| VID | 25031 |
| Severity | 40 |
| Port | 1521, ... |
| Protocol | TCP |
| Class | DB |
| Detailed Description |
The Oracle Database server, according to its version number, has a buffer overflow vulnerability in the EXTPROC facility. Oracle's RDBMS, a leading database server package, supports stored packages and procedures through PL/SQL. These packages and procedures can be extended by allowing calls to operating system libraries. Any library loaded in this way is loaded by a process external to the main RDBMS, namely extproc. Extproc is vulnerable to a classic stack-based buffer overflow, which can be exploited remotely by an attacker; no user ID or password is necessary. By issuing a specially crafted long library name, a remote unauthenticated attacker can cause a buffer overrun and cause the affected Oracle Database server to shut down and execute the attacker's code in the security context of the Oracle Database server. On Windows platforms Oracle typically runs in the security context of the LOCAL SYSTEM account and, as such, allows for a complete compromise of the server. On Unix-based systems extproc runs as the 'Oracle' user.
* Note: When the Extproc facility is enabled, this check relies solely on the version number of the remote Oracle Database server to assess this vulnerability, so it may be a false positive.
* References:
  - http://www.nextgenss.com/advisories/ora-extproc.txt
  - http://archives.neohapsis.com/archives/bugtraq/2003-07/0347.html
  - http://www.ciac.org/ciac/bulletins/n-127.shtml
* Platforms Affected: Oracle9i Database Release 2 and Release 1, Oracle8i Database; most OS platforms
| Recommendation |
Use the following workarounds for all releases prior to Oracle9i Database Server Release 9.2.0.2. Apply these workarounds on all releases of the Oracle Database Server if you do not intend to apply the available patch (see the Patch Availability Matrix below).
Workarounds: If the PL/SQL EXTPROC functionality is not required, it is recommended that it be removed from the machine hosting the Oracle Database Server. Edit both $ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA and $ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA (paths shown for a Unix directory structure; use the equivalent directory on Windows) and remove one of the following entries from each configuration file, depending on the OS and the release of the Oracle Database Server installed:
- icache_extproc
- PLSExtproc
- extproc
Also, delete the extproc executable from the machine hosting the Oracle Database Server.
-- OR --
If the affected Oracle Database Server is Oracle 9i Database Release 2, apply an interim (one-off) patch for this vulnerability, as listed below:
- Oracle 9i Database Release 2, version 9.2.0.3
- Oracle 9i Database Release 2, version 9.2.0.2
Oracle has stated that, due to architectural constraints, there are currently no plans to release a patch for versions 9.0.1.4, 8.1.7.4, 8.1.6.x, 8.1.5.x, 8.0.6.3, 8.0.5.x, 7.3.x, or other patchsets of the supported releases.
This one-off patch is available from the Oracle Support Services web site, Metalink (http://metalink.oracle.com).
- Patch Availability Matrix, released as Security Alert 57: http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf
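As an added example (not part of this advisory and not Oracle's own tooling), the following Python audit script parses the Oracle Net (KEY = VALUE) syntax used by LISTENER.ORA and TNSNAMES.ORA and reports every SID_NAME, SID, PROGRAM or IPC KEY entry that names one of the three extproc services the workaround says to remove. The two sample configuration files are constructed, and the function names and the ORACLE_HOME paths in them are assumptions.

```python
import re
# SID / program names the workaround says to remove from TNSNAMES.ORA and LISTENER.ORA.
EXTPROC_NAMES = {"icache_extproc", "plsextproc", "extproc"}

def _parse_groups(tokens):
    """Parse consecutive (KEY = value) groups; stop at the first token that is not '('."""
    items = []
    while tokens and tokens[0] == "(":
        tokens.pop(0)                                   # '('
        key = tokens.pop(0)
        tokens.pop(0)                                   # '='
        val = _parse_groups(tokens) if tokens[:1] == ["("] else tokens.pop(0)
        tokens.pop(0)                                   # ')'
        items.append((key, val))
    return items

def parse_ora(text):
    """Parse Oracle Net's nested (KEY = VALUE) syntax into [(key, value-or-sublist), ...]."""
    tokens = re.findall(r"[()=]|[^\s()=]+", re.sub(r"#.*", "", text))  # '#' starts a comment
    entries = []
    while tokens:
        key = tokens.pop(0)
        tokens.pop(0)                                   # '='
        val = _parse_groups(tokens) if tokens[:1] == ["("] else tokens.pop(0)
        entries.append((key, val))
    return entries

def find_extproc(tree, path=()):
    """Return (dotted.path, value) for each SID_NAME/SID/PROGRAM/KEY that names extproc."""
    hits = []
    for key, val in tree:
        here = path + (key,)
        if isinstance(val, list):
            hits.extend(find_extproc(val, here))
        elif key.upper() in {"SID_NAME", "SID", "PROGRAM", "KEY"} and val.lower() in EXTPROC_NAMES:
            hits.append((".".join(here), val))
    return hits

# Constructed sample configuration files (not taken from any real host).
LISTENER_ORA = """SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc) (ORACLE_HOME = /u01/app/oracle/product/9.2.0) (PROGRAM = extproc))
    (SID_DESC = (GLOBAL_DBNAME = orcl) (ORACLE_HOME = /u01/app/oracle/product/9.2.0) (SID_NAME = orcl))
  )"""
TNSNAMES_ORA = """EXTPROC_CONNECTION_DATA =
  (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC)))
                 (CONNECT_DATA = (SID = PLSExtProc) (PRESENTATION = RO)))
ORCL = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1521))
                      (CONNECT_DATA = (SERVICE_NAME = orcl)))"""

if __name__ == "__main__":
    for name, text in (("listener.ora", LISTENER_ORA), ("tnsnames.ora", TNSNAMES_ORA)):
        for path, value in find_extproc(parse_ora(text)):
            print(f"{name}: {path} = {value}   <- extproc entry; remove if EXTPROC is not required")
```

An empty result for both files means no extproc service is configured; any hit points at the exact entry the workaround above tells you to remove.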
| Related URL | CVE-2003-0634 (CVE) |
| Related URL | 8267 (SecurityFocus) |
| Related URL | 12721 (ISS) |