Oracle extproc local command execution (#NISR23122004C)

From: NGSSoftware Insight Security Research (nisr_at_NEXTGENSS.COM)
Date: 12/23/04

  • Next message: NGSSoftware Insight Security Research: "Oracle clear text passwords (#NISR2122004D)"
    Date:         Thu, 23 Dec 2004 16:33:51 -0000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    NGSSoftware Insight Security Research Advisory

    Name: Oracle 10g/9i extproc local command execution
    Systems Affected: Oracle 10g/9i on all operating systems
    Severity: Medium Risk
    Vendor URL: http://www.oracle.com/
    Author: David Litchfield [ davidl at ngssoftware.com ]
    Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
    Date of Public Advisory: 23rd December 2004
    Advisory number: #NISR23122004C
    Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004C.txt

    Description
    ***********
    The Oracle database server supports PL/SQL, a programming language. PL/SQL
    can execute external procedures via extproc. Over the past few years there
    has been a number of vulnerabilities in this area:

    http://www.nextgenss.com/advisories/oraplsextproc.txt
    http://www.nextgenss.com/advisories/ora-extproc.txt

    Extproc is intended only to accept requests from the Oracle database server
    but local users can still execute commands bypassing this restriction.

    Details
    *******
    No authentication takes place when extproc is asked to load a library and
    execute a function. This allows local users to run commands as the Oracle
    user (oracle on unix and system on Windows). If configured properly, under
    10g, extproc runs as nobody on *nix systems so the risk posed here is
    minimal but still present.

    Fix Information
    ***************
    Oracle has responded saying this is "expected behaviour" and they are not
    going to fix it. NGSSoftware believes this does pose a security risk.
    NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm), can be
    used to assess whether your Oracle servers are vulnerable to this.

    About NGSSoftware
    *****************
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting, offers best of breed security consulting
    services, specialising in application, host and network security
    assessments.

    http://www.ngssoftware.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com

    --
    Editor's Note: The 43rd Most Powerful Person in Networking says...
    Register today to take the TruSecure ICSA exam by 12/31/04  at
    <http://www.2test.com> ,  use promo code "CT1204" and you will pay just
    $221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
    for international delivery.
    Visit <https://ticsa.trusecure.com>  for complete details regarding the
    TICSA credential and to take the free sample exam.
    --
    

  • Next message: NGSSoftware Insight Security Research: "Oracle clear text passwords (#NISR2122004D)"

    Relevant Pages