Vulnerability Tutorial - Oracle TNS Listener
Updated: 01/18/05 (RED light)
Impact
A remote user could create a denial of service or execute arbitrary commands on the underlying operating system with LocalSystem privileges on a Windows system or oracle privileges on a Unix system.
Background
The Transparent Network Substrate (TNS) listener, also known as the SQL*NET listener, is a service which establishes and maintains connections with Oracle database services. When it receives a request from a client, the TNS listener establishes a connection between the client and server over a transparent network substrate, which allows communication regardless of the network protocol being used by either system. For example, a client which uses IPX could communicate with a server using TCP/IP over the transparent network substrate.

In addition to requests for connections, the TNS listener also recognizes a number of commands which can be used to view or change status or configuration information about the listener itself. Some of these commands can be restricted such that they can only be used by authenticated users, but others cannot.

One capability of the Oracle TNS listener is the ability to call functions from libraries on the operating system. The listener communicates with another process, called External Procedures (EXTPROC), which is responsible for loading the library and calling the function. The listener communicates with EXTPROC using a named pipe, which is an inter-process communication mechanism which is local to the system.

The Problem

service_register_NSGR Denial of Service

01/18/05
CVE 2004-1369
By specifying a large offset in a service_register_NSGR request, an attacker could cause the TNS listener to attempt to read memory beyond the end of a buffer, causing the service to crash. Oracle Database prior to 10.1.0.3 is affected by this vulnerability.

Denial of Service due to Missing Password

09/09/04
In its default configuration, no password is required to access the TNS listener. This could allow any remote user to shut it down, leading to a denial of service.

Debugger Denial of Service

08/13/02
CVE 2002-0856
A flaw in the debugging mechanism in Oracle 9i could allow a remote attacker to crash the SQL*NET listener by sending it a specially crafted request. After an attack, the listener would not respond to any requests until it is manually restarted. Oracle 9.0.x and 9.2 on all platforms are affected by this vulnerability.

SERVICE_NAME Buffer Overflow

06/25/02
Due to a buffer overflow condition, a remote attacker could overwrite the saved return address and take control of the process execution by sending a long, specially crafted SERVICE_NAME parameter to the TNS Listener. Oracle 9.0.x on Windows or VM platforms, and Oracle 8.0.6.x on VM platforms are affected by this vulnerability.

Authentication Bypass

02/19/02
CVE 2002-0567
The Oracle listener does not require any authentication from entities requesting a library function call. Therefore, an attacker can claim to be an Oracle process and call a function such as system() which allows the execution of arbitrary system commands. Furthermore, it is possible to force the listener to communicate with the EXTPROC process using sockets instead of named pipes, thus allowing the vulnerability to be exploited remotely over a TCP connection.

Oracle 8 and 9 on any platform are affected by this vulnerability.

Buffer Overflow

07/19/01
CVE 2001-0499
A buffer overflow condition in the processing of commands could allow an attacker to execute arbitrary code on the server by sending a command with a very long argument. Since some commands never require authentication, this vulnerability can be exploited remotely. On a Windows or Unix server, the vulnerability could allow an attacker to execute commands on the underlying operating system with the privileges of the TNS listener service, which by default is LocalSystem on Windows and oracle on Unix.

Any system running Oracle 8i with the TNS listener service enabled which has not been patched is affected by this vulnerability.

Other Vulnerabilities

CVE 1999-0784
CVE 2001-0498
CVE 2002-0509
CVE 2002-0965
CVE 2002-1118
Older vulnerabilities in Oracle TNS Listener could lead to denial of service or local privilege elevation.

Resolution
Enable a password using the lsnrctl SET PASSWORD command, and upgrade to Oracle Database 10g version 10.1.0.3 or higher. If an upgrade is not practical at the present time, apply the needed patches. Patches are being made available from OracleMetaLink. The service_register_NSGR vulnerability is fixed by these patches. The flaw in the debugging mechanism is fixed by patch number 2467947. The buffer overflows in SERVICE_NAME and command processing are fixed by patch numbers 2367681 and 1489683, respectively. Check Oracle Security Alert #29 for the patch number for the EXTPROC vulnerability, or for workaround instructions if the patch is not yet available.

If the patches cannot be applied immediately, the potential for exploitation can be mitigated by filtering TCP port 1521 or 1541 at the network perimeter and by using the Valid Node Checking feature to restrict access to the listener. To use the Valid Node Checking feature, enable it in $ORACLE_HOME/NETWORK/ADMIN/SQLNET.ORA (or $ORACLE_HOME/NETWORK/ADMIN/PROTOCOL.ORA in Oracle 8i), and specify which IP addresses to allow and deny. For example, to allow 192.168.255.1 and deny 192.168.255.2 and 192.168.255.3, add the following lines:

tcp.validnode_checking = YES
tcp.invited_nodes = (192.168.255.1)
tcp.excluded_nodes = (192.168.255.2, 192.168.255.3)
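To verify that a SQLNET.ORA file actually enforces the Valid Node Checking settings shown above, the following added audit script (example code, not from the original tutorial or from Oracle) parses the file, reports whether checking is enabled, and evaluates which client addresses the three lines would admit. It assumes, as Oracle documents, that a non-empty tcp.invited_nodes list takes precedence over tcp.excluded_nodes; the sample file contents are constructed.

```python
# Constructed sample SQLNET.ORA content mirroring the tutorial's recommended lines.
SAMPLE_SQLNET_ORA = """\
# constructed example file, not a real deployment
tcp.validnode_checking = YES
tcp.invited_nodes = (192.168.255.1)
tcp.excluded_nodes = (192.168.255.2, 192.168.255.3)
"""

def parse_sqlnet_ora(text):
    """Parse 'key = value' lines; a parenthesised value becomes a list of nodes."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[key.lower()] = value
    return params

def _nodes(params, key):
    """Return a node list for key whether it was written with or without parentheses."""
    value = params.get(key, [])
    return [value] if isinstance(value, str) else value

def valid_node_checking_enabled(params):
    return str(params.get("tcp.validnode_checking", "")).upper() == "YES"

def client_allowed(params, client_ip):
    """Decide whether client_ip passes the configured node lists.
    Assumption: invited list, when present, takes precedence over the excluded list."""
    if not valid_node_checking_enabled(params):
        return True                                # no filtering at all
    invited = _nodes(params, "tcp.invited_nodes")
    if invited:
        return client_ip in invited
    return client_ip not in _nodes(params, "tcp.excluded_nodes")

def audit(params):
    """Return findings a defender would want to act on (empty list means OK)."""
    findings = []
    if not valid_node_checking_enabled(params):
        findings.append("tcp.validnode_checking is not YES: listener accepts any source")
    elif not _nodes(params, "tcp.invited_nodes") and not _nodes(params, "tcp.excluded_nodes"):
        findings.append("valid node checking enabled but no node lists are defined")
    return findings
```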
More Information
For more information on the service_register_NSGR denial of service, see NGSSoftware Advisory #NISR23122004F and Oracle Security Alert 68.

For more information about the flaw in the debugging mechanism, see Oracle Security Alert #38.

For more information about the SERVICE_NAME buffer overflow, see Oracle Security Alert #34 and NGSSoftware Advisory #NISR12062002A.

For more information about the EXTPROC vulnerability, see Oracle Security Alert #29 and NGSSoftware Advisory #NISR06022002A.

For more information about the buffer overflow vulnerability, see CERT Advisory 2001-16.