ISS X-Force Database: oracle-plsql-remote-access(8089): Oracle PL/SQL external procedure could allow execution of any library function

Oracle PL/SQL external procedure could allow execution of any library function

oracle-plsql-remote-access (8089)

High Risk

Description:

Oracle database servers could allow a remote attacker to gain unauthorized access to the server, caused by a failure to implement any type of authentication when a PL/SQL package is required to run an external procedure. When a PL/SQL package is required to run an external procedure, the Oracle Listener loads the relevant library into a new process space - either extproc for Unix or extproc.exe for Windows. The Oracle database then connects to this process using named pipes. This vulnerability could allow a remote attacker to act as an Oracle process and execute any function in any library on the system and pass arbitrary system commands as parameters to these functions, which would be executed on Unix systems with Oracle user privileges or on Windows systems with SYSTEM privileges.

Platforms Affected:

Oracle, Database Server 8.0.1
Oracle, Database Server 8.0.2
Oracle, Database Server 8.0.3
Oracle, Database Server 8.0.4
Oracle, Database Server 8.0.5
Oracle, Database Server 8.0.5.0.0 Enterprise
Oracle, Database Server 8.0.5.1
Oracle, Database Server 8.0.6
Oracle, Database Server 8.0.6.0.0 Enterprise
Oracle, Database Server 8.0.6.0.1 Enterprise
Oracle, Database Server 8.1.5
Oracle, Database Server 8.1.5.0.0 Enterprise
Oracle, Database Server 8.1.5.0.2 Enterprise
Oracle, Database Server 8.1.5.1.0 Enterprise
Oracle, Database Server 8.1.6
Oracle, Database Server 8.1.6.0.0 Enterprise
Oracle, Database Server 8.1.6.1.0 Enterprise
Oracle, Database Server 8.1.7
Oracle, Database Server 8.1.7.0.0 Enterprise
Oracle, Database Server 8.1.7.0.0
Oracle, Database Server 8.1.7.1
Oracle, Database Server 8.1.7.1.0 Enterprise
Oracle, Database Server 8.1.7.4
Oracle, Database Server 9.0
Oracle, Database Server 9.0.1

Remedy:

No remedy available as of September 13, 2008.

Consequences:

Gain Access

References:

CERT Advisory CA-2002-08, Multiple vulnerabilities in Oracle Servers at http://www.cert.org/advisories/CA-2002-08.html.
CIAC Information Bulletin M-047, Oracle PL/SQL EXTPROC Database Vulnerability at http://www.ciac.org/ciac/bulletins/m-047.shtml.
NGSSoftware Insight Security Research Advisory #NISR06022002A, Oracle Remote Compromise at http://www.nextgenss.com/advisories/oraplsextproc.txt.
Oracle Security Alert #29, Oracle PL/SQL EXTPROC in Oracle9i Database at http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf.
BID-4033: Oracle TNS Listener Arbitrary Library Call Execution Vulnerability
CVE-2002-0567: Oracle 8i and 9i with PL/SQL package for External Procedures (EXTPROC) allows remote attackers to bypass authentication and execute arbitrary functions by using the TNS Listener to directly connect to the EXTPROC process.
US-CERT VU#180147: Oracle 9i Database Server PL/SQL module allows remote command execution without authentication

Reported:

Feb 06, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page