CERT-In Vulnerability Note
CIVN-2003-0004
Buffer Overflows in EXTPROC of Oracle Database Server
Original Issue Date: July 26, 2003
Severity Rating: LOW
Systems Affected
- Oracle9i Release 2
- Oracle9i Release 1
- Oracle8i (8.1.x - all releases)
Overview
Oracle provides a method of calling functions outside the database by creating external procedure servers. This feature extends Oracle's functionality and is very useful. However, if the ability to send commands to these external procedure servers is not properly restricted, anonymous users can gain control of the operating system. An attacker can write an exploit that reaches the underlying operating system calls, gaining unauthorized administrative access to the Oracle Database Server.
Impact
This flaw in an organization's database server could allow an attacker to execute code against the system. The main concern with this type of an attack is that a company insider could gain a higher level of privilege on the server.
Description
The security threat is rated low because exploiting the process requires the CREATE LIBRARY or CREATE ANY LIBRARY privilege.
An earlier vulnerability in the Oracle package allowed an attacker to force extproc to load any operating system library and execute any function. Oracle fixed that bug by logging attempts to load libraries unless the call came from the local machine. Remote attempts were logged, but this logging led to a classic stack-based buffer overflow vulnerability. By supplying a long library name, a stack-based buffer is overflowed, overwriting the saved return address on the stack. When the vulnerable procedure returns, control over the process's path of execution can be gained. As this does not require a user ID or password, it must be stressed that this is a critical vulnerability. On Windows platforms Oracle typically runs in the security context of the LOCAL SYSTEM account and, as such, allows for a complete compromise of the server. On Unix-based systems extproc runs as the 'Oracle' user. As the 'Oracle' user typically owns the software binaries and data files, an attacker exploiting this can completely subvert the integrity of the database software and data.
Workaround
- Remove EXTPROC functionality if it is not needed by editing the following files (located under $ORACLE_HOME/NETWORK/ADMIN on Unix and in the equivalent directory on Windows):
  $ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA
  $ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA
- The following entries should be removed from each of the configuration files, depending upon the OS and the release of the Oracle Database Server installed:
  * icache_extproc, or
  * PLSExtproc, or
  * extproc
- If the PL/SQL EXTPROC functionality is required, the following steps must be taken in order to protect against the security vulnerability identified above:
  a. Create two Oracle Net Listeners, one for the Oracle database and one for PL/SQL EXTPROC. No EXTPROC-specific entries should be specified in the configuration files of the Oracle Listener for the database.
  b. Configure the Oracle Listener for PL/SQL EXTPROC with an IPC protocol address only. If TCP connectivity is required, configure a TCP protocol address, but use a port other than the one the Oracle Listener for the database is using.
  c. Ensure that the Oracle Listener created for PL/SQL EXTPROC runs as an unprivileged OS user (e.g., "nobody" on Unix). On Windows platforms, run the Oracle Net Listener process as an unprivileged user and not as the Windows LOCAL SYSTEM user.
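As an added illustration (not part of this CERT-In note or of Oracle's alert), the listener.ora and tnsnames.ora fragments below show the weak single-listener layout beside the two-listener layout that steps a to c describe. The hostname, ORACLE_HOME path, database SID and IPC key are placeholders.

```text
# listener.ora --- BEFORE (weak): one listener serves both the database and EXTPROC
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = orcl)(ORACLE_HOME = /u01/app/oracle/product/9.2.0))
    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /u01/app/oracle/product/9.2.0)(PROGRAM = extproc))
  )

# listener.ora --- AFTER (hardened): the database listener carries no EXTPROC entries
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = orcl)(ORACLE_HOME = /u01/app/oracle/product/9.2.0))
  )

# Second listener for EXTPROC: IPC address only, no TCP. Start it from an
# unprivileged OS account (on Unix the listener runs as whoever invokes lsnrctl):
#   lsnrctl start LISTENER_EXTPROC
LISTENER_EXTPROC =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
    )
  )
SID_LIST_LISTENER_EXTPROC =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /u01/app/oracle/product/9.2.0)(PROGRAM = extproc))
  )

# tnsnames.ora: EXTPROC_CONNECTION_DATA points at the IPC key of the EXTPROC
# listener, so the database reaches extproc only through the local IPC endpoint.
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0)))
    (CONNECT_DATA = (SID = PLSExtProc)(PRESENTATION = RO))
  )
```

Before removing the EXTPROC entries from a production listener, check DBA_LIBRARIES for external libraries that still depend on extproc, and verify after the change that the database listener's status output no longer lists the PLSExtProc service.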
Solution
Apply the appropriate patch available at http://metalink.oracle.com.
Check http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf to find the appropriate patch number for the relevant product release.
Appropriate testing and backups should be performed before applying any of these patches.
Vendor Information
Oracle: Oracle Security Alert 57, dated July 23, 2003.
http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf
References
Oracle
http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf
NGSSoftware Ltd.
http://www.nextgenss.com/advisories/ora-extproc.txt
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India