Oracle ISQLPlus file access vulnerability (#NISR2122004E)

From: NGSSoftware Insight Security Research (nisr_at_NEXTGENSS.COM)
Date: 12/23/04

  • Next message: NGSSoftware Insight Security Research: "Oracle TNS Listener DoS (#NISR2122004F)"
    Date:         Thu, 23 Dec 2004 16:35:28 -0000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    NGSSoftware Insight Security Research Advisory

    Name: Oracle ISQL*Plus load.uix file access
    Systems Affected: Oracle 10g AS on all operating systems
    Severity: Medium
    Vendor URL: http://www.oracle.com/
    Author: David Litchfield [ davidl at ngssoftware.com ]
    Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
    Date of Public Advisory: 23rd December 2004
    Advisory number: #NISR2122004E
    Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004E.txt

    Description
    ***********
    The 10g Oracle Application Server installs ISQL*Plus. Once logged in, an
    attacker can use load.uix to read files on the server.

    Details
    *******
    From isqlplus it is possible to load a script and execute it. On navigating
    to http://server:5560/isqlplus/load.uix two input boxes are displayed - one
    called "URL" and the other "File". By entering in a full path an attacker
    can load and read any file that the oracle user can read. For example
    "/etc/passwd" on Linux or "C:\boot.ini" on windows. An attacker can read the
    the files mentioned in #NISR2122004D to gain the privileges of SYSMAN.

    Fix Information
    ***************
    A patch (#68) was released for this problem by Oracle. See
    http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
    (http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
    your Oracle servers are vulnerable to this.

    About NGSSoftware
    *****************
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting, offers best of breed security consulting
    services, specialising in application, host and network security
    assessments.

    http://www.ngssoftware.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com

    --
    Editor's Note: The 43rd Most Powerful Person in Networking says...
    Register today to take the TruSecure ICSA exam by 12/31/04  at
    <http://www.2test.com> ,  use promo code "CT1204" and you will pay just
    $221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
    for international delivery.
    Visit <https://ticsa.trusecure.com>  for complete details regarding the
    TICSA credential and to take the free sample exam.
    --
    

  • Next message: NGSSoftware Insight Security Research: "Oracle TNS Listener DoS (#NISR2122004F)"

    Relevant Pages