SecurityTracker.com
Category:   Application (Database)  >   Oracle Application Server
Vendors:   Oracle
Oracle AS PLSQL Gateway PLSQLExclusion List Bug Lets Remote Users Gain Access to the Target Database
SecurityTracker Alert ID:  1015544
SecurityTracker URL:  http://securitytracker.com/id/1015544
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 25 2006
Impact:   Execution of arbitrary code via network, User access via network


Description:   A vulnerability was reported in the Oracle Application Server in the PLSQL Gateway component. A remote user can gain full access to the backend database server via the web server.

A remote user can bypass the PLSQLExclusion list and gain access to excluded packages and procedures. As a result, the remote user can gain control of the web server and associated backend database server.

The PLSQL Gateway is a component of iAS, OAS, and the Oracle HTTP Server.

The vendor was notified on October 26, 2005. The UK NISCC was notified on November 7, 2005.

Impact:   A remote user can access excluded packages and procedures to potentially gain control of the web server and associated database server.
Solution:   No solution was available at the time of this entry.

NGSSoftware has provided the following unofficial workaround instructions [quoted]:

using mod_rewrite, which is compiled into Oracle's Apache distribution it is possible to stop the attack. The workaround checks a user's web request for the presence of a right facing bracket, ')'.

Add the following four lines to your http.conf file then stop and restart the web server

RewriteEngine on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack
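
The check those rules perform can also be run offline against existing access logs, both to review past requests containing ')' or '%29' and to see which legitimate requests the rules would redirect once enabled. The following Python is an added example, not part of the NGSSoftware workaround or of this advisory; the log lines and the /pls/dad/ paths in it are constructed sample data.

```python
import re

# Pattern copied from the workaround; the rules apply it once to the
# query string (RewriteCond) and once to the URL path (RewriteRule).
BRACKET_PAT = re.compile(r"^.*\).*|.*%29.*$")

# Request line inside a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample data (assumption): not taken from any real server.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jan/2006:10:01:02 +0000] "GET /pls/dad/app.home?name=smith HTTP/1.1" 200 512
192.0.2.11 - - [25/Jan/2006:10:01:05 +0000] "GET /pls/dad/app.report?title=Q4%20(draft) HTTP/1.1" 200 900
192.0.2.12 - - [25/Jan/2006:10:01:09 +0000] "GET /pls/dad/app.search?q=a%29b HTTP/1.1" 200 300
192.0.2.13 - - [25/Jan/2006:10:01:12 +0000] "GET /pls/dad/app.list) HTTP/1.1" 404 210
""".splitlines()


def would_be_denied(target):
    """Return 'query', 'path' or None for a raw request target."""
    path, _, query = target.partition("?")
    if BRACKET_PAT.search(query):
        return "query"
    if BRACKET_PAT.search(path):
        return "path"
    return None


def scan(lines):
    """Return (client, target, where) for each log line the rules would catch."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parsable request line
        where = would_be_denied(m.group("target"))
        if where:
            hits.append((line.split()[0], m.group("target"), where))
    return hits


if __name__ == "__main__":
    for client, target, where in scan(SAMPLE_LOG):
        print(f"{client}  {where:5}  {target}")
```

The second sample line is an ordinary request with a bracket in a parameter value; it is flagged as well, which is the kind of application breakage to look for before enabling the rules.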

Vendor URL:  www.oracle.com/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Workaround for unpatched Oracle PLSQL Gateway flaw

There's a critical flaw in the Oracle PLSQL Gateway, a component of iAS, OAS 
and the Oracle HTTP Server, that allows attackers to bypass the 
PLSQLExclusion list and gain access to "excluded" packages and procedures. 
This can be exploited by an attacker to gain full DBA control of the backend 
database server through the web server.

This flaw was reported to Oracle on the 26th of October 2005. On November 
the 7th NGS alerted NISCC (http://www.niscc.gov.uk) to the problem. It was 
hoped that due to the severity of the problem that Oracle would release a 
fix or a workaround for this in the January 2006 Critical Patch Update. They 
failed to do so.

The workaround is trivial; using mod_rewrite, which is compiled into 
Oracle's Apache distribution it is possible to stop the attack. The 
workaround checks a user's web request for the presence of a right facing 
bracket, ')'.

Add the following four lines to your http.conf file then stop and restart 
the web server

RewriteEngine  on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack

I don't think leaving their customers vulnerable for another 3 months (or 
perhaps even longer) until the next CPU is reasonable especially when this 
bug is so easy to fix and easy to workaround. Again, I urge all Oracle 
customers to get on the 'phone to Oracle and demand the respect you paid 
for.

Cheers,
David Litchfield 

 
 

