From xforce@iss.net Wed Oct 25 14:51:11 2000 From: X-Force Resent-From: mea culpa To: alert@iss.net Resent-To: jericho@attrition.org Date: Wed, 25 Oct 2000 12:23:55 -0400 (EDT) Subject: ISSalert: Internet Security Systems Security Advisory: Vulnerability in the Oracle Listener Program TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- Internet Security Systems Security Advisory October 25, 2000 Vulnerability in the Oracle Listener Program Synopsis: Internet Security Systems (ISS) X-Force has discovered a vulnerability in the listener program in Oracle Enterprise Server. It is possible for a remote attacker to gain access to the Oracle owner operating system account and the Oracle database, and to execute code in various operating systems. Affected Products and Releases: Oracle listener program releases 7.3.4, 8.0.6, and 8.1.6 on all platforms. Description: The Oracle listener program accepts remote commands from remote listener controllers. If configured properly, a password is required to authenticate a user before issuing a listener command. The default Oracle installation does not allow a password for the listener program to be indicated. If a password has not been set, the Oracle listener program can be configured to append log information to a file. Due to a problem with the SET TRC_FILE and SET LOG_FILE commands, these values can be changed to any file name. This allows an attacker to create a new file or corrupt an existing file. The information logged by the listener program can be specified by an attacker by sending a specially formed connect packet to the listener. This logged information can be changed to include commands and escape characters, allowing an attacker to gain access to an operating system account. Recommendations: Oracle recommends that customers download the patches for this vulnerability from Oracle's Worldwide Support Services website http://metalink.oracle.com. Customers can reference generic bug number 1361722 filed against the listener program. Customers will also find a security alert for this issue on the Oracle Technology Network at the following URL: http://otn.oracle.com/deploy/security/alerts.htm ISS SAFEsuite security assessment software, Database Scanner, currently determines if a password is indicated for the listener and how strong the password is. An upcoming release of Database Scanner will be updated to determine if the Oracle patch has been applied. Additional Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-0818 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Credits: This vulnerability was discovered and researched by Ben Layer and Aaron Newman of Internet Security Systems. ISS would like to thank Oracle for their response and handling of this vulnerability About Internet Security Systems (ISS) Internet Security Systems (ISS) (NASDAQ: ISSX) is the leading global provider of security management solutions for the Internet. By combining best of breed products, security management services, aggressive research and development, and comprehensive educational and consulting services, ISS is the trusted security advisor for thousands of organizations around the world looking to protect their mission critical information and networks. Copyright (c) 2000 Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBOfb6vzRfJiV99eG9AQGPKQP/Qph7vRRg5Efk0vXyq5XQIrg40Iuy8uBf t5dHjxSR/X0fihr3MOaTyf82IoIn+FF/5f4ltOGBSHZj9b7C+IeFIONf0SOwiuoo z8oxKvc+pKj9IPcQSG1qKArspsYJDDpTf2t4o9u3m1/pOQ+wJ/trbYJ7ugi3/9Yc pZy+SLut1Z0= =0/aS -----END PGP SIGNATURE-----