Besides connection requests, the TNS listener also accepts control commands (the ones lsnrctl sends, such as STATUS, VERSION and STOP) that view or change the listener's own status and configuration. A listener password can restrict some of these commands to authenticated users, but others are accepted from any client that can reach the listener port.
The listener can also arrange for functions in operating-system shared libraries to be called on behalf of the database (PL/SQL external procedures). It hands such a request to a separate process, External Procedures (EXTPROC), which loads the library and calls the function. The listener and EXTPROC normally communicate over a named pipe, an inter-process communication mechanism that is local to the system; the listener relies on that locality rather than on authenticating the caller (see the EXTPROC entry below).
6/25/02
A stack-based buffer overflow in the listener's handling of the SERVICE_NAME parameter of a connect request lets a remote attacker overwrite the saved return address and take control of the listener process by sending a long, specially crafted SERVICE_NAME value. Because the overflow is in connect-request parsing rather than in command processing, a listener password offers no protection; only the patch or network-level filtering does.
Oracle 9.0.x on Windows and VMS, and Oracle 8.0.6.x on VMS, are affected by this vulnerability.
2/19/02
CVE-2002-0567
The Oracle listener does not require any authentication from entities requesting a library function call. An attacker can therefore claim to be an Oracle process and have EXTPROC load a library and call a function such as system(), which allows execution of arbitrary operating-system commands. The function runs inside the EXTPROC process, which the listener spawns and which therefore carries the listener's own privileges. Furthermore, the listener can be made to connect the requester to EXTPROC over a TCP socket instead of the local named pipe, so the vulnerability can be exploited remotely over a TCP connection.
Oracle 8 and 9 on any platform are affected by this vulnerability.
7/19/01
CAN-2001-0499 (now CVE-2001-0499)
A buffer overflow in the listener's processing of commands could allow an attacker to execute arbitrary code on the server by sending a command with a very long argument. Because some commands never require authentication, the vulnerability can be exploited remotely without a listener password. On a Windows or Unix server it could allow an attacker to execute commands on the underlying operating system with the privileges of the TNS listener service, which by default is LocalSystem on Windows and the oracle account on Unix.
Any unpatched system running Oracle 8i with the TNS listener service enabled is affected by this vulnerability.
If the patches cannot be applied immediately, exposure can be reduced by filtering TCP port 1521 (and any other port the listener is configured on) at the network perimeter and by using the Valid Node Checking feature to restrict which hosts may connect to the listener. To use Valid Node Checking, enable it in $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA (or $ORACLE_HOME/NETWORK/ADMIN/PROTOCOL.ORA in Oracle 8i; the paths are lowercase on Unix), list the IP addresses to allow and deny, and restart the listener so that it reads the new settings. The check applies only to TCP connections, and when tcp.invited_nodes is set only the listed hosts are accepted, so tcp.excluded_nodes is redundant in that case. Neither measure protects against an attacker on an allowed host. For example, to allow 192.168.255.1 and deny 192.168.255.2 and 192.168.255.3, add the following lines:
tcp.validnode_checking = YES
tcp.invited_nodes = (192.168.255.1)
tcp.excluded_nodes = (192.168.255.2, 192.168.255.3)
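As an added example, not part of the original advisory and not Oracle's or NGSSoftware's code, the following Python script applies the concerns above to a listener.log: it parses Oracle's (KEY=VALUE) connect-data notation, applies the invited/excluded node policy from the sqlnet.ora fragment, flags oversized SERVICE_NAME values, flags the external-procedure service (the conventional PLSExtProc SID) arriving over TCP rather than IPC, and lists listener commands, which the log records without a source address. The log lines are constructed for the example; the listener.log field layout and the precedence of tcp.invited_nodes over tcp.excluded_nodes are assumptions stated in the comments.

```python
"""Audit Oracle listener.log entries for the conditions described above.

Added example: not Oracle's, NGSSoftware's or the advisory's own code.
Assumed listener.log layout (fields separated by " * "):
    <timestamp> * <connect data> * [<address> *] <action> * [<service> *] <rc>
The lines in SAMPLE_LOG are constructed for this example.
"""


def parse_nv(s, i=0):
    """Recursive-descent parser for Oracle's (KEY=VALUE) name-value notation.

    Returns (key, value, next_index); value is a str for a leaf such as
    (HOST=ws1) or a list of (key, value) pairs for a nested group such as
    (CID=(PROGRAM=sqlplus)(HOST=ws1)).
    """
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    eq = s.index("=", i)
    key = s[i + 1:eq]
    i = eq + 1
    if i < len(s) and s[i] == "(":          # nested group of pairs
        children = []
        while i < len(s) and s[i] == "(":
            k, v, i = parse_nv(s, i)
            children.append((k, v))
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated group for %s" % key)
        return key, children, i + 1
    close = s.index(")", i)                  # leaf value (may be empty)
    return key, s[i:close], close + 1


def find(tree, key):
    """Depth-first search for the first value stored under `key`."""
    if isinstance(tree, str):
        return None
    for k, v in tree:
        if k == key:
            return v
        hit = find(v, key)
        if hit is not None:
            return hit
    return None


def node_allowed(host, invited, excluded):
    """Mirror tcp.validnode_checking: with invited_nodes set only those hosts
    pass (assumed to take precedence over excluded_nodes); otherwise every
    host not in excluded_nodes passes."""
    if invited:
        return host in invited
    return host not in excluded


def audit(log_text, invited=(), excluded=(), max_service_name=64):
    """Return (timestamp, tag, detail) findings for each suspicious entry."""
    findings = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(" * ")]
        if len(fields) < 3:
            continue
        ts = fields[0]
        trees = {}
        for f in fields[1:]:
            if f.startswith("("):
                key, value, _ = parse_nv(f)
                trees[key] = value
        cd, addr = trees.get("CONNECT_DATA", []), trees.get("ADDRESS", [])
        host = find(addr, "HOST")
        proto = (find(addr, "PROTOCOL") or "").lower()

        # Listener control commands: some need no password, and the log
        # carries no source address for them, so each one deserves a look.
        cmd = find(cd, "COMMAND")
        if cmd is not None:
            findings.append((ts, "command", "listener command %r, source not logged" % cmd))

        # Valid node checking governs TCP only; IPC (named pipe) is local.
        if proto == "tcp" and host and not node_allowed(host, invited, excluded):
            findings.append((ts, "node", "TCP connection from %s outside the node policy" % host))

        # Oversized SERVICE_NAME: the overflow vector from the 6/25/02 entry.
        svc = find(cd, "SERVICE_NAME")
        if isinstance(svc, str) and len(svc) > max_service_name:
            findings.append((ts, "long_service_name",
                             "%d-byte SERVICE_NAME from %s" % (len(svc), host or "unknown")))

        # EXTPROC service (default SID PLSExtProc) should only arrive over IPC.
        target = svc if isinstance(svc, str) else find(cd, "SID") or ""
        if target.upper() == "PLSEXTPROC" and proto == "tcp":
            findings.append((ts, "extproc_tcp", "EXTPROC requested over TCP from %s" % host))
    return findings


INVITED = {"192.168.255.1"}                      # from the sqlnet.ora example
EXCLUDED = {"192.168.255.2", "192.168.255.3"}
LONG_NAME = "A" * 200                            # far longer than any real service name

SAMPLE_LOG = "\n".join([  # constructed sample lines
    "25-JUN-2002 10:01:02 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=ws1)(USER=scott))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.255.1)(PORT=1040)) * establish * orcl * 0",
    "25-JUN-2002 10:02:15 * (CONNECT_DATA=(SERVICE_NAME=%s)(CID=(PROGRAM=)(HOST=x)(USER=x))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.255.2)(PORT=40001)) * establish * %s * 12514" % (LONG_NAME, LONG_NAME),
    "25-JUN-2002 10:03:40 * (CONNECT_DATA=(SID=PLSExtProc)(CID=(PROGRAM=)(HOST=x)(USER=x))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.255.3)(PORT=40002)) * establish * PLSExtProc * 0",
    "25-JUN-2002 10:04:01 * (CONNECT_DATA=(SID=PLSExtProc)(CID=(PROGRAM=extproc)(HOST=dbhost)(USER=oracle))) * (ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)) * establish * PLSExtProc * 0",
    "25-JUN-2002 10:05:30 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=x)(USER=x))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=135290880)) * status * 0",
])

if __name__ == "__main__":
    for ts, tag, detail in audit(SAMPLE_LOG, INVITED, EXCLUDED):
        print(ts, tag, detail)
```

Run against a real listener.log, the script reports the same five findings for the sample: the two excluded hosts, the 200-byte SERVICE_NAME, the PLSExtProc request over TCP, and the unattributed STATUS command; the legitimate connection from the invited host and the local IPC EXTPROC call produce nothing. The HOST inside CID is client-supplied and is deliberately not used for the node decision.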
For more information about the SERVICE_NAME buffer overflow, see Oracle Security Alert #34 and NGSSoftware Advisory #NISR12062002A.
For more information about the EXTPROC vulnerability, see Oracle Security Alert #29 and NGSSoftware Advisory #NISR06022002A.
For more information about the command-argument buffer overflow (CAN-2001-0499), see CERT Advisory CA-2001-16 and the COVERT Labs Security Advisory.