- Threat ID
- Threat Date
- Threat Name
- TNS packet leaking
- CVE Reference
- CCE Reference
- Database Type
- No Application Type
- Oracle8 and Oracle 8i
- A bug in the listener service allows malformed listener commands to return commands submitted previously by other users. By viewing other users' commands, an attacker can gain information such as usernames or even the listener password.
- Commands run on the listener service can be leaked to other users. This allows an anonymous user to query a listener for previous statements which may contain sensitive info such as:
- the listener password
- client addresses
This attack works by sending a malformed command to the listener. Within the header of a listener packet, a field is used to indicate the length of the command being sent. If the message length in the header is greater than the actual message length sent, the listener will copy extraneous data into the buffer it returns, including:
- previous commands
- the results of previous commands
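The length-mismatch flaw described above, modeled as an added example (not Oracle's code and not part of the original entry). The 2-byte length prefix, the reused `rx_buf`, and all function names are assumptions for this toy model rather than the real TNS layout. It shows the vulnerable reply path beside a hardened one.

```c
#include <stdint.h>
#include <string.h>

#define BUF_SZ 256
static uint8_t rx_buf[BUF_SZ];  /* model: one receive buffer reused across clients */

/* Assumed toy format: 2-byte big-endian declared length, then command bytes. */
static size_t declared_len(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Vulnerable pattern: reply size comes from the header, not from what arrived. */
size_t handle_vulnerable(const uint8_t *pkt, size_t pkt_len, uint8_t *reply) {
    if (pkt_len < 2 || pkt_len - 2 > BUF_SZ) return 0;
    size_t n = declared_len(pkt);
    if (n > BUF_SZ) n = BUF_SZ;
    memcpy(rx_buf, pkt + 2, pkt_len - 2);  /* overwrites only the bytes received */
    memcpy(reply, rx_buf, n);              /* tail still holds the previous request */
    return n;
}

/* Hardened pattern: drop on length mismatch, wipe the buffer after each use. */
size_t handle_hardened(const uint8_t *pkt, size_t pkt_len, uint8_t *reply) {
    if (pkt_len < 2 || pkt_len - 2 > BUF_SZ) return 0;
    size_t n = declared_len(pkt);
    if (n != pkt_len - 2) return 0;
    memcpy(rx_buf, pkt + 2, n);
    memcpy(reply, rx_buf, n);
    memset(rx_buf, 0, sizeof rx_buf);
    return n;
}

/* Builds a toy packet whose declared length may differ from the bytes sent. */
static size_t make_pkt(uint8_t *out, size_t declared, const char *cmd) {
    out[0] = (uint8_t)(declared >> 8);
    out[1] = (uint8_t)declared;
    memcpy(out + 2, cmd, strlen(cmd));
    return strlen(cmd) + 2;
}

/* Constructed scenario: client A's command holds a secret; client B then sends
   4 bytes while declaring 27. Returns 1 if B's reply contains A's bytes. */
int stale_data_returned(int hardened) {
    size_t (*handle)(const uint8_t *, size_t, uint8_t *) =
        hardened ? handle_hardened : handle_vulnerable;
    const char *a = "SET PASSWORD=example-secret";  /* constructed, 27 bytes */
    uint8_t pkt[64], reply[BUF_SZ];
    memset(rx_buf, 0, sizeof rx_buf);
    handle(pkt, make_pkt(pkt, strlen(a), a), reply);
    size_t n = handle(pkt, make_pkt(pkt, 27, "PING"), reply);
    return n >= 27 && memcmp(reply + 4, a + 4, 23) == 0;
}
```

Either hardening step alone closes the leak in this model: the length check rejects the mismatched request, and the wipe leaves nothing stale to return.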
This attack can be mounted by any remote user who can send packets to the IP address and port of the listener. It cannot be mounted by an attacker outside your organization if a firewall is properly protecting the database.
An attacker would use this vulnerability to collect information about the database. No authentication credentials are required to run this attack. An attacker would repeatedly run this attack over a series of days, collecting a list of users and client addresses, and hoping to catch the database administrator connecting to the listener using the password.
Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.