| VID | 12028 |
| Severity | 40 |
| Port | 1521, ... |
| Protocol | TCP |
| Class | DB |
| Detailed Description |
The Oracle Net Listener is vulnerable to a buffer overflow attack via a long SERVICE_NAME parameter. The Listener listens on a TCP port (generally 1521) for client requests to use the database. On receiving a request, the client is handed off to an instance of the database. The request, packaged in a valid TNS packet, is of the form:

```
(DESCRIPTION=(ADDRESS= (PROTOCOL=TCP)(HOST=x.x.x.x) (PORT=1521))(CONNECT_DATA= (SERVICE_NAME=myorcl.ngssoftware.com) (CID= (PROGRAM=X:\ORACLE\iSuites\BIN\SQLPLUSW.EXE) (HOST=foo)(USER=bar))))
```
By supplying an overly long SERVICE_NAME parameter, a remote attacker can overflow the buffer and execute arbitrary code on the system in the context of the Local SYSTEM account on Windows platforms. This is the result of an error in logging an oversized SERVICE_NAME received as part of a TNS packet. Because the overflow occurs before the error message is actually written to the log file it may be difficult to detect if an attack has occurred.
* Platforms Affected: Oracle Any Version, prior to Oracle9i release 2
* References: http://www.securityfocus.com/bid/4845 , http://otn.oracle.com/deploy/security/pdf/net9_dos_alert.pdf
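Because the advisory notes that the listener's own log is an unreliable record of an oversized SERVICE_NAME, a defender who captures connect descriptors elsewhere (a network tap, a proxy, or an application log) needs to parse them. The following is an added example, not code from the advisory or from Oracle: a small parser for the keyword-value descriptor shape quoted above, with a length check on SERVICE_NAME. The sample descriptor is constructed from the advisory's text, and the 64-character flagging threshold is an assumed review limit, not the size of the vulnerable buffer, which the advisory does not state.

```python
# Added example (not from the advisory or Oracle): parse a TNS connect
# descriptor and flag SERVICE_NAME values over an assumed review threshold.

# Constructed sample, copied from the descriptor shape shown in the advisory.
SAMPLE_DESCRIPTOR = (
    r"(DESCRIPTION=(ADDRESS= (PROTOCOL=TCP)(HOST=x.x.x.x) (PORT=1521))"
    r"(CONNECT_DATA= (SERVICE_NAME=myorcl.ngssoftware.com) (CID= "
    r"(PROGRAM=X:\ORACLE\iSuites\BIN\SQLPLUSW.EXE) (HOST=foo)(USER=bar))))"
)

SERVICE_NAME_LIMIT = 64  # assumed flagging threshold, not Oracle's buffer size


def parse_tns(text):
    """Parse a TNS keyword-value descriptor into nested dicts.

    "(KEY=value)" -> {"KEY": "value"}; "(KEY=(A=1)(B=2))" -> {"KEY": {"A": "1", "B": "2"}}.
    A key repeated at the same level (several ADDRESS entries, say) becomes a list.
    """
    text = text.strip()
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_entries():
        nonlocal pos
        entries = {}
        while pos < len(text) and text[pos] == "(":
            pos += 1                               # consume "("
            eq = text.index("=", pos)
            key = text[pos:eq].strip().upper()
            pos = eq + 1
            skip_ws()
            if pos >= len(text):
                raise ValueError("unterminated entry for %s" % key)
            if text[pos] == "(":
                value = parse_entries()            # nested list of entries
            else:
                close = text.index(")", pos)       # scalar value runs to ")"
                value = text[pos:close].strip()
                pos = close
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1                               # consume ")"
            if key in entries:                     # repeated key -> list
                if not isinstance(entries[key], list):
                    entries[key] = [entries[key]]
                entries[key].append(value)
            else:
                entries[key] = value
            skip_ws()
        return entries

    parsed = parse_entries()
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return parsed


def oversized_service_names(descriptor, limit=SERVICE_NAME_LIMIT):
    """Return every SERVICE_NAME value in the tree longer than `limit` characters."""
    hits = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "SERVICE_NAME" and isinstance(value, str) and len(value) > limit:
                    hits.append(value)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(descriptor)
    return hits


if __name__ == "__main__":
    tree = parse_tns(SAMPLE_DESCRIPTOR)
    print(tree["DESCRIPTION"]["CONNECT_DATA"]["SERVICE_NAME"])
    print("oversized:", oversized_service_names(tree))
```

The parser is deliberately strict: a descriptor with unbalanced parentheses or trailing bytes raises instead of returning a partial tree, so malformed packets surface as errors rather than silently passing the length check.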
| Recommendation |
This vulnerability occurs for all versions of Oracle running prior to Oracle9i release 2. Patches are available for Oracle 9.0.1 (patch number 2367681) on Windows and for Oracle 8.0.6.x (patch number 2303242) on VM. No patch is yet available for the other platforms and older versions of the listener. Download currently available patches from Oracle Worldwide Support web site, Metalink, http://metalink.oracle.com. Activate the "Patches" button to get to the patches Web page. Enter the patch number as indicated above and activate the "Submit" button.
-- OR --
Upgrade the listener to Oracle9i Release 2. Installing or upgrading only needs to be done on the listener, not necessarily on the database.
-- OR --
Not all versions of Oracle have been patched. If a patch is not available for your version of the listener, you should take actions to restrict who can access the listener. One method of limiting access is to restrict the IP addresses that are allowed to connect to the listener. This can be controlled by setting the validnode_checking parameter in the protocol.ora file to restrict access to an Oracle database based on network address. The protocol.ora file is located in $ORACLE_HOME/network/admin on UNIX and ORACLE_HOME\network\admin on Windows platforms, or in the directory specified by the TNS_ADMIN environment variable or registry value.
```
tcp.validnode_checking = YES
tcp.invited_nodes = (webserver.appsecinc.com, 192.168.1.110)
tcp.excluded_nodes = (attackers.com, 144.25.5.25, 234.12.3.12)
```

The first line enables this feature. The invited nodes list holds the hosts, by DNS name or IP address, that are allowed to connect. The excluded nodes list holds the hosts that are not allowed to connect to the database.
Note that the tcp.invited_nodes parameter takes precedence over the tcp.excluded_nodes parameter if both lists are present.
This solution is still not perfect since you cannot include a list of all the addresses that should not access your database, and maintaining the list of allowed users would involve a significant amount of administrative work. Also note that spoofing IP addresses, which is very possible although it does require some hacking skills, makes this security feature unreliable. If you must use this solution, it is recommended that your database be behind a firewall.
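To see what the three settings above actually decide, here is an added example, not code from the advisory or from Oracle, that parses a protocol.ora excerpt built from the advisory's sample values and applies the stated precedence rule to a client host. The interpretation of "invited takes precedence" as "when tcp.invited_nodes is set, only its members may connect and tcp.excluded_nodes is not consulted" is an assumption of this example; the host names and addresses are the advisory's own sample values.

```python
# Added example (not from the advisory or Oracle): evaluate protocol.ora
# validnode checking for a client host, modelling the precedence rule as
# "invited list present -> only invited hosts connect, excluded list ignored".

# Constructed protocol.ora excerpt using the advisory's sample values.
PROTOCOL_ORA = """
tcp.validnode_checking = YES
tcp.invited_nodes = (webserver.appsecinc.com, 192.168.1.110)
tcp.excluded_nodes = (attackers.com, 144.25.5.25, 234.12.3.12)
"""


def parse_protocol_ora(text):
    """Return {parameter: value}; parenthesised lists become lower-cased Python lists."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                               # not a parameter line
        key, value = key.strip().lower(), value.strip()
        if value.startswith("(") and value.endswith(")"):
            settings[key] = [item.strip().lower()
                             for item in value[1:-1].split(",") if item.strip()]
        else:
            settings[key] = value
    return settings


def node_allowed(settings, node):
    """Apply validnode checking to one client host name or IP address.

    The decision is only as good as the address it is given: the advisory notes
    that a spoofed source address defeats it, so it complements a firewall
    rather than replacing one.
    """
    if settings.get("tcp.validnode_checking", "").upper() != "YES":
        return True                                # feature disabled: no filtering
    node = node.lower()
    invited = settings.get("tcp.invited_nodes")
    if invited:                                    # invited list present: it wins
        return node in invited
    return node not in settings.get("tcp.excluded_nodes", [])


if __name__ == "__main__":
    cfg = parse_protocol_ora(PROTOCOL_ORA)
    for host in ("192.168.1.110", "144.25.5.25", "10.0.0.7"):
        print(host, "allowed" if node_allowed(cfg, host) else "denied")
```

Note what the precedence rule implies for operations: once an invited list exists, a host that appears in neither list (10.0.0.7 above) is denied, which is why the advisory warns that keeping the allowed list current is an ongoing administrative cost.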
| Related URL | CVE-2002-0965 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |