[VulnWatch] Oracle extproc local command execution (#NISR23122004C)

From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: 12/23/04

  • Next message: NGSSoftware Insight Security Research: "[VulnWatch] Oracle clear text passwords (#NISR2122004D)"
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <ntbugtraq@listserv.ntbugtraq.com>
    Date: Thu, 23 Dec 2004 16:33:51 -0000

    NGSSoftware Insight Security Research Advisory

    Name: Oracle 10g/9i extproc local command execution
    Systems Affected: Oracle 10g/9i on all operating systems
    Severity: Medium Risk
    Vendor URL: http://www.oracle.com/
    Author: David Litchfield [ davidl at ngssoftware.com ]
    Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
    Date of Public Advisory: 23rd December 2004
    Advisory number: #NISR23122004C
    Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004C.txt

    The Oracle database server supports PL/SQL, a programming language. PL/SQL
    can execute external procedures via extproc. Over the past few years there
    has been a number of vulnerabilities in this area:


    Extproc is intended only to accept requests from the Oracle database server
    but local users can still execute commands bypassing this restriction.

    No authentication takes place when extproc is asked to load a library and
    execute a function. This allows local users to run commands as the Oracle
    user (oracle on unix and system on Windows). If configured properly, under
    10g, extproc runs as nobody on *nix systems so the risk posed here is
    minimal but still present.

    Fix Information
    Oracle has responded saying this is "expected behaviour" and they are not
    going to fix it. NGSSoftware believes this does pose a security risk.
    NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm), can be
    used to assess whether your Oracle servers are vulnerable to this.

    About NGSSoftware
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting, offers best of breed security consulting
    services, specialising in application, host and network security


    Telephone +44 208 401 0070
    Fax +44 208 401 0076


  • Next message: NGSSoftware Insight Security Research: "[VulnWatch] Oracle clear text passwords (#NISR2122004D)"