TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net  Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
October 25, 2000

Vulnerability in the Oracle Listener Program

Synopsis:
Internet Security Systems (ISS) X-Force has discovered a vulnerability
in the listener program in Oracle Enterprise Server. It is possible for
a remote attacker to gain access to the Oracle owner operating system
account and the Oracle database, and to execute code in various
operating systems.

Affected Products and Releases:
Oracle listener program releases 7.3.4, 8.0.6, and 8.1.6 on all
platforms.

Description:
The Oracle listener program accepts remote commands from remote listener
controllers. If configured properly, a password is required to
authenticate a user before issuing a listener command. The default
Oracle installation does not allow a password for the listener program
to be indicated. If a password has not been set, the Oracle listener
program can be configured to append log information to a file. Due to a
problem with the SET TRC_FILE and SET LOG_FILE commands, these values
can be changed to any file name. This allows an attacker to create a new
file or corrupt an existing file.

The information logged by the listener program can be specified by an
attacker by sending a specially formed connect packet to the listener.
This logged information can be changed to include commands and escape
characters, allowing an attacker to gain access to an operating system
account.

Recommendations:
Oracle recommends that customers download the patches for this
vulnerability from Oracle's Worldwide Support Services website
http://metalink.oracle.com. Customers can reference generic bug number
1361722 filed against the listener program.      

Customers will also find a security alert for this issue on the Oracle
Technology Network at the following URL:
http://otn.oracle.com/deploy/security/alerts.htm

ISS SAFEsuite security assessment software, Database Scanner, currently
determines if a password is indicated for the listener and how strong
the password is. An upcoming release of Database Scanner will be updated
to determine if the Oracle patch has been applied.

Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2000-0818 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

Credits:
This vulnerability was discovered and researched by Ben Layer and Aaron
Newman of Internet Security Systems. ISS would like to thank Oracle for
their response and handling of this vulnerability

About Internet Security Systems (ISS)
Internet Security Systems (ISS) (NASDAQ: ISSX) is the leading global
provider of security management solutions for the Internet. By combining
best of breed products, security management services, aggressive
research and development, and comprehensive educational and consulting
services, ISS is the trusted security advisor for thousands of
organizations around the world looking to protect their mission critical
information and networks.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOfb6vzRfJiV99eG9AQGPKQP/Qph7vRRg5Efk0vXyq5XQIrg40Iuy8uBf
t5dHjxSR/X0fihr3MOaTyf82IoIn+FF/5f4ltOGBSHZj9b7C+IeFIONf0SOwiuoo
z8oxKvc+pKj9IPcQSG1qKArspsYJDDpTf2t4o9u3m1/pOQ+wJ/trbYJ7ugi3/9Yc
pZy+SLut1Z0=
=0/aS
-----END PGP SIGNATURE-----