[NEWS] Oracle Listener Control Format Strings

From: support@securiteam.com
Date: 08/19/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 19 Aug 2002 14:31:01 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Oracle Listener Control Format Strings
------------------------------------------------------------------------

SUMMARY

Oracle provides a tool called the Listener Control utility (lsnrctl) to
allow an Oracle DBA to remotely control the Listener. The Listener is
responsible for dealing with client requests for database services. This
control utility contains an indirect remotely exploitable format string
vulnerability.

DETAILS

Vulnerable systems:
 * Oracle 9i, 8i on all platforms

By default, the Oracle Listener is not protected against unauthenticated
access and control. The configuration files of Listeners in such a state
can be modified without the user needing to supply a password. By
modifying certain entries in the listener.ora file, by inserting a format
string exploit, an attacker can gain control of a Listener control
utility. Typically an attack would require the attacker to modify the file
and wait for an Oracle DBA to use the Listener control utility to access
the Listener at which point control over the utility's path of execution
can be gained. This will give the attacker the ability only to gain
control of the DBA's machine and not the database server. This is a
complex attack and requires certain "events" to happen and as such, the
risk is quite low. That said, Oracle users are urged to apply the patch.

Fix Information:
NGSSoftware alerted Oracle to this problem on 13 May 2002. Oracle have
produced a patch and issued an alert. Please see their bulletin for more
details.

 <http://otn.oracle.com/deploy/security/pdf/2002alert40rev1.pdf>
http://otn.oracle.com/deploy/security/pdf/2002alert40rev1.pdf

In the meanwhile NGSSoftware, advises that Oracle DBAs ensure that the
Listener cannot be controlled remotely and anonymously.

There are several steps one can take to secure the Listener and hence
prevent exploitation of this format string vulnerability.

One can set in the listener.ora

ADMIN_RESTRICTIONS_lsnrname=ON

This will prevent modifications to the Listener config files. Further a
password should be set to limit actions a user can take.

ADDITIONAL INFORMATION

The original advisory can be viewed at:
 <http://www.ngssoftware.com/advisories/ora-lsnrfmtstr.txt>
http://www.ngssoftware.com/advisories/ora-lsnrfmtstr.txt

The information has been provided by <mailto:david@ngssoftware.com> David
Litchfield.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages