Hi
Or run the extproc as another low privilege user such as nobody on
Unix. Then the hacker would not be able to run oracle owned libraries as
oracle and if he did the classic of creating a library using libc and
the system() call anything executed would be as nobody and not the owner
install the demo schemas.
Regards
Hemant
At 07:29 AM 29-07-03 -0800, you wrote:
I sent a reply on that day. Here it is, once again.
Date: Fri, 25 Jul 2003 12:25:59 -0400
Subject: Re: Question about EXTPROC and vulnerability
Hemant,
You are right in wondering why there are three steps.
1. The listener
of the seeded demo schemas in 9i also have such
privileges. Here, again, I never install the demo schemas.
Regards
Hemant
At 07:29 AM 29-07-03 -0800, you wrote:
I sent a reply on that day. Here it is, once again.
Date: Fri, 25 Jul 2003 12:25:59 -0400
Subject: Re: Question about EXTPROC
: Hemant K Chitale [EMAIL PROTECTED]
Subject: Question about EXTPROC and vulnerability
Organization: Fat City Network Services, San Diego, California
Oracle's Security Alert #29 [Note 175429.1] on the EXTPROC recommends the
workaround to disable
EXTPROC as
1. Removing the entry for extproc
I sent a reply on that day. Here it is, once again.
Date: Fri, 25 Jul 2003 12:25:59 -0400
Subject: Re: Question about EXTPROC and vulnerability
Hemant,
You are right in wondering why there are three steps.
1. The listener must not be listening for the EXTPROC connections - that is
the first
Or, alternatively, you could leave EXTPROC where it is, no matter how
vulnerable it is, and trust a good firewall. If you are in a commercial
environment, breaking in a box through the buffer overflow hole would
require a major talent, which is very hard to come by in these days of
cost cutting. I
FYI
NGSSoftware Insight Security Research Advisory
Name: Oracle Extproc Buffer Overflow
Systems Affected: Most OS platforms; Oracle9i Database Release 2 and 1, 8i
Severity: High Risk
Vendor URL: http://www.oracle.com
Authors: David Litchfield ([EMAIL PROTECTED])
Chris Anley ([EMAIL PROTECTED
= extproc_agent) Key1
)
)
SID_LIST_EXTPROC_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = 11) Key2
(ORACLE_HOME = /ora1/81764)
(PROGRAM = extproc)
)
)
BTW: Oracle's recommendation is to use a separate listener for extproc
calls. -Original
Oracle's Security Alert #29 [Note 175429.1] on the EXTPROC recommends the
workaround to disable
EXTPROC as
1. Removing the entry for extproc/PLSExtproc/icache_extproc from the
listener.ora
2. Removing the entry from the tnsnames.ora
3. Renaming or removing the extproc executable
Title: Extproc setup Q?
Hi All,
I am trying to setup EXTPROC but keep getting ORA-28575 (Check your tnsnames.ora listener.ora)
Attached are my files that look OK to me
Anybody
Title: Extproc setup Q?
Please add the line in red to your listener.ora file.
Extproc has been made secure in Oracle 9i. The following line has to be added to
execute your own external procedures.
LISTENER =
(DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST =
Linux)(PORT = 1521
: Multiple recipients of list ORACLE-L
Subject: RE: Extproc setup Q?
Please add the line in red to your listener.ora file.
Extproc has been made secure in Oracle 9i. The following line has to be added
to execute your own external procedures.
LISTENER =
(DESCRIPTION = (ADDRESS
:
EXTPROC_LISTENER =
(ADDRESS_LIST =
(ADDRESS =
(PROTOCOL = IPC)
(KEY = extproc_agent) Key1
)
)
SID_LIST_EXTPROC_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = 11) Key2
(ORACLE_HOME = /ora1/81764)
(PROGRAM = extproc
Hi all,
Does anybody know how Oracle determines what extproc to use when
making an external call through a listener? I've got one working,
which is great, but nowhere in the listener or tnsnames is there
any kind of binding to a particular sid, other than to a HOME,
and the library def and c
20, 2002 9:43 AM
To: Multiple recipients of list ORACLE-L
Hi all,
Does anybody know how Oracle determines what extproc to use when
making an external call through a listener? I've got one working,
which is great, but nowhere in the listener or tnsnames is there
any kind of binding
Message-
Sent: Tuesday, August 20, 2002 8:53 AM
To: Multiple recipients of list ORACLE-L
John Dennis,
First off I do use this feature have the DB's isolated from the Internet.
Also, NEVER set up an extproc listener with protocol=tcp. It may be
unsupported, but I did manage to get one
Ian,
Good points. Although running extproc under TCP is NOT supported by Oracle,
it will work.
Dick Goulet
Reply Separator
Author: MacGregor; Ian A. [EMAIL PROTECTED]
Date: 7/8/2002 4:28 PM
Some security and Intermedia tips:
Make sure
Look at note: 99136.1 on the metalink.
It has also many references to other useful documents that might help.
Regards,
Waleed
-Original Message-
Sent: Monday, June 03, 2002 9:28 AM
To: Multiple recipients of list ORACLE-L
Hi all,
I've recently been asked to set up an extproc
John,
First question, is this the first extproc listener that you've set up on this
server? If you're configuring a second, you can't really do that as there can be
one and only one extproc_connection_data entry in your tnsnames.ora file. What
you need in this case is a new library
Some security and Intermedia tips:
Make sure the extproc listener runs under a non-privileged account. In UNIX the
nobody account should be used. Do not set up anything but an ipc connection. If
you are running Intermedia make and need to do document filtering make sure nobody's
Hi all,
I've recently been asked to set up an extproc listener and as this is the
first non-apps one I have had to deal with, I was hoping somebody could
give some pointers. I have RTFM, and sarcasm it's oh so clear /sarcasm.
Anyway, how does one go about figuring out the LISTENER_KEY
In address_list to listen for extproc connection through IPC protocol use
EXTPROC0 as a KEY.
SID_NAME for extproc is always PLSExtProc.
ORACLE_HOME is your regular oracle_home directory.
Here is an example:
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS_LIST
Oracle has issued the following PL/SQL EXTPROC security alert :
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NEWp_id=140815.995
I want to determine if the applications I am supporting are using External
Procedures.
If they are not then I will utilize
Try: ld -m /data1/dev/uexit/test/extproc.so
-Original Message-
Sent: Sunday, November 18, 2001 10:45 PM
To: Multiple recipients of list ORACLE-L
Hi,
Pl use the equivalent of DLL walker of NT in Unix to find the exact name of
the shared object that you have created. The shared object
Khedr, Waleed wrote:
Try: ld -m /data1/dev/uexit/test/extproc.so
-Original Message-
Sent: Sunday, November 18, 2001 10:45 PM
To: Multiple recipients of list ORACLE-L
Hi,
Pl use the equivalent of DLL walker of NT in Unix to find the exact name of
the shared object that you
-- Forwarded Message --
Date: Sun, 18 Nov 2001 22:47:09 -
To: 'Jared Still' [EMAIL PROTECTED]
Hi Jared,
I am sure you can help me on this.
I am encountering problems to run an O/S command from a stored
procedure/procedure.
The error log is as follows...
SQLcreate