Oracle TNS Listener

Updated 8/13/02
CAN 2001-0499
CVE 2002-0567
CVE 2002-0856

Impact

A remote user could create a denial of service or execute arbitrary commands on the underlying operating system with LocalSystem privileges on a Windows system or oracle privileges on a Unix system.

Background

The Transparent Network Substrate (TNS) listener, also known as the SQL*NET listener, is a service which establishes and maintains connections with Oracle database services. When it receives a request from a client, the TNS listener establishes a connection between the client and server over a transparent network substrate, which allows communication regardless of the network protocol being used by either system. For example, a client which uses IPX could communicate with a server using TCP/IP over the transparent network substrate.

In addition to requests for connections, the TNS listener also recognizes a number of commands which can be used to view or change status or configuration information about the listener itself. Some of these commands can be restricted such that they can only be used by authenticated users, but others cannot.

One capability of the Oracle TNS listener is the ability to call functions from libraries on the operating system. The listener communicates with another process, called External Procedures (EXTPROC), which is responsible for loading the library and calling the function. The listener communicates with EXTPROC using a named pipe, which is an inter-process communication mechanism which is local to the system.

The Problem

8/13/02
CVE 2002-0856
A flaw in the debugging mechanism in Oracle 9i could allow a remote attacker to crash the SQL*NET listener by sending it a specially crafted request. After a successful attack, the listener does not respond to any requests until it is manually restarted. Oracle 9.0.x and 9.2 on all platforms are affected by this vulnerability.

6/25/02
Due to a buffer overflow condition, a remote attacker could overwrite the saved return address and take control of the process execution by sending a long, specially crafted SERVICE_NAME parameter to the TNS Listener. Oracle 9.0.x on Windows or VM platforms, and Oracle 8.0.6.x on VM platforms are affected by this vulnerability.

2/19/02
CVE 2002-0567
The Oracle listener does not require any authentication from entities requesting a library function call. Therefore, an attacker can claim to be an Oracle process and call a function such as system() which allows the execution of arbitrary system commands. Furthermore, it is possible to force the listener to communicate with the EXTPROC process using sockets instead of named pipes, thus allowing the vulnerability to be exploited remotely over a TCP connection.

Oracle 8 and 9 on any platform are affected by this vulnerability.

7/19/01
CAN 2001-0499
A buffer overflow condition in the processing of commands could allow an attacker to execute arbitrary code on the server by sending a command with a very long argument. Since some commands never require authentication, this vulnerability can be exploited remotely. On a Windows or Unix server, the vulnerability could allow an attacker to execute commands on the underlying operating system with the privileges of the TNS listener service, which by default is LocalSystem on Windows and oracle on Unix.

Any system running Oracle 8i with the TNS listener service enabled which has not been patched is affected by this vulnerability.
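Both the SERVICE_NAME overflow (6/25/02) and the long command argument overflow (7/19/01) above are triggered by an oversized value inside the parenthesised keyword=value descriptor that TNS clients send. The following Python is an added example, not code from the advisory or from Oracle: it parses such a descriptor into a tree and reports any leaf value longer than a size limit, which is a simple heuristic a proxy or log-review script can apply to connect strings. The 256-character limit and the sample descriptors are constructed for illustration; the limit is not the length at which either overflow occurs.

```python
"""Heuristic check for oversized values in TNS connect descriptors.

Added example (not from the advisory). A descriptor looks like
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1)(PORT=1521))
             (CONNECT_DATA=(SERVICE_NAME=orcl)))
Keys may repeat, so the tree is a list of (key, value) pairs rather
than a dict. The length limit is an assumed, tunable value.
"""
from typing import List, Tuple, Union

Node = Union[str, List[Tuple[str, "Node"]]]  # leaf string or nested entries


def parse_descriptor(text: str) -> List[Tuple[str, Node]]:
    """Recursive-descent parse of a parenthesised keyword=value descriptor."""
    pos = 0

    def skip_ws() -> None:
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_entries() -> List[Tuple[str, Node]]:
        nonlocal pos
        items: List[Tuple[str, Node]] = []
        skip_ws()
        while pos < len(text) and text[pos] == "(":
            pos += 1                        # consume '('
            start = pos
            while pos < len(text) and text[pos] not in "=)":
                pos += 1
            key = text[start:pos].strip()
            if pos >= len(text) or text[pos] != "=":
                raise ValueError(f"expected '=' after key {key!r} at offset {pos}")
            pos += 1                        # consume '='
            skip_ws()
            if pos < len(text) and text[pos] == "(":
                value: Node = parse_entries()   # nested entries
            else:
                start = pos
                while pos < len(text) and text[pos] != ")":
                    pos += 1
                value = text[start:pos].strip()  # leaf value
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"unterminated entry {key!r} at offset {pos}")
            pos += 1                        # consume ')'
            items.append((key, value))
            skip_ws()
        return items

    tree = parse_entries()
    skip_ws()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return tree


def oversized_values(tree: List[Tuple[str, Node]], limit: int,
                     path: str = "") -> List[Tuple[str, int]]:
    """Return (dotted.key.path, length) for every leaf longer than limit."""
    findings: List[Tuple[str, int]] = []
    for key, value in tree:
        here = f"{path}.{key}" if path else key
        if isinstance(value, str):
            if len(value) > limit:
                findings.append((here, len(value)))
        else:
            findings.extend(oversized_values(value, limit, here))
    return findings


def check_descriptor(text: str, limit: int = 256) -> List[Tuple[str, int]]:
    """Parse and flag; any key is checked, so a long command argument is
    reported just like a long SERVICE_NAME."""
    return oversized_values(parse_descriptor(text), limit)


# Constructed samples: a normal connect string and one carrying a
# 600-character SERVICE_NAME value.
BENIGN = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1)(PORT=1521))"
          "(CONNECT_DATA=(SERVICE_NAME=orcl)))")
OVERSIZED = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1)(PORT=1521))"
             "(CONNECT_DATA=(SERVICE_NAME=" + "A" * 600 + ")))")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, check_descriptor(sample))
```

Because the walker reports every leaf regardless of key name, it is deliberately noisy; tune the limit per key if legitimate descriptors on your network carry long values (for example long SID lists).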

Resolution

Patches are being made available from OracleMetaLink. The flaw in the debugging mechanism is fixed by patch number 2467947. The buffer overflows in SERVICE_NAME and command processing are fixed by patch numbers 2367681 and 1489683, respectively. Check Oracle Security Alert #29 for the patch number for the EXTPROC vulnerability, or for workaround instructions if the patch is not yet available.

If the patches cannot be applied immediately, the potential for exploitation can be mitigated by filtering TCP port 1521 at the network perimeter and by using the Valid Node Checking feature to restrict access to the listener. To use the Valid Node Checking feature, enable it in $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA (or $ORACLE_HOME/NETWORK/ADMIN/PROTOCOL.ORA in Oracle 8i), and specify which IP addresses to allow and deny. For example, to allow 192.168.255.1 and deny 192.168.255.2 and 192.168.255.3, add the following lines:

tcp.validnode_checking = YES
tcp.invited_nodes = (192.168.255.1)
tcp.excluded_nodes = (192.168.255.2, 192.168.255.3)
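To confirm what a given Valid Node Checking configuration actually admits before relying on it, the following Python is an added example (not from the advisory or from Oracle) that parses sqlnet.ora-style lines such as those above and answers whether a client address would be allowed. It assumes the documented semantics of these parameters: with tcp.validnode_checking not set to YES every node is admitted; when tcp.invited_nodes is present it is an exclusive allow list that takes precedence over tcp.excluded_nodes; otherwise tcp.excluded_nodes is a deny list. Verify that precedence against the Oracle Net reference for your release. Entries are compared as literal strings, so hostnames are not resolved.

```python
"""Evaluate client addresses against Valid Node Checking settings.

Added example, not part of the advisory. Assumed semantics (verify for
your Oracle release): checking off -> allow all; invited list present ->
allow only listed nodes; else excluded list present -> deny listed nodes.
"""
from typing import Dict, List

# Constructed sample mirroring the advisory's workaround lines.
SAMPLE_SQLNET_ORA = """\
# comments start with '#'
tcp.validnode_checking = YES
tcp.invited_nodes = (192.168.255.1)
tcp.excluded_nodes = (192.168.255.2, 192.168.255.3)
"""

# Constructed weak variant: the parameter lists exist but checking is off,
# so they have no effect.
WEAK_SQLNET_ORA = """\
tcp.validnode_checking = NO
tcp.excluded_nodes = (192.168.255.2, 192.168.255.3)
"""


def parse_sqlnet_ora(text: str) -> Dict[str, str]:
    """Return lower-cased parameter names mapped to their raw values."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def parse_node_list(value: str) -> List[str]:
    """Turn '(a, b, c)' into ['a', 'b', 'c']; empty input gives []."""
    inner = value.strip()
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    return [n.strip() for n in inner.split(",") if n.strip()]


def node_allowed(params: Dict[str, str], client: str) -> bool:
    """Decide whether the listener would accept a connection from client."""
    if params.get("tcp.validnode_checking", "NO").upper() != "YES":
        return True                      # feature disabled: everything admitted
    invited = parse_node_list(params.get("tcp.invited_nodes", ""))
    excluded = parse_node_list(params.get("tcp.excluded_nodes", ""))
    if invited:
        return client in invited         # exclusive allow list (assumed precedence)
    if excluded:
        return client not in excluded    # deny list only
    return True


def audit(text: str, clients: List[str]) -> Dict[str, bool]:
    """Map each candidate client address to its allow/deny decision."""
    params = parse_sqlnet_ora(text)
    return {c: node_allowed(params, c) for c in clients}


if __name__ == "__main__":
    probes = ["192.168.255.1", "192.168.255.2", "10.0.0.5"]
    print("workaround:", audit(SAMPLE_SQLNET_ORA, probes))
    print("weak      :", audit(WEAK_SQLNET_ORA, probes))
```

Running the audit against the advisory's lines shows that 10.0.0.5, which appears in neither list, is denied because the invited list is exclusive; the excluded entries are redundant once an invited list exists. The weak variant admits every address, which is the point to check first when reviewing a listener's configuration.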

Where can I read more about this?

For more information about the flaw in the debugging mechanism, see Oracle Security Alert #38.

For more information about the SERVICE_NAME buffer overflow, see Oracle Security Alert #34 and NGSSoftware Advisory #NISR12062002A.

For more information about the EXTPROC vulnerability, see Oracle Security Alert #29 and NGSSoftware Advisory #NISR06022002A.

For more information about the buffer overflow vulnerability, see CERT Advisory 2001-16 and the COVERT Labs Security Advisory.