Oracle listener Input Validation...

Published: 2000-10-25
Revised: 2025-04-13

Oracle Enterprise Server ships with a server program called listener, used for remote database access. The default configuration of listener, which accepts remote commands from listener controllers, does not require a password to authenticate remote connections. Because of this, unauthorized clients can connect to the listener and send certain commands to it. Two such commands are SET TRC_FILE and SET LOG_FILE, which let the connecting client tell the listener server which log files to use. Unfortunately, the remote client can set these filenames to any file the Oracle user account can write to (or create new files) and have some user-supplied data written to them (e.g., "\n+ +\n"). Furthermore, escaped shell commands can also be executed due to improper handling of user input when writing to the log files. There are numerous ways to exploit these vulnerabilities so that local shell access is gained on the host running listener. This can lead to a compromise of...

No exploit or PoC is currently available.
There are currently 0 affected product entries.