__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Center
__________________________________________________________

                       INFORMATION BULLETIN

             Oracle PL/SQL EXTPROC Database Vulnerability
                     [Oracle Security Alert #29]

February 27, 2002 20:00 GMT                                        Number M-047
______________________________________________________________________________
PROBLEM:       It is possible for an attacker to fool the Oracle database
               server into loading arbitrary libraries and executing
               arbitrary functions without ever having to authenticate.
PLATFORM:      Platforms: All Unix, Linux, and Windows
               Oracle Database: Oracle9i, Oracle8i, and Oracle8
DAMAGE:        Remote users can execute arbitrary code with privileges of
               the user running Oracle.
SOLUTION:      Apply workaround as prescribed below by Oracle.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote user can execute arbitrary code.
ASSESSMENT:
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-047.shtml
 ORIGINAL BULLETIN:  http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf
______________________________________________________________________________

[***** Start Oracle Security Alert #29 *****]

Oracle Security Alert #29
Dated: 06 February 2002

Oracle PL/SQL EXTPROC in Oracle9i Database

Description

There is a potential security vulnerability in the Oracle PL/SQL package for
External Procedures (EXTPROC) in Oracle9i Database. The EXTPROC functionality
is installed by default in the Oracle Database installation if the "Typical
Installation" option is chosen from the Oracle Universal Installer Menu.
EXTPROC is used by Oracle's PL/SQL package to make calls to the operating
system.
Utilizing an Oracle Listener configured with a TCP protocol address, a
knowledgeable and malicious user can write an exploit that connects to an
Oracle Database server's EXTPROC OS process without having to authenticate
himself. As such, he will be able to make arbitrary calls to the underlying
OS and potentially gain unauthorized administrative access to the machine
hosting the Oracle Database server.

Products affected

Oracle Database (Oracle9i, Oracle8i, Oracle8)

Platforms affected

All (Unix, Linux, Windows)

Workarounds

Use the following workarounds for all releases of the Oracle Database server.

If the PL/SQL EXTPROC functionality is not required, it is recommended that it
be removed from the machine hosting the Oracle Database server. Edit both
$ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA (located in a Unix directory structure
and its equivalent directory in Windows) and
$ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA (located in a Unix directory structure
and its equivalent directory in Windows) and remove one of the following
entries from each of the configuration files, depending upon the OS and the
release of the Oracle Database server installed:

   * icache_extproc, or
   * PLSExtproc, or
   * extproc

Also, delete the "extproc" executable from the machine hosting the Oracle
Database server.

If the PL/SQL EXTPROC functionality is required in your Oracle installation,
there are 5 steps that must be taken in order to protect against the potential
security vulnerability identified above.

i.   Create 2 Oracle Net Listeners, one for the Oracle database and one for
     PL/SQL EXTPROC. Do not specify any EXTPROC specific entries in the
     configuration files of the Oracle Listener for the database. Configure
     the Oracle Listener for PL/SQL EXTPROC with an IPC protocol address
     only. If TCP connectivity is required, configure a TCP protocol address,
     but use a port other than the one the Oracle Listener for the database
     is using.
     Ensure that the Oracle Listener created for PL/SQL EXTPROC runs as an
     unprivileged OS user (e.g., "nobody" on Unix). On Windows platforms, run
     the Oracle Net Listener process as an unprivileged user and not as the
     Windows LOCAL SYSTEM user. Give this user the OS privilege to "Logon as
     a service."

ii.  If you have configured the Oracle Listener for PL/SQL EXTPROC with a TCP
     protocol address, modify the EXTPROC specific entry in
     $ORACLE_HOME/NETWORK/ADMIN/TNSNAMES.ORA to reflect the correct port for
     the new Oracle Listener.

iii. If you have configured the Listener for PL/SQL EXTPROC with a TCP
     protocol address, ensure that the connections to this Oracle Listener
     can only originate from the hosts that need access to EXTPROC by doing
     the following.

     Use an Oracle Net feature called "valid node checking" to allow or deny
     access to Oracle server processes from network clients with specified IP
     addresses. Set the following parameters in
     $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA
     ($ORACLE_HOME/NETWORK/ADMIN/PROTOCOL.ORA in Oracle8i and prior releases)
     to enable the valid node checking feature:

        tcp.validnode_checking = YES
        tcp.invited_nodes = {list of IP addresses}
        tcp.excluded_nodes = {list of IP addresses}

     The first parameter turns on the valid node checking feature. The latter
     two parameters respectively specify the IP addresses that are permitted
     to make network connections or denied from making network connections
     to the Oracle server processes.

     Restrict access to the Oracle Listener for PL/SQL EXTPROC only. A
     separate $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA file is required for this
     Oracle Listener. You can store this file in any directory other than the
     one in which the database LISTENER.ORA and SQLNET.ORA files are located.
     Copy the LISTENER.ORA with the configuration of the Oracle Listener for
     PL/SQL EXTPROC into this other directory as well.
     Before starting the Oracle Listener for PL/SQL EXTPROC, set the
     TNS_ADMIN environment variable (or Windows Registry parameter) to
     specify the directory in which the new configuration files for PL/SQL
     EXTPROC are stored.

iv.  Ensure that the file permissions on separate
     $ORACLE_HOME/NETWORK/ADMIN/LISTENER.ORA are set at either 640 or 644.

v.   Change the password for any privileged database account or an ordinary
     user given administrative privileges in the database that has the
     ability to add packages or libraries and access system privileges in
     the database (such as CREATE ANY LIBRARY) to a strong, meaningful
     password, different from the default that is provided during the
     initial installation of Oracle. Lock and expire all other accounts that
     are not being used in the database. Read Section 2 of the "Oracle9i
     Security Checklist" available on OTN at
     http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf
     for details.

Patch Information

A solution to the potential security vulnerability identified above is being
worked upon and will be available by default in a future release of Oracle9i
Database. Check the Oracle Security Alerts web page on OTN at
http://otn.oracle.com/deploy/security/alerts.htm periodically for an update
regarding the availability of this solution. All other releases of the Oracle
Database (up to Oracle9i, Release 9.0.1.x) must continue to use the workaround
provided above.

Credits

Oracle Corporation thanks David Litchfield of Next Generation Security
Software Limited for discovering and promptly bringing this potential security
vulnerability to Oracle's attention.

[***** End Oracle Security Alert #29 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Oracle Corporation and
NGSSoftware Ltd. for the information contained in this bulletin.
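The following audit script is an added example and is not part of the CIAC bulletin or Oracle's alert. It checks a separate TNS_ADMIN directory for the EXTPROC listener against three of the workaround conditions above (IPC-only address, valid node checking enabled, LISTENER.ORA mode 640 or 644); the directory layout, file names and sample configuration contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Audit script (added example, not from CIAC or Oracle) for the separate
# PL/SQL EXTPROC listener configuration described in the workaround above.
# Assumes the TNS_ADMIN directory given to audit_dir holds LISTENER.ORA and
# SQLNET.ORA (hypothetical layout) and checks: IPC-only address, valid node
# checking enabled with an invited-node list, and listener file mode 640/644.

# Returns 0 if no TCP protocol address appears in the listener file (IPC only).
extproc_ipc_only() {
    ! grep -qi 'PROTOCOL *= *TCP' "$1"
}

# Returns 0 if valid node checking is on and an invited-node list is present.
validnode_checking_on() {
    grep -qi 'tcp\.validnode_checking *= *YES' "$1" &&
        grep -qi 'tcp\.invited_nodes *=' "$1"
}

# Returns 0 if the file mode is exactly 640 or 644 (GNU stat assumed).
perm_ok() {
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "640" ] || [ "$mode" = "644" ]
}

# Runs every check on one directory; prints each failure, returns 1 on any.
audit_dir() {
    dir=$1; rc=0
    extproc_ipc_only "$dir/LISTENER.ORA" || { echo "$dir: TCP address in LISTENER.ORA"; rc=1; }
    validnode_checking_on "$dir/SQLNET.ORA" || { echo "$dir: valid node checking off"; rc=1; }
    perm_ok "$dir/LISTENER.ORA" || { echo "$dir: LISTENER.ORA mode not 640/644"; rc=1; }
    return $rc
}

# Constructed sample data: a hardened ("good") and a weak ("bad") directory.
make_samples() {
    mkdir -p "$1/good" "$1/bad"
    printf 'LISTENER_EXTPROC =\n  (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC)))\n' > "$1/good/LISTENER.ORA"
    printf 'tcp.validnode_checking = YES\ntcp.invited_nodes = (192.0.2.10)\n' > "$1/good/SQLNET.ORA"
    chmod 640 "$1/good/LISTENER.ORA"
    printf 'LISTENER_EXTPROC =\n  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1521)))\n' > "$1/bad/LISTENER.ORA"
    printf '# valid node checking not configured\n' > "$1/bad/SQLNET.ORA"
    chmod 664 "$1/bad/LISTENER.ORA"
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
audit_dir "$SAMPLE_DIR/good" && echo "good: all checks passed"
audit_dir "$SAMPLE_DIR/bad" || echo "bad: findings reported (expected)"
```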
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security incident
response team for the U.S. Department of Energy (DOE) and the emergency backup
response team for the National Institutes of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore, California. CIAC is
also a founding member of FIRST, the Forum of Incident Response and Security
Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-036: Microsoft Windows NT/2000 Trust Domain Vulnerability
M-037: Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module
M-038: Cisco Secure Access Control Server NDS User Authentication Vulnerability
M-039: Microsoft Telnet Server Buffer Overflow Vulnerability
M-040: MS Exchange - Incorrectly Sets Remote Registry Permissions
M-041: Microsoft Internet Explorer Cumulative Patch
M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP
M-043: Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability
M-044: SQL Server Remote Data Source Function Contain Unchecked Buffers
M-046: Red Hat "ncurses" Vulnerability