Oracle PL/SQL Apache Module

December 20th, 2001

NGSSoftware Insight Security Research Advisory

Name:             Oracle PL/SQL Apache Module

Systems Affected:     Oracle 9iAS

Platforms:        Sun SPARC Solaris 2.6
                  MS Windows NT/2000 Server
                  HP-UX 11.0/32-bit

Severity:        High Risk

Vendor URL:         http://www.oracle.com/

Author:            David Litchfield (david@nextgenss.com)

Date:            20th December 2001

Advisory number:    #NISR20122001

Description
***********

The web service with Oracle 9iAS is powered by Apache and provides many application environments
with which to offer services from the site. These include SOAP, PL/SQL, XSQL and JSP. Two security
issues exist in the PL/SQL Apache module: one is a buffer overrun vulnerability and the second is a
directory traversal issue. The directory traversal issue affects only Windows NT/2000.

Details
*******

The PL/SQL module exists to allow remote users to call procedures exported by a PL/SQL package
stored in the database server. As part of the functionality offered by the PL/SQL module it is
possible to remotely administer the Database Access Descriptors and from here access help pages.
Normally, access to the /admin_/ pages is restricted and a UserID and password are required; the
help pages, however, do not require them. A buffer overrun vulnerability exists in the module
whereby a request for an overly long help page will cause the overflow, overwriting the saved
return address on the stack. By overwriting this saved return address with an address that contains
a “call esp” or “jmp esp” instruction, a potential attack would land in the user-supplied buffer
and any computer code in the buffer would be executed.

On Windows 2000/NT the Apache process runs in the security context of the SYSTEM account by
default, so any code executed would do so without inhibition and an attacker could gain complete
control over this system remotely.

The second issue relates to a double URL decoding problem that allows attackers to make a special
request for a “help” file and break outside of the web root.
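An added example (not part of the NGSSoftware advisory or of Oracle's patch): a log-review check for the two request patterns described above. It decodes each path until it stops changing, then flags traversal segments and oversized requests under /admin_/. The length threshold, function names and sample paths are constructed assumptions; the advisory does not state them.

```python
from urllib.parse import unquote

ADMIN_PREFIX = "/admin_/"  # default adminPath named in the advisory
MAX_PATH_LEN = 256         # assumed alert threshold; the advisory gives no length

def decode_passes(raw_path, limit=5):
    """Percent-decode until the path stops changing.

    Returns (final_path, number_of_passes_that_changed_it).
    """
    path, passes = raw_path, 0
    while passes < limit:
        decoded = unquote(path)
        if decoded == path:
            break
        path, passes = decoded, passes + 1
    return path, passes

def classify(raw_path):
    """Return the findings for one raw request path taken from an access log."""
    findings = []
    final, passes = decode_passes(raw_path)
    normalised = final.replace("\\", "/")  # Windows accepts both separators
    if passes >= 2:
        findings.append("double-encoded")
    if ".." in normalised.split("/"):
        findings.append("traversal")
    if ADMIN_PREFIX in normalised.lower() and len(raw_path) > MAX_PATH_LEN:
        findings.append("oversized-admin-request")
    return findings

# Constructed sample paths (not taken from the advisory or from real logs).
SAMPLES = [
    "/admin_/help/index.htm",
    "/admin_/help/..%255c..%255cplaceholder.txt",
    "/admin_/help/" + "A" * 600,
    "/docs/a%20b.htm",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample[:60]:<60} {classify(sample)}")
```

Feed it the raw request path as logged; a logger that has already decoded the path once hides the second encoding layer. If adminPath has been changed as suggested under Fix Information, set ADMIN_PREFIX to the new value.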

Fix Information
***************

NGSSoftware alerted Oracle to these problems on the 18th of November, and Oracle responded quickly
with a patch. This patch has been available from the Metalink site (http://metalink.oracle.com)
for over a week and both Oracle and NGSSoftware urge Oracle 9iAS customers to download and install
this patch if they have not already done so. Oracle’s advisory on this issue can be found at
http://otn.oracle.com/deploy/security/pdf/modplsql.pdf.

In addition to applying the patch, it is suggested that the default “/admin_” path be changed to
something else. To do this, edit the “adminPath” entry in the wdbsvr.app file located in the
$ORACLE_HOME$\Apache\modplsql\cfg directory.

A check for these issues has been added to Typhon II, of which more information is available from
the NGSSoftware website, http://www.ngssoftware.com.
