Oracle extproc local command execution (#NISR23122004C) Dec 23 2004 04:33PM
NGSSoftware Insight Security Research (nisr nextgenss com)

NGSSoftware Insight Security Research Advisory

Name: Oracle 10g/9i extproc local command execution
Systems Affected: Oracle 10g/9i on all operating systems
Severity: Medium Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR23122004C
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004C.txt

The Oracle database server supports PL/SQL, a programming language. PL/SQL
can execute external procedures via extproc. Over the past few years there
has been a number of vulnerabilities in this area:


Extproc is intended only to accept requests from the Oracle database server
but local users can still execute commands bypassing this restriction.

No authentication takes place when extproc is asked to load a library and
execute a function. This allows local users to run commands as the Oracle
user (oracle on unix and system on Windows). If configured properly, under
10g, extproc runs as nobody on *nix systems so the risk posed here is
minimal but still present.

Fix Information
Oracle has responded saying this is "expected behaviour" and they are not
going to fix it. NGSSoftware believes this does pose a security risk.
NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm), can be
used to assess whether your Oracle servers are vulnerable to this.

About NGSSoftware
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security


Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries (at) ngssoftware (dot) com [email concealed]

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus