Oracle vulnerabilities
Updated 2/20/03
CAN 1999-0652
CAN 2001-1216
CAN 2001-1217
CAN 2002-0559
CAN 2002-0562
CAN 2002-0565
CAN 2002-0842
CAN 2003-0095
CAN 2003-0096
Impact
A remote user could execute arbitrary SQL commands, execute
arbitrary operating system commands, or gain
unauthorized access to pages which should be restricted.
Background
The Oracle Internet Application Server (iAS)
integrates the capabilities of the Oracle database and Application
Server into a web-based service which is accessible from an
HTTP browser.
The PL/SQL module allows remote users to call procedures exported
by a PL/SQL package stored in the server. The latest version
of iAS also includes support for Web-based Distributed
Authoring and Versioning (WebDAV), which allows multiple
remote users to edit and manage files on the server.
The Problem
There are several possible vulnerabilities in iAS:
- 2/20/03
CAN 2003-0095
CAN 2003-0096
Multiple buffer overflows and format string vulnerabilities
in Oracle 8 Database version 8.0.6, Oracle 8i Database
version 8.1.7, Oracle 9i Database release 1 and 2, and
Oracle 9i Application Server release 9.0.2 and 9.0.3 could
allow a remote attacker to execute arbitrary commands
on the underlying operating system. Exploitation of most
of these vulnerabilities would require an attacker to know
a valid login and password, but vulnerabilities in the
Database Server authentication process and WebDAV could
be exploited without a login and password.
- 12/27/02
Vulnerabilities in Oracle 9i Application Server could allow
disclosure of Java Server Page (.jsp) files
or the contents of the WEB-INF directory.
This could reveal information which could be useful to an
attacker.
- 2/12/02
CAN 2002-0559
Multiple buffer overflows in the PL/SQL module could allow
a remote attacker to execute arbitrary commands by sending
long, specially crafted input in various HTTP header fields
or form parameters.
- 12/26/01
CAN 2001-1216
A remote attacker could execute arbitrary commands or crash the
service by sending a very long request for a help page. Normally,
a valid login name and password are required to access any pages
under the admin_ directory, but this is not the
case for help pages, allowing exploitation of this vulnerability
without authentication.
- 12/26/01
CAN 2001-1217
By requesting a help file containing character strings which
have been URL encoded twice, it is possible for a remote attacker
to escape from the web root and view arbitrary files on the server.
Oracle iAS is only affected by this vulnerability when running
on Windows platforms.
- 12/27/02
Oracle 9i version 1.0.2.2 for Windows sets file permissions
to Everyone: Full Control by default. These
permissions could allow unauthorized local users to modify
or delete files.
- 2/19/02
CAN 2002-0562
CAN 2002-0565
Whenever a JSP page is requested, Oracle translates,
compiles, and executes the page, creating three temporary files in the _pages
directory in the process.
These temporary files have predictable file names and can be accessed remotely.
Furthermore, these temporary files contain, among other data, the source
code of the original JSP file, which could
reveal user IDs, passwords, and
other sensitive information. Similarly, the globals.jsa file,
if unprotected, could be used by a remote attacker to view sensitive information.
- 12/29/00
If the Portal Listener and modplsql are installed without
changing the default configuration, any user can access
the administrative pages for those services.
- 12/29/00
If public access is granted to PL/SQL procedures
which access an Oracle database, it may be possible to
request from the web server a URL which accesses these procedures.
If this is the case, then unauthorized SQL statements could be
executed on a back-end Oracle database.
Resolution
Upgrade to Oracle 9i Application Server 9.0.3 and Oracle 9i Database Server
9.2.0.3 if possible, and download and install patch number 2602262. If it is
not possible to upgrade, download and install patch numbers 2128936, 2209455,
2602262, 2620726, 2642117, 2642267, and 2642439, and use the workarounds below.
For Oracle 9i Application Server version 1.0.2.2 for Windows,
if NTFS filesystems are in use, allow control of the
Oracle home directory and all of its subdirectories only to the
Administrators group.
To prevent remote users from viewing sensitive information in JSP
pages or the globals.jsa file, enable access controls for the _pages
directory and the globals.jsa file in the JSP sub-application's httpd.conf
file, as described in Oracle Security
Alert #28, item 2.
To enable access control on the Portal Listener and modplsql
services, modify the wdbsvr.app file
on WebDB/Portal so that the administrators variable
is set to one or more users who are allowed administrator level access.
Also, it is a good idea to change the path name which is used
to access the administrative pages, which is /pls/admin_/gateway.htm
by default.
There are two approaches to working around the last vulnerability.
The first is to revoke public access to procedures which can
potentially execute SQL commands, such as OWA, SYS, and DBMS.
For modplsql, a second approach is to deny access to all URLs
except those for procedures which have a legitimate reason to be called through
the web interface. This can be done by modifying the plsql.conf
file. An example of a rule which denies access to all procedures
under the pls directory is the following:
<Location /pls/*/*>
    SetHandler pls_handler
    Order deny,allow
    Deny from all
</Location>
Also, users should download and
install patch 1554571
to Internet Application Server 1.0.2.0. (Later versions will include
the patch.) This patch introduces a new configuration parameter, exclusion_list,
which can be used to prevent special characters from being passed to
mod_plsql.
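The following detection logic is an added example for this page, not Oracle's code or a tool the advisory describes. Run over web server access logs, it re-decodes each request path until it stops changing, so a ".." that only appears after a second decode (the double-encoding traversal of CAN 2001-1217) is caught; it also flags requests to the default /pls/admin_/ path and mod_plsql procedure calls to packages outside a local allow list, the same policy the plsql.conf deny-all rule enforces. The DAD name portal30, the allow-listed package shop and the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote
# Constructed Common Log Format lines for this example; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Dec/2001:10:00:01 +0000] "GET /pls/portal30/help/index.htm HTTP/1.0" 200 512
10.0.0.5 - - [26/Dec/2001:10:00:02 +0000] "GET /pls/portal30/help/%252e%252e/%252e%252e/winnt/win.ini HTTP/1.0" 200 340
10.0.0.7 - - [26/Dec/2001:10:00:03 +0000] "GET /pls/portal30/shop.catalog?item=1 HTTP/1.0" 200 2048
10.0.0.7 - - [26/Dec/2001:10:00:04 +0000] "GET /pls/portal30/owa_util.cellsprint?p_theQuery=x HTTP/1.0" 200 900
10.0.0.9 - - [26/Dec/2001:10:00:05 +0000] "GET /pls/admin_/gateway.htm HTTP/1.0" 200 1400
"""
# Hypothetical allow list: the packages this site legitimately exposes via mod_plsql.
ALLOWED_PACKAGES = {"shop"}
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/', re.M)

def full_decode(s, max_rounds=5):
    """Repeat URL-decoding until the string is stable (%252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        if (d := unquote(s)) == s:
            break
        s = d
    return s

def hidden_traversal(path):
    """True when a '..' segment appears only after a second decode, i.e. it was
    hidden from the server's single-pass decoding and normalisation."""
    once = unquote(path).replace("\\", "/").split("/")
    fully = full_decode(path).replace("\\", "/").split("/")
    return ".." not in once and ".." in fully

def plsql_package(path):
    """Package name of a /pls/<dad>/<package>.<procedure> call, else None."""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "pls" and "." in parts[2]:
        return parts[2].split(".", 1)[0].lower()
    return None

def scan_log(text):
    """Return (ip, target, reason) for each request that matches a rule."""
    findings = []
    for m in REQUEST_RE.finditer(text):
        ip, target = m.group("ip"), m.group("target")
        path = target.split("?", 1)[0]          # ignore the query string
        if hidden_traversal(path):
            findings.append((ip, target, "double-encoded traversal"))
        elif path.startswith("/pls/admin_/"):
            findings.append((ip, target, "default admin path requested"))
        elif (pkg := plsql_package(path)) and pkg not in ALLOWED_PACKAGES:
            findings.append((ip, target, "procedure outside allow list: " + pkg))
    return findings
```

Calling scan_log(SAMPLE_LOG) reports three of the five constructed requests; the plain help page and the allow-listed shop.catalog call pass.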
Where can I read more about this?
For more information see Bugtraq postings 153010, 153186, 155881, and 246663;
CERT Advisories 2002-08 and 2003-05; CIAC Bulletin M-037; NGSSoftware
Advisories #NISR06022002C, #NISR16022003A, #NISR16022003B, #NISR16022003C,
#NISR16022003D, and #NISR16022003E; and Oracle Security Alerts 25, 28, 47, 48,
49, 50, 51, and 52.