J-Security Center

Title: Oracle listener Input Validation Vulnerabilities

Severity: MODERATE

Description:

Oracle Enterprise Server ships with a server program called listener used for remote database access. The default configuration of listener, which accepts remote commands from listener controllers, does not require a password for authentication of remote connections.

Due to this condition, unauthorized clients can connect to the listener and send it certain commands. Two such commands are SET TRC_FILE and SET LOG_FILE, which allow the connecting client to tell the listener server which logfiles to use. Unfortunately, the remote client can set these filenames to any file the Oracle user account can write to or create, and have some user-supplied data written to it (e.g., "\n+ +\n"). Furthermore, it is also possible to have escaped shell commands executed due to improper handling of user input when writing to the logfiles.

There are numerous ways to exploit these vulnerabilities to gain local shell access on the host running listener. This can lead to a compromise of root privileges on the host.

Affected Products:

  • Oracle listener 7.3.4
  • Oracle listener 8.0.6
  • Oracle listener 8.1.6
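
The check below is an added example, not part of the advisory and not Oracle code: it audits a listener configuration file for listeners that have no password set, which is the default condition described above. It assumes the configuration lives in `listener.ora` and that a password is set with a `PASSWORDS_<listener_name>` entry; the sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample listener.ora (not taken from the advisory).
SAMPLE = """\
# constructed sample
LISTENER =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1521))
  )
SID_LIST_LISTENER = (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
LISTENER2 = (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1522))
passwords_listener2 = (CONSTRUCTED0123456789)
LOG_FILE_LISTENER = listener.log
"""

ENTRY = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*)$")

def parse_entries(text):
    """Return {NAME: value} for every top-level 'name = value' entry."""
    entries, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = ENTRY.match(line) if depth == 0 else None
        if m:                                      # new top-level parameter
            name = m.group(1).upper()              # names are case-insensitive
            entries[name] = m.group(2)
        elif name:                                 # continuation of a value
            entries[name] += line.strip()
        depth = max(depth + line.count("(") - line.count(")"), 0)
    return entries

def unprotected_listeners(text):
    """Names of listeners that have no non-empty PASSWORDS_<name> entry."""
    entries = parse_entries(text)
    missing = []
    for name, value in entries.items():
        compact = re.sub(r"\s+", "", value).upper()
        if "(ADDRESS" not in compact:              # not a listener definition
            continue
        password = entries.get("PASSWORDS_" + name, "")
        if not password.strip("() \t"):            # absent or empty
            missing.append(name)
    return sorted(missing)

if __name__ == "__main__":
    for listener in unprotected_listeners(SAMPLE):
        print(f"{listener}: no listener password configured")
```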
