AUSCERT External Security Bulletin Redistribution
         ESB-2000.310 -- Internet Security Systems Security Advisory
                Vulnerability in the Oracle Listener Program
                               27 October 2000


	AusCERT Security Bulletin Summary

Product:                Oracle Listener 7.3.4, 8.0.6, and 8.1.6
Vendor:                 Oracle
Impact:                 Create Arbitrary Files
			Modify Arbitrary Files
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------


Internet Security Systems Security Advisory
October 25, 2000

Vulnerability in the Oracle Listener Program

Internet Security Systems (ISS) X-Force has discovered a vulnerability
in the listener program in Oracle Enterprise Server. It is possible for
a remote attacker to gain access to the Oracle owner operating system
account and the Oracle database, and to execute code in various
operating systems.

Affected Products and Releases:
Oracle listener program releases 7.3.4, 8.0.6, and 8.1.6 on all

The Oracle listener program accepts remote commands from remote listener
controllers. If configured properly, a password is required to
authenticate a user before issuing a listener command. The default
Oracle installation does not allow a password for the listener program
to be indicated. If a password has not been set, the Oracle listener
program can be configured to append log information to a file. Due to a
problem with the SET TRC_FILE and SET LOG_FILE commands, these values
can be changed to any file name. This allows an attacker to create a new
file or corrupt an existing file.

The information logged by the listener program can be specified by an
attacker by sending a specially formed connect packet to the listener.
This logged information can be changed to include commands and escape
characters, allowing an attacker to gain access to an operating system

Oracle recommends that customers download the patches for this
vulnerability from Oracle's Worldwide Support Services website
http://metalink.oracle.com. Customers can reference generic bug number
1361722 filed against the listener program.      

Customers will also find a security alert for this issue on the Oracle
Technology Network at the following URL:

ISS SAFEsuite security assessment software, Database Scanner, currently
determines if a password is indicated for the listener and how strong
the password is. An upcoming release of Database Scanner will be updated
to determine if the Oracle patch has been applied.

Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2000-0818 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

This vulnerability was discovered and researched by Ben Layer and Aaron
Newman of Internet Security Systems. ISS would like to thank Oracle for
their response and handling of this vulnerability

About Internet Security Systems (ISS)
Internet Security Systems (ISS) (NASDAQ: ISSX) is the leading global
provider of security management solutions for the Internet. By combining
best of breed products, security management services, aggressive
research and development, and comprehensive educational and consulting
services, ISS is the trusted security advisor for thousands of
organizations around the world looking to protect their mission critical
information and networks.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.


The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.

Version: 2.6.3a
Charset: noconv


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key