This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Protect the listner"

From OWASP
Jump to: navigation, search
(New page: ==Background== Creating a buffer overflow—crashing the listener by sending a large string to be executed—is a common intruder tactic. Another popular one is to see the various componen...)
 
(Replacing page with 'http://www.oracle.com/technology/pub/articles/project_lockdown/phase1.html#1.7 www.integrigy.com/security-resources/whitepapers/Integrigy_Oracle_Listener_TNS_Security.pdf Page...')
 
Line 1: Line 1:
==Background==
+
http://www.oracle.com/technology/pub/articles/project_lockdown/phase1.html#1.7
Creating a buffer overflow—crashing the listener by sending a large string to be executed—is a common intruder tactic. Another popular one is to see the various components using SET DISPLAYMODE VERBOSE from the lsnrctl utility. In this case the hacker may manipulate the settings by running lsnrctl on a vulnerable machine to administer the listener on the target server. Here's an example:
 
  
LSNRCTL> set trc_level support
+
www.integrigy.com/security-resources/whitepapers/Integrigy_Oracle_Listener_TNS_Security.pdf
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=prolin1)(PORT=1521)))
+
Page 17
LISTENER parameter "trc_level" set to support
 
The command completed successfully
 
LSNRCTL> set trc_directory /tmp
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=prolin1)(PORT=1521)))
 
LISTENER parameter "trc_directory" set to /tmp
 
The command completed successfully
 
 
 
As the trace level is SUPPORT , the listener generates a lot of information that you may not want the hacker to know. Also, because the trace files are written to the directory /tmp, he can easily see them as well. All this can be learned without even being on the server.  
 
 
 
==Strategy==
 
To protect the listener, the best option is to set a password. In addition, you can employ another approach: restricting the ability to set various parameters of the listeners using the lsnrctl utility. In that case, the only way to change parameters is to set them in the listener configuration file and then reload it. To set these restrictions, you can place the following line in the listener.ora file:
 
 
 
ADMIN_RESTRICTIONS_LISTENER = ON
 
and then restart the listener. Now, you can no longer use the SET command in the lsnrctl prompt to change a value. For example:
 
 
 
LSNRCTL> set trc_directory /hacker_dir
 
Connecting to (ADDRESS=(PROTOCOL=IPC)(KEY=PROPRD1))
 
TNS-12508: TNS:listener could not resolve the COMMAND given
 
 
 
Note the TNS-12508. From now on, to change a value, you must do so in listener.ora and then use the reload command.
 
 
 
LSNRCTL> reload
 
This is true for all Oracle versions discussed in this series.
 
 
 
Even if you use a password to protect the listener, you should still use this technique to further restrict the hacker's ability to administer the listener. This is particularly true in Oracle Database 10g, where a listener password is not required for the Oracle software owner.  
 
 
 
==Implications==
 
The implications are negligible. Few users edit parameters online anyway; rather, they edit listener.ora and then reload the listener. Thus, this change will not affect them at all.
 
 
 
Note however that it will no longer be possible to use remote listener control to administer a listener on a different server. Instead, you have to log onto the server to make the change in listener.ora and then reload the listener, which is best practice anyway.
 
 
 
==Action Plan==
 
Place the parameter ADMIN_RESTRICTIONS_LISTENER = ON in the file listener.ora.
 
Reload the listener by issuing lsnrctl reload.
 

Latest revision as of 08:59, 5 November 2007

http://www.oracle.com/technology/pub/articles/project_lockdown/phase1.html#1.7

www.integrigy.com/security-resources/whitepapers/Integrigy_Oracle_Listener_TNS_Security.pdf Page 17