No Authentication in External Procedure Service
February 7, 2002
To determine if you are vulnerable to this attack, download AppDetective
for Oracle from http://www.appsecinc.com/products/appdetective/oracle
For additional details, the official advisories from Oracle Corporation can
be downloaded from:
http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf
Risk level: High
Summary:
Oracle provides a method of calling functions outside the database by
creating external procedure servers. This feature greatly extends Oracle's
functionality and is very useful. However, if the ability to send commands
to these external procedure services is not properly restricted, a remote
attacker who has network access to the listener but no database credentials
can run arbitrary code under the account of the Oracle software owner, and
through it gain control of the operating system and the database.
Background:
External procedures are functions written outside of Oracle that can be
called from within Oracle. External procedures allow functions in C or other
languages to be called from PL/SQL. Several components of Oracle, such as
Oracle interMedia, use the external procedure service to add functionality
to the database.
Oracle provides a special-purpose interface, the call specification (call
spec), through which PL/SQL code calls external procedures. Within the
database, the right to invoke these call specs can be limited with ordinary
object privileges.
When an external procedure is invoked, the database alerts a network
listener process, which in turn starts an external procedure agent, which by
default is named extproc. Using the network connection established by the
listener, the database passes to the external procedure agent the name of
the DLL, the name of the external procedure, and any parameters passed in by
the application. Then, the external procedure agent loads the DLL, runs the
external procedure, and passes back to the application any values returned
by the external procedure.
The agent can reside on the same computer as the database server or on a
remote computer with its own listener. The listener does not authenticate
the party that asks it to spawn extproc, so if the extproc entry is not
secured, an attacker who can reach the listener over the network can connect
to it directly, without a database account, and cause extproc to load an
arbitrary shared library and execute a function in that library under the
security context of the oracle owner.
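As an added illustration of the call specification described above (this is example code written for this page, not code from the advisory or from Oracle; the library path, object names, role and parameters are hypothetical), the following declares an external procedure and shows the three items the database hands to extproc at call time: the shared library, the C symbol, and the parameter list.

```sql
-- Added example, not from the advisory. Declares a hypothetical external
-- procedure so the three items the listener hands to extproc are visible:
-- the shared library, the C symbol, and the parameter list.

-- 1. A library object: an alias for a shared library on the database host.
--    Creating it requires the CREATE LIBRARY (or CREATE ANY LIBRARY) privilege.
CREATE OR REPLACE LIBRARY demo_lib AS '/opt/app/lib/libdemo.so';
/

-- 2. The call spec: a PL/SQL function whose body is really a C function.
--    LIBRARY and NAME are what the database passes to extproc; extproc loads
--    the library and runs the symbol under the oracle software owner's account.
CREATE OR REPLACE FUNCTION demo_add (a IN BINARY_INTEGER, b IN BINARY_INTEGER)
  RETURN BINARY_INTEGER
AS LANGUAGE C
  LIBRARY demo_lib
  NAME "demo_add"
  PARAMETERS (a INT, b INT, RETURN INT);
/

-- 3. Inside the database, invocation is limited with ordinary object
--    privileges: only grantees of the wrapper may call it.
GRANT EXECUTE ON demo_add TO app_role;

-- 4. A call from SQL; the listener spawns extproc, which loads libdemo.so.
SELECT demo_add(2, 3) FROM dual;
```

The privilege check in step 3 is enforced by the database, not by extproc. The agent itself loads whatever library and symbol it is told to, which is why an attacker who talks to the listener directly, bypassing the database entirely, needs no call spec and no database account to reach the same code path.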
Fix:
To alleviate the threat presented by exposing external procedure listeners
to the network, you should perform one of the following tasks:
1. Configure the listener to not accept connections for the External
Procedure server. This is accomplished by editing the entries in the
listener.ora file. Within the listener.ora file, you will find the following
entries.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
      )
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = dev01win2ksvr)(PORT = 1521))
      )
    )
  )
From the section above, remove the entire ADDRESS_LIST entry that contains
the IPC address with KEY = EXTPROC0 (the three lines from that ADDRESS_LIST
to its closing parenthesis), so that only the TCP address remains, and then
reload or restart the listener. The listener will then stop accepting
requests to spawn the extproc program. Note that this also disables
legitimate use of external procedures, including components such as Oracle
interMedia that rely on them, so choose this option only when nothing on the
server needs extproc.
2. Configure the listener used by the extproc to only accept connections
from the database by setting the validnode_checking parameter in the
protocol.ora file to restrict access to an Oracle database based on network
address. The protocol.ora file is located in the network/admin directory
under the ORACLE_HOME directory or in the directory specified by the
TNS_ADMIN environment variable or registry value.
tcp.validnode_checking = YES
tcp.invited_nodes= (webserver.appsecinc.com, 192.168.1.110)
tcp.excluded_nodes= (attackers.com, 144.25.5.25, 234.12.3.12)
The first line enables the feature. tcp.invited_nodes is the list of hosts,
by DNS name or IP address, that are allowed to connect; tcp.excluded_nodes
is the list of hosts that are not allowed to connect to the database. For a
listener dedicated to extproc, the invited list should contain only the
database server itself.
Note that the tcp.invited_nodes parameter takes precedence over the
tcp.excluded_nodes parameter if both lists are present, and that the check
applies to every TCP connection the listener accepts, so a listener that also
serves database clients on port 1521 would need all of those clients in its
invited list.
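The following script is an added example for this page, not a tool from the advisory or from Oracle. It audits the two files that fixes 1 and 2 edit: it flags a listener.ora that still carries an IPC address with an EXTPROC key (fix 1 not applied) and a protocol.ora that does not enable tcp.validnode_checking (fix 2 not applied). The sample configuration files it writes are constructed for the demonstration (the first listener.ora is the one quoted above, the second is the same file with the IPC entry removed, and the hostname in the invited list is a placeholder); on a real host, point the functions at the files under $ORACLE_HOME/network/admin or $TNS_ADMIN.

```shell
#!/bin/sh
# Added example, not part of the original advisory: audits the two files the
# fix above edits. It flags a listener.ora that still carries an IPC address
# with an EXTPROC key (fix 1 not applied) and a protocol.ora that does not turn
# on tcp.validnode_checking (fix 2 not applied). The sample files written by
# write_sample_configs are constructed for the demonstration; on a real host
# point the functions at $ORACLE_HOME/network/admin or $TNS_ADMIN.

# Succeeds (exit 0) when listener.ora ($1) has an IPC address whose KEY begins
# with EXTPROC, i.e. the listener will still spawn the extproc agent on request.
listener_spawns_extproc() {
    grep -Eiq 'PROTOCOL *= *IPC\) *\(KEY *= *EXTPROC' "$1"
}

# Succeeds when protocol.ora ($1) enables valid node checking.
valid_node_checking_on() {
    grep -Eiq '^[[:space:]]*tcp\.validnode_checking[[:space:]]*=[[:space:]]*yes' "$1"
}

# Prints a one-word verdict for a listener.ora ($1) and protocol.ora ($2):
#   DISABLED    the listener no longer spawns extproc (fix 1 applied)
#   RESTRICTED  it does, but only invited nodes may connect (fix 2 applied)
#   EXPOSED     neither fix is in place
audit_extproc() {
    if ! listener_spawns_extproc "$1"; then
        echo DISABLED
    elif [ -f "$2" ] && valid_node_checking_on "$2"; then
        echo RESTRICTED
    else
        echo EXPOSED
    fi
}

# Writes three constructed samples into directory $1: the listener.ora quoted
# in the advisory, the same file with the IPC entry removed, and a protocol.ora
# whose invited list names only the (placeholder) database host.
write_sample_configs() {
    cat > "$1/listener_before.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC0))
      )
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = dev01win2ksvr)(PORT = 1521))
      )
    )
  )
EOF
    cat > "$1/listener_after.ora" <<'EOF'
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = dev01win2ksvr)(PORT = 1521))
      )
    )
  )
EOF
    cat > "$1/protocol.ora" <<'EOF'
tcp.validnode_checking = YES
tcp.invited_nodes = (dbserver.example.com, 192.168.1.110)
EOF
}

# Demonstration run against the constructed samples.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
echo "original listener.ora, no protocol.ora:     $(audit_extproc "$demo_dir/listener_before.ora" "$demo_dir/missing.ora")"
echo "original listener.ora, valid node checking: $(audit_extproc "$demo_dir/listener_before.ora" "$demo_dir/protocol.ora")"
echo "IPC entry removed:                          $(audit_extproc "$demo_dir/listener_after.ora" "$demo_dir/missing.ora")"
rm -rf "$demo_dir"
```

The two grep patterns are deliberately narrow: a listener that names its IPC key something other than EXTPROC*, or a protocol.ora that spells the parameter differently, will not be recognised, so treat a DISABLED or RESTRICTED verdict as a prompt to read the file rather than as proof. The audit also says nothing about whether the invited list is actually limited to the database host, which is the part of fix 2 that has to be checked by hand.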