{"vuid":"VU#467555","idnumber":"467555","name":"Oracle Application Server contains format string vulnerability","keywords":["Oracle","Application Server","remotely exploitable","format string","PL/SQL module"],"overview":"The CERT/CC is aware of a report about a \"remotely exploitable format string vulnerability in Oracle Application Server\" that could allow an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system.","clean_desc":"Oracle Application Server uses the Apache HTTP Server to provide web services, including access to stored procedures via the Oracle PL/SQL module (modplsql or mod_plsql). The PL/SQL module provides a web-based administration interface to configure Database Access Descriptors (DADs) and cache settings. The CERT/CC is aware of a report of a format string vulnerability in Oracle Application Server. The report implies that the vulnerability exists in the web-based administration interface for the PL/SQL gateway. An attacker may be able to exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable system. Further details about this vulnerability are not presently available, as the reporter (NGSSoftware) has intentionally released limited information in accordance with their disclosure policy. NGSSoftware reports that Oracle9iAS v1.0.2.2 for Windows NT/2000 was tested.","impact":"An unauthenticated remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. The HTTP server used by Oracle Application Server may run as SYSTEM on Windows NT and Windows 2000 systems, in which case attacker-supplied code would run with full system privileges.","resolution":"Apply a Patch: When available, apply the appropriate patch. Oracle typically releases Security Alerts that include patch information.","workarounds":"Restrict Access: The report from NGSSoftware recommends \"ensuring that the administration pages for the PL/SQL module have been protected.\" This implies that the vulnerability lies in the HTML administration interface for the PL/SQL module, which would be similar to a previously announced vulnerability [VU#659043]. In the default configuration, the administration pages are available to anyone who is able to access the web server [VU#611776]. Access to the PL/SQL gateway administration web pages can be restricted by specifying authorized user names and connect strings or an administrative Database Access Descriptor (DAD) in the PL/SQL gateway configuration file, /Apache/modplsql/cfg/wdbsvr.app. For more information, read the section titled Using the PL/SQL Gateway in the Oracle iAS documentation for the Oracle HTTP Server powered by Apache. Disable Unnecessary Services: If this vulnerability is in the PL/SQL HTTP administration interface, it may be possible to disable the HTTP interface and make configuration changes to the PL/SQL module by modifying the configuration file directly. If the PL/SQL gateway is not needed at all, disable the PL/SQL service (modplsql or mod_plsql in Apache). Use Least Privilege: Run Oracle Application Server under a user account with the least privilege possible. Note that this workaround will not prevent exploitation, but may limit the impact of an attack.","sysaffected":"","thanks":"The CERT/CC thanks David Litchfield of NGSSoftware for information used in this document.","author":"This document was written by Art Manion.","public":["http://www.nextgenss.com/vna/ora-ias.txt","http://online.securityfocus.com/bid/4844","http://www.iss.net/security_center/static/10183.php"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-05-29T15:51:46Z","publicdate":"2002-05-27T00:00:00Z","datefirstpublished":"2002-06-04T19:59:53Z","dateupdated":"2003-06-02T19:05:44Z","revision":40,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"16","cam_exploitation":"0","cam_internetinfrastructure":"8","cam_population":"8","cam_impact":"18","cam_easeofexploitation":"8","cam_attackeraccessrequired":"12","cam_scorecurrent":"6.2208","cam_scorecurrentwidelyknown":"7.2576","cam_scorecurrentwidelyknownexploited":"12.4416","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":6.2208,"vulnote":null}
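The note says the attack is a specially crafted HTTP request to the PL/SQL module's administration pages, and that those pages are reachable by anyone who can reach the web server in the default configuration. The following Python is an added example, not part of the CERT/CC note and not code from Oracle or NGSSoftware: it scans Apache access-log lines for requests to the mod_plsql administration interface and for printf-style format directives in the request target, URL-decoding the target first so that a benign `setup%20guide.htm` is not mistaken for a `%g` directive while a `%25n` sent by an attacker is still seen as `%n`. The admin path prefix `/pls/admin_/` is an assumption (the note names no path), and the sample log lines are constructed.

```python
"""
Added example (not from the CERT/CC note, Oracle or NGSSoftware): scan Apache
access-log lines for requests aimed at the mod_plsql administration pages and
for printf-style format directives in the request target.

Assumptions: the administration interface is served under ADMIN_PREFIX (the
note names no path), and the sample log lines below are constructed.
"""
import re
from urllib.parse import unquote

# Assumption: path prefix of the mod_plsql HTTP administration interface.
ADMIN_PREFIX = "/pls/admin_/"

# Apache "common" log format; the request target keeps its query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# One printf conversion: %, optional positional argument, flags, width,
# precision, length modifier, then a conversion character. "%%" does not match.
FMT_DIRECTIVE = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfFgGaAcspn]"
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [27/May/2002:10:12:01 +0000] "GET /pls/admin_/gateway.htm HTTP/1.0" 200 4123
10.0.0.5 - - [27/May/2002:10:12:09 +0000] "GET /pls/admin_/gateway.htm?%25x%25x%25x%25x%25n HTTP/1.0" 500 312
192.168.1.20 - - [27/May/2002:10:13:44 +0000] "GET /pls/portal30/docs/setup%20guide.htm HTTP/1.1" 200 9812
192.168.1.21 - - [27/May/2002:10:15:02 +0000] "POST /pls/admin_/gateway.htm HTTP/1.0" 401 -
10.0.0.7 - - [27/May/2002:10:16:30 +0000] "GET /pls/simpledad/owa_util.signature?%25.2000x%25x%25x%25p HTTP/1.0" 200 771
"""


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def format_directives(target):
    """Return the distinct printf directives found in a request target.

    The target is URL-decoded first, because that is what the module sees:
    an attacker has to send %25n to deliver %n, while a benign "setup%20guide"
    decodes to a space and is not a "%g" directive. unquote() leaves invalid
    escapes such as a bare "%n" untouched, so those are still caught.
    """
    decoded = unquote(target, errors="replace")
    found = []
    for m in FMT_DIRECTIVE.finditer(decoded):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def assess(line):
    """Classify one log line; return a finding dict or None if nothing stands out.

    high:   %n (a write primitive) anywhere, or any directive aimed at the
            administration pages
    medium: directives in a request to some other mod_plsql path
    info:   a request to the administration pages without directives, worth
            recording because those pages are unauthenticated by default
    """
    rec = parse_line(line)
    if rec is None:
        return None
    decoded_target = unquote(rec["target"], errors="replace")
    on_admin = decoded_target.lower().startswith(ADMIN_PREFIX)
    directives = format_directives(rec["target"])
    writes = any(d.endswith("n") for d in directives)
    if writes or (on_admin and directives):
        severity = "high"
    elif directives:
        severity = "medium"
    elif on_admin:
        severity = "info"
    else:
        return None
    return {
        "severity": severity,
        "ip": rec["ip"],
        "method": rec["method"],
        "target": rec["target"],
        "status": rec["status"],
        "admin_page": on_admin,
        "directives": directives,
    }


def scan(lines):
    """Run assess() over an iterable of log lines and keep the findings."""
    return [f for f in (assess(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(f'{finding["severity"]:6} {finding["ip"]:14} '
              f'{finding["method"]} {finding["target"]} -> {finding["directives"]}')
```

Feed real access_log lines to `scan()` instead of `SAMPLE_LOG`; any "info" hit from an address that should not be administering the gateway is itself evidence that the wdbsvr.app restriction the note describes has not been applied, and a "high" hit against an admin page is the pattern the report describes.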