Oracle-L: RE: Oracle remote compromise./ Why Not Run The External procedure
External procedure calls are used by Intermedia. I don't know of any other Oracle utility that does so, perhaps IFS, but that's just a guess. Any locally written external procedures must be under the strictest control. You wouldn't want anyone to write something that allowed the "rm" command. Don't grant the Oracle privilege "create library" to anyone.
In order to use external procedures you need an entry in the tnsnames.ora file which resembles
extproc_connection_data =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = extproc_key))
    (CONNECT_DATA = (SID = extproc_agent))
  )
A look at the listener log will show entries such as
08-FEB-2002 15:22:14 * (CONNECT_DATA=(SID=extproc_agent)) *
(ADDRESS=(PROTOCOL=ipc)(KEY=extproc_key)) * establish * extproc_agent * 0
08-FEB-2002 15:25:37 * (CONNECT_DATA=(SID=extproc_agent)) *
The external procedure listener should not be run as Oracle, but as a less privileged account. In Unix this is typically nobody. If there is any reference to external procedures under the normal Oracle listener, remove it and add the following or something similar to the listener.ora file, changing the listener's log directory and Oracle Home as appropriate.
EXTPROC_LISTENER =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = IPC)(KEY = extproc_key))
  )

LOG_DIRECTORY_EXTPROC_LISTENER = /xxx/xxx/xxx/xxx/xxx/xxx/xxx
LOG_FILE_EXTPROC_LISTENER = extproc_listener.log

SID_LIST_EXTPROC_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = extproc_agent)
      (ORACLE_HOME = /xxx/xxx/xxx/xxx/xxx)
      (PROGRAM = extproc)
    )
  )
Always start the extproc_listener as "nobody". Now any command which is called through the extproc_listener runs under the nobody account and not the oracle account.
I wonder why this was not mentioned as a way to mitigate the problem? I would definitely block incoming traffic on port 1521 at the external firewall. Then you only need worry about compromises from inside CMU. Blocking 1521 at the firewall and removing the external procedure lines entirely from listener.ora would be the most secure.
Ian MacGregor
Stanford Linear Accelerator Center
ian_at_slac.stanford.edu
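A check that answers the listener.log question raised in this thread, added here as an example and not code from either poster: it walks listener log records in the layout quoted above, counts connections to the extproc SIDs named in the thread (extproc_agent and PLSExtProc), and flags any that arrived over something other than IPC, which a dedicated IPC-only extproc listener should make impossible. The log lines are constructed for the example.

```python
import re

# SIDs that identify the external procedure agent; both names appear in the
# thread (extproc_agent in the listener.ora above, PLSExtProc in the question).
EXTPROC_SIDS = {"extproc_agent", "plsextproc"}

# Constructed sample in listener.log layout, one record per line, fields
# separated by " * ": timestamp, CONNECT_DATA, ADDRESS, command, SID, return code.
SAMPLE_LOG = """\
08-FEB-2002 15:22:14 * (CONNECT_DATA=(SID=extproc_agent)) * (ADDRESS=(PROTOCOL=ipc)(KEY=extproc_key)) * establish * extproc_agent * 0
08-FEB-2002 15:23:01 * (CONNECT_DATA=(SID=prod)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=33012)) * establish * prod * 0
08-FEB-2002 15:25:37 * (CONNECT_DATA=(SID=extproc_agent)) * (ADDRESS=(PROTOCOL=ipc)(KEY=extproc_key)) * establish * extproc_agent * 0
08-FEB-2002 15:26:10 * (CONNECT_DATA=(SID=PLSExtProc)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=40111)) * establish * PLSExtProc * 0
08-FEB-2002 15:30:00 * service_update * prod * 0
"""

PROTOCOL_RE = re.compile(r"\(PROTOCOL=(\w+)\)", re.IGNORECASE)


def parse_establish_records(log_text):
    """Yield (timestamp, connect_data, address, sid, rc) for 'establish' lines.
    Records with a different field count (service_update etc.) are skipped."""
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(" * ")]
        if len(fields) == 6 and fields[3] == "establish":
            yield fields[0], fields[1], fields[2], fields[4], int(fields[5])


def extproc_report(log_text, extproc_sids=EXTPROC_SIDS):
    """Summarise extproc use in a listener log.

    'connections': every connection to an extproc SID (empty means nothing
    has used extproc in this log, so the entries can be removed).
    'non_ipc': extproc connections over any protocol other than IPC; with a
    separate IPC-only extproc listener this list should always be empty."""
    connections, non_ipc = [], []
    for ts, _cd, address, sid, _rc in parse_establish_records(log_text):
        if sid.lower() not in extproc_sids:
            continue
        m = PROTOCOL_RE.search(address)
        protocol = m.group(1).lower() if m else "unknown"
        connections.append((ts, sid, protocol))
        if protocol != "ipc":
            non_ipc.append((ts, sid, protocol))
    return {"connections": connections, "non_ipc": non_ipc}


if __name__ == "__main__":
    report = extproc_report(SAMPLE_LOG)
    print(f"extproc connections: {len(report['connections'])}")
    for ts, sid, proto in report["non_ipc"]:
        print(f"WARNING: {sid} reached over {proto} at {ts}")
```

Run it against the real file with `extproc_report(open("listener.log").read())`; the log only shows what has connected since it was last rotated, so check the full retention window before deciding extproc is unused.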
-----Original Message-----
Sent: Friday, February 08, 2002 12:25 PM
To: LazyDBA.com Discussion
So, I've been reading a bit about this security hole and figuring out what exactly I can or should do about it.
One of the solutions is to remove PLSExtproc functionality altogether. I am trying to figure out if I can do this. If I look in my listener.log file, will I see entries for extproc listed there if it is being used? If this is a valid assumption, can I then just remove the PLSExtproc definition in my listener.ora and tnsnames.ora files and bounce the listener, if I don't see extproc listed?
Changing the default port doesn't seem all that much of a fix as anybody with a port scanner should be able to figure out what port the listener is on anyway.
Thanks for any insight here.
--
Blue skies.
Dan Rossi
Carnegie Mellon University.
E-Mail: dr25_at_andrew.cmu.edu
Tel: (412) 268-9081

--
Author: MacGregor, Ian A.
INET: ian_at_SLAC.Stanford.EDU

Received on Fri Feb 08 2002 - 18:47:19 CST