CERT-In Vulnerability Note
Buffer Overflows in EXTPROC of Oracle Database Server
Original Issue Date:July 26, 2003
Severity Rating: LOW
- Oracle9i Release 2
- Oracle9i Release 1
- Oracle8i (8.1.x, all releases)
Oracle provides a method of calling functions outside of the database by creating external procedure servers. This feature extends Oracle's functionality and is very useful. However, if the ability to send commands to these external procedure servers is not properly restricted, anonymous users can gain control of the operating system. A malicious attacker can write an exploit that reaches the underlying operating system calls, giving unauthorized administrative access to the Oracle Database Server.
This flaw in an organization's database server could allow an attacker to execute code on the system. The main concern with this type of attack is that a company insider could gain a higher level of privilege on the server.
The severity is rated low because the process requires the CREATE LIBRARY or CREATE ANY LIBRARY privilege.
An earlier vulnerability in the Oracle package allowed an attacker to force extproc to load any operating system library and execute any function. Oracle fixed this bug by logging attempts to load libraries unless the call came from the local machine. Remote attempts were logged, but this logging introduced a classic stack-based buffer overflow vulnerability. By supplying a long library name, a stack-based buffer is overflowed, overwriting the saved return address on the stack. When the vulnerable procedure returns, control over the process's path of execution can be gained. As this does not require a user ID or password, it must be stressed that this is a critical vulnerability. On Windows platforms Oracle typically runs in the security context of the LOCAL SYSTEM account and, as such, allows for a complete compromise of the server. On Unix-based systems extproc runs as the 'oracle' user. As the 'oracle' user typically is the owner of the software binaries and data files, an attacker exploiting this can completely subvert the integrity of the database software and data.
- Remove EXTPROC functionality if it is not needed by editing the Oracle Net configuration files, including $ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA, located in the Unix directory structure and in its equivalent directory on Windows.
- The following entries should be removed from each of the configuration files, depending upon the OS and the release of the Oracle Database Server installed:
* icache_extproc, or
* PLSExtproc, or
- If the PL/SQL EXTPROC functionality is required, the following steps must be taken in order to protect against the potential security vulnerability identified above.
  a. Create two Oracle Net Listeners, one for the Oracle database and one for PL/SQL EXTPROC. No EXTPROC-specific entries should be specified in the configuration files of the Oracle Listener for the database.
  b. Configure the Oracle Listener for PL/SQL EXTPROC with an IPC protocol address only. If TCP connectivity is required, configure a TCP protocol address, but use a port other than the one the Oracle Listener for the database is using.
  c. Ensure that the Oracle Listener created for PL/SQL EXTPROC runs as an unprivileged OS user (e.g., "nobody" on Unix). On Windows platforms, run the Oracle Net Listener process as an unprivileged user and not as the Windows LOCAL SYSTEM user.
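One way to check a listener.ora against steps a and b above, as an added example that is not part of the CERT-In note or of Oracle's documentation: the script below embeds two constructed configurations (a single TCP listener that also serves the external procedure agent, and the two-listener layout with EXTPROC on IPC only) and reports whether the database listener still carries an extproc SID and whether the EXTPROC listener has any non-IPC address. The listener names, host, ORACLE_HOME and SID values are placeholders; the only assumption about the file format is that top-level keys are written "NAME =" at column 0, as Oracle lays them out.

```shell
#!/bin/sh
# Added example for this note (not Oracle's or CERT-In's code): audit a
# listener.ora for two of the mitigation conditions above. Assumptions:
# top-level keys are written "NAME =" at column 0 (Oracle's usual layout),
# and the listener names, host, ORACLE_HOME and SID values are constructed.

# Constructed weak layout: one TCP listener serving both the database SID
# and the external procedure agent (what the note says to avoid).
WEAK_CONF=$(cat <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))))
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/9.2.0)(PROGRAM = extproc))
    (SID_DESC = (SID_NAME = ORCL)
      (ORACLE_HOME = /u01/app/oracle/product/9.2.0)))
EOF
)

# Constructed hardened layout following steps a and b: the database listener
# has no EXTPROC entry, and a second listener for EXTPROC uses IPC only.
HARDENED_CONF=$(cat <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))))
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = ORCL)
      (ORACLE_HOME = /u01/app/oracle/product/9.2.0)))
EXTPROC_LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))))
SID_LIST_EXTPROC_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/9.2.0)(PROGRAM = extproc)))
EOF
)

# Print the top-level block named $1 from the listener.ora text on stdin:
# from its "NAME =" line up to (not including) the next top-level key.
block_of() {
  awk -v name="$1" '
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
      key = $0; sub(/[ \t]*=.*/, "", key); inblock = (key == name)
    }
    inblock { print }'
}

# Protocols configured for listener $2 in conf text $1 (upper-case, unique).
protocols_of() {
  printf '%s\n' "$1" | block_of "$2" \
    | sed -n 's/.*PROTOCOL[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
    | tr 'a-z' 'A-Z' | sort -u
}

# SID_NAME values under SID_LIST_$2 that name an external procedure agent
# (extproc, PLSExtproc, icache_extproc, with an optional numeric suffix).
extproc_sids_of() {
  printf '%s\n' "$1" | block_of "SID_LIST_$2" \
    | sed -n 's/.*SID_NAME[[:space:]]*=[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' \
    | grep -i -E '^(icache_)?(pls)?extproc[0-9]*$' || true
}

# Return 0 when the database listener ($2) serves no extproc SID and the
# EXTPROC listener ($3) uses IPC addresses only; print one line per finding.
# Step c (running the listener as an unprivileged user) is not a listener.ora
# setting and is not checked here.
audit_conf() {
  rc=0
  leaked=$(extproc_sids_of "$1" "$2")
  if [ -n "$leaked" ]; then
    echo "FAIL: $2 serves external procedure SID(s): $(echo "$leaked" | tr '\n' ' ')"
    rc=1
  fi
  for p in $(protocols_of "$1" "$3"); do
    if [ "$p" != "IPC" ]; then
      echo "FAIL: $3 has a $p address; the EXTPROC listener should be IPC only"
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK: $2 has no extproc SID and $3 is IPC only"
  return "$rc"
}

# Stand-alone run against both constructed configurations.
audit_conf "$WEAK_CONF" LISTENER LISTENER || true
audit_conf "$HARDENED_CONF" LISTENER EXTPROC_LISTENER
```

To run it against a real file, pass the file's contents and the listener names actually configured, for example audit_conf "$(cat $ORACLE_HOME/network/admin/listener.ora)" LISTENER EXTPROC_LISTENER. A site that keeps a TCP address on the EXTPROC listener (the fallback in step b) will see that address reported and can judge whether the port is distinct from the database listener's. Step c is a property of the running process, not of the file, and has to be verified on the host.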
Apply the appropriate patch available at http://metalink.oracle.com.
Check http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf to find the appropriate patch number for the relevant product.
Appropriate testing and backups should be performed before applying any of these patches.
Oracle Security Alert 57, dated July 23, 2003.
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-2436857
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003