Threat Finder

Threat ID
4
Threat Date
08/06/2007
Threat Name
Default listener password
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
High
Database Type
Oracle
Category
Weak Passwords
Versions
All versions of Oracle
Summary
The default password has not been changed on the listener service. A knowledgeable attacker will try the default password and will then be able to use the listener service to write files on the operating system, possibly gaining access as the account that owns Oracle.
Overview
The default listener password (Oracle) has not been changed. If you do not change the listener password, an attacker can easily gain control over the listener service and can:
- shut down the listener, or
- perform other administrative actions on the listener

This attack can be mounted by any remote user who can send packets to the IP address and port of the listener. It cannot be mounted by an attacker outside your organization if a firewall is properly protecting the database.

This is a dangerous vulnerability since many database administrators are unaware that the listener service accepts commands from remote sources. This allows anyone on the network to attempt to break into the listener.

Several known vulnerabilities use the privileges of the listener to perform actions such as:
- creating .rhosts files
- corrupting the Oracle database files

If you do not set a password on the listener, an attacker can gain control of the listener and use the vulnerabilities listed above to gain access to the operating system as the owner of the Oracle software.

The listener:
- is a server-side program that manages connecting clients to the database
- handles the connection request from a client to a database
- first accepts the connection and then negotiates with the database to set up a channel between the two ends
- returns the connection information to the client, allowing the client and database to establish a connection

The listener typically runs under the following privileges:
- Using the Oracle software owner account on UNIX
- Using the LocalSystem account on Windows

Because the listener has such a high level of privileges, any actions this process can take should be restricted.
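An added example (not part of the original entry or of any vendor fix script): a small audit that reads a listener.ora file and reports listeners with no password set or with runtime administration left unrestricted. The parameter names PASSWORDS_<listener> and ADMIN_RESTRICTIONS_<listener> come from Oracle Net's listener.ora format and are not named on this page; the sample file, host name and password hash are constructed.

```python
import re

# Constructed sample listener.ora: LISTENER has no password, LISTENER_HR has one.
SAMPLE = """\
LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521)))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
LISTENER_HR =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1522)))
PASSWORDS_LISTENER_HR = (0000000000000000)  # constructed placeholder hash
ADMIN_RESTRICTIONS_LISTENER_HR = ON
"""

def parse_params(text):
    """Return {NAME: value} for top-level listener.ora parameters."""
    params, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = re.match(r"\s*([A-Za-z][\w.]*)\s*=\s*(.*)", line)
        if depth == 0 and m:  # a new parameter starts only outside parentheses
            name, line = m.group(1).upper(), m.group(2)
            params[name] = ""
        if name is not None:
            params[name] += line.strip()
            depth += line.count("(") - line.count(")")
    return params

def audit(text):
    """Map each listener name to a list of findings (empty list means ok)."""
    params = parse_params(text)
    findings = {}
    for name, value in params.items():
        if name.startswith("SID_LIST_") or "ADDRESS" not in value.upper():
            continue  # not a listener definition
        issues = []
        if not params.get("PASSWORDS_" + name, "").strip("() "):
            issues.append("no listener password set")
        if params.get("ADMIN_RESTRICTIONS_" + name, "OFF").upper() != "ON":
            issues.append("ADMIN_RESTRICTIONS not ON")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for listener, issues in audit(SAMPLE).items():
        print(listener, "->", issues or "ok")
```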
References
http://download.oracle.com/docs/cd/B19306_01/network.102/b14212/listenercfg.htm#sthref1018
http://download.oracle.com/docs/cd/B28359_01/network.111/b28316/listenercfg.htm#NETAG459
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.
