Oracle Listener control utility (LSNRCTL) format string

oracle-lsnrctl-format-string (9832) The risk level is classified as HighHigh Risk

Description:

Oracle9i Database Server and Oracle8i Database Server are vulnerable to a format string attack. A remote attacker could modify the listener.ora Oracle Net Listener configuration file to contain a malicious format string or supply a malicious format string directly to the Oracle Net Listener control utility (LSNRCTL) to cause the LSNRCTL utility to crash or execute code on the system. An attacker could use this vulnerability to gain complete control over the Oracle DBA's system.

Platforms Affected:

  • Oracle, Database Server 7.3.4
  • Oracle, Database Server 8.1.5
  • Oracle, Database Server 8.1.6
  • Oracle, Database Server 8.1.7
  • Oracle, Database Server 8.1.7.1
  • Oracle, Database Server 8.1.7.4
  • Oracle, Database Server 9.0.1.1 R1
  • Oracle, Database Server 9.0.1.2 R1
  • Oracle, Database Server 9.0.1.3 R1
  • Oracle, Database Server 9.2 R2
  • Oracle, Database Server 9.2.0.1 R2

Remedy:

Apply the appropriate patch for your system or follow the suggested workaround, as listed in Oracle Security Alert #40. See References.

Consequences:

Gain Access

References:

  • NGSSoftware Insight Security Research Advisory #NISR14082002, Oracle Listener Control Format Strings at http://www.ngssoftware.com/advisories/ora-lsnrfmtstr.txt.
  • Oracle Security Alert #40, Oracle Net Listener Vulnerabilities at http://otn.oracle.com/deploy/security/pdf/2002alert40rev1.pdf.
  • BID-5460: Oracle Net Listener Format String Vulnerability
  • CVE-2002-0857: Format string vulnerabilities in Oracle Listener Control utility (lsnrctl) for Oracle 9.2 and 9.0, 8.1, and 7.3.4, allow remote attackers to execute arbitrary code on the Oracle DBA system by placing format strings into certain entries in the listener.ora configuration file.
  • SECTRACK ID: 1005037: Oracle 9i Database Input Validation Bugs in the Oracle Net Listener Lets Remote Authenticated Users Crash the Listener, Denying Service to Database Users
  • US-CERT VU#301059: Oracle TNS Listener Control Utility (LSNRCTL) contains format string vulnerability

Reported:

Aug 14, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page