allow or deny 
     access to Oracle server processes from network clients with specified IP 
     addresses. Set the following parameters in
     $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA
     ($ORACLE_HOME/NETWORK/ADMIN/PROTOCOL.ORA in Oracle8i and prior releases) to
     enable the valid node checking feature:

     tcp.validnode_checking = YES
     tcp.invited_nodes = (list of IP addresses)
     tcp.excluded_nodes = (list of IP addresses)

     The first parameter turns on the valid node checking feature. The latter two
     parameters respectively specify the IP addresses that are permitted to make
     network connections, or denied from making network connections, to the
     Oracle server processes; each is a comma-separated list in parentheses. If
     both are set, tcp.invited_nodes takes precedence and only the listed hosts
     are admitted. The check is enforced by the Listener when a connection
     arrives, so it protects EXTPROC only if the Listener that serves EXTPROC
     actually reads the file containing these parameters.

     Apply this restriction to the Oracle Listener for PL/SQL EXTPROC only, so
     that database clients are not affected. A separate SQLNET.ORA file is
     required for this Oracle Listener. You can store this file in any directory
     other than the one in which the database LISTENER.ORA and SQLNET.ORA files
     are located. Copy the LISTENER.ORA with the configuration of the Oracle
     Listener for PL/SQL EXTPROC into this other directory as well. Before
     starting the Oracle Listener for PL/SQL EXTPROC, set the TNS_ADMIN
     environment variable (or Windows Registry parameter) to that directory, so
     that the Listener picks up the EXTPROC-specific LISTENER.ORA and SQLNET.ORA
     rather than the database’s copies.

iv. Ensure that the file permissions on the separate LISTENER.ORA (and
    SQLNET.ORA) for the PL/SQL EXTPROC Listener are set to either 640 or 644,
    so that the unprivileged Listener user can read them but only the Oracle
    software owner can change them. With 640, that unprivileged user must be a
    member of the files’ group, or the Listener will fail to start.

v. Change the password of every privileged database account, and of any
   ordinary user that has been granted administrative or system privileges
   allowing it to add packages or libraries to the database (such as CREATE ANY
   LIBRARY), to a strong password that differs from the default provided during
   the initial installation of Oracle.

   Lock and expire all other accounts that are not being used in the database. 
   Read Section 2 of the “Oracle9i Security Checklist” available on OTN at
   http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf for
   details.
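The separation Oracle describes in steps i to iii can be checked mechanically. The following Python script is an added example, not code from Oracle or CIAC: it parses the parenthesised Oracle Net file format, flags any listener that serves an extproc SID on a TCP address or alongside a database SID, and checks that the SQLNET.ORA read by the EXTPROC listener enables valid node checking with an invited-node list. The listener names, SID names, host name, Oracle home path and IP addresses in the embedded sample files are constructed for illustration; run the two audit functions over the contents of your own LISTENER.ORA and of the SQLNET.ORA in the EXTPROC listener’s TNS_ADMIN directory.

```python
"""Audit listener.ora / sqlnet.ora for the EXTPROC exposure in Alert #29 (added example,
not Oracle's or CIAC's code; hosts, SIDs, paths and IPs in the samples are constructed)."""
import re

EXTPROC_SIDS = {"EXTPROC", "PLSEXTPROC", "ICACHE_EXTPROC"}  # the entry names from the alert

def parse_net_file(text):
    """Parse the parenthesised Oracle Net format into {NAME: value}; a value is a bare
    string, a list of (KEY, value) tuples for (KEY = ...) groups, or a list of strings."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # drop comments
    toks = re.findall(r"[(),=]|[^\s(),=]+", body)
    pos = 0

    def value():
        nonlocal pos
        if toks[pos] != "(":                                   # bare value
            pos += 1
            return toks[pos - 1]
        items = []
        while pos < len(toks) and toks[pos] == "(":
            pos += 1
            if pos + 1 < len(toks) and toks[pos + 1] == "=":   # (KEY = value)
                key, pos = toks[pos].upper(), pos + 2
                items.append((key, value()))
            else:                                              # plain (a, b, c) list
                while toks[pos] != ")":
                    if toks[pos] != ",":
                        items.append(toks[pos])
                    pos += 1
            assert toks[pos] == ")", f"expected ')' at token {pos}"
            pos += 1
        return items

    entries = {}
    while pos < len(toks):
        assert pos + 1 < len(toks) and toks[pos + 1] == "=", f"expected '=' at token {pos + 1}"
        name, pos = toks[pos].upper(), pos + 2
        entries[name] = value()
    return entries

def find_all(node, key):
    """Yield every value stored under KEY anywhere below node."""
    if isinstance(node, list):
        for item in node:
            if isinstance(item, tuple):
                if item[0] == key:
                    yield item[1]
                yield from find_all(item[1], key)

def first(node, key): return str(next(find_all(node, key), ""))   # first KEY value or ""

def audit_listener_ora(text):
    """Flag listeners that serve extproc on a TCP address or alongside a database SID."""
    cfg, findings = parse_net_file(text), []
    for name, node in cfg.items():
        addresses = list(find_all(node, "ADDRESS"))
        if name.startswith("SID_LIST_") or not addresses:
            continue                                           # not a listener definition
        protocols = {first(a, "PROTOCOL").upper() for a in addresses}
        extproc, database = [], []
        for desc in find_all(cfg.get("SID_LIST_" + name, []), "SID_DESC"):
            sid = first(desc, "SID_NAME")
            if sid.upper() in EXTPROC_SIDS or first(desc, "PROGRAM").lower() == "extproc":
                extproc.append(sid)
            else:
                database.append(sid or first(desc, "GLOBAL_DBNAME"))
        if extproc and "TCP" in protocols:
            findings.append(f"{name}: extproc SID {extproc} reachable over TCP; use IPC only or apply steps i-iii")
        if extproc and database:
            findings.append(f"{name}: extproc shares a listener with database SID {database}")
    return findings

def audit_sqlnet_ora(text):
    """Check the sqlnet.ora the extproc listener reads from its own TNS_ADMIN directory."""
    cfg, findings = parse_net_file(text), []
    if str(cfg.get("TCP.VALIDNODE_CHECKING", "")).upper() != "YES":
        findings.append("tcp.validnode_checking is not YES")
    if not cfg.get("TCP.INVITED_NODES"):
        findings.append("tcp.invited_nodes is empty: no allow-list of EXTPROC clients")
    return findings

# Constructed sample of the "Typical Installation" layout: one listener with IPC and TCP
# addresses, extproc and the database in the same SID list (the vulnerable case).
DEFAULT_LISTENER_ORA = """
LISTENER = (DESCRIPTION_LIST =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0)))
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))))
SID_LIST_LISTENER = (SID_LIST =
  (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /u01/app/oracle)(PROGRAM = extproc))
  (SID_DESC = (GLOBAL_DBNAME = orcl)(ORACLE_HOME = /u01/app/oracle)(SID_NAME = orcl)))
"""
# Constructed sample of Oracle's workaround: a separate, IPC-only extproc listener.
EXTPROC_LISTENER_ORA = """
LISTENER_EXTPROC = (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))))
SID_LIST_LISTENER_EXTPROC = (SID_LIST =
  (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /u01/app/oracle)(PROGRAM = extproc)))
"""
# Constructed sample sqlnet.ora for that listener's TNS_ADMIN directory (step iii).
EXTPROC_SQLNET_ORA = """
tcp.validnode_checking = YES
tcp.invited_nodes = (10.1.1.5, 10.1.1.6)   # only the hosts that need EXTPROC
"""
```

Calling audit_listener_ora(DEFAULT_LISTENER_ORA) returns two findings (extproc exposed on TCP, and sharing a listener with the database); the hardened listener and sqlnet samples return none. The script inspects configuration only: it does not confirm which OS user the running Listener belongs to (step i) or the file permissions (step iv), and it cannot tell which SQLNET.ORA a running Listener actually loaded, so feed it the file from the EXTPROC listener’s TNS_ADMIN directory, not the database’s, and confirm the live state with lsnrctl status.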

Patch Information
A solution to the potential security vulnerability identified above is being
worked on and will be available by default in a future release of Oracle9i
Database. Check the Oracle Security Alerts web page on OTN at
http://otn.oracle.com/deploy/security/alerts.htm periodically for an update
regarding the availability of this solution. Until then, all releases of the
Oracle Database up to and including Oracle9i Release 9.0.1.x must rely on the
workarounds provided above.

Credits
Oracle Corporation thanks David Litchfield of Next Generation Security Software 
Limited for discovering and promptly bringing this potential security 
vulnerability to Oracle’s attention.
[***** End Oracle Security Alert #29 *****]

CIAC wishes to acknowledge the contributions of Oracle Corporation and NGSSoftware Ltd. for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/