{"vuid":"VU#180147","idnumber":"180147","name":"Oracle 9i Database Server PL/SQL module allows remote command execution without authentication","keywords":["Oracle 9i Database Server","PL/SQL module","remote command execution","no authentication","listener","CREATE LIBRARY","system()","exec()","msvcrt.dll","oracle user"],"overview":"Oracle Database Server allows remote users to execute system commands without authenticating.","clean_desc":"Oracle Database Server provides extended functionality through the use of Procedural Language/Structured Query Language (PL/SQL) libraries. PL/SQL includes commands to load arbitrary system libraries and execute any function contained in those libraries. These commands require special user privileges. However, the functions of user authentication and library loading are split among different Oracle processes. As a result, it is possible to load libraries and execute arbitrary functions from them without authenticating. Oracle runs a \"Listener\" process that receives requests from clients and forks separate child processes to handle each request. When the child process runs a PL/SQL library that makes use of other libraries, the child process first checks the user's authentication and privileges to ensure that the libraries should be loaded. Then it sends a request to the Listener process to load libraries. The Listener request forks another process named \"extproc\" (\"extproc.exe\" on Windows), which loads the library and executes functions as requested by the child process. Since the authentication is performed in the child process and not in the Listener, any process masquerading as an Oracle child process can ask the Listener to load any library and execute any command. The Listener assumes that the child process has performed authentication. Furthermore, it is possible to establish connections to the Listener and extproc processes over sockets, allowing remote attackers to exploit this vulnerability. This vulnerability is present in Oracle Database Server version 9i and may be present in other previous versions.","impact":"Remote users can execute arbitrary code with privileges of the user running Oracle, typically username \"oracle\" on Unix systems or the local \"SYSTEM\" user on Windows systems.","resolution":"The CERT/CC is currently unaware of a practical solution to this problem.","workarounds":"1. Install a firewall and restrict access to port 1521 from outside the network. 2. Configure the Oracle Listener to run on a port other than 1521. 3. Remove PLSExtproc and icache_extproc functionality from Oracle if not needed, by deleting relevant lines from the \"tnsnames.ora\" and \"listener.ora\" files. 4. Implement trust node checking by adding the following lines to the \"sqlnet.ora\" file: tcp.validnode_checking = YES\ntcp.invited_nodes = (<comma-delimited list of allowed hostnames or IP addrs>) 5. On Windows, run Oracle processes under a low-privileged user account instead of under the local SYSTEM account.","sysaffected":"","thanks":"Thanks to David Litchfield for reporting this vulnerability.","author":"This document was written by Shawn Van Ittersum.","public":["http://www.securityfocus.com/bid/4033","http://www.oracle.com/","http://www.nextgenss.com/advisories/oraplsextproc.txt","http://otn.oracle.com/deploy/security/alerts.htm"],"cveids":["CVE-2002-0567"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-02-06T21:36:09Z","publicdate":"2002-02-06T00:00:00Z","datefirstpublished":"2002-02-26T23:22:46Z","dateupdated":"2003-07-03T17:15:41Z","revision":16,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"15","cam_impact":"18","cam_easeofexploitation":"10","cam_attackeraccessrequired":"16","cam_scorecurrent":"20.25","cam_scorecurrentwidelyknown":"24.3","cam_scorecurrentwidelyknownexploited":"40.5","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":20.25,"vulnote":null}