Vigil@nce - Oracle Database: data capture via TNS Listener Registration
May 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can register a malicious database instance from the
TNS Listener, in order to capture exchanges between clients and
the legitimate database.
Severity: 2/4
Creation date: 26/04/2012
IMPACTED PRODUCTS
– Oracle Database
DESCRIPTION OF THE VULNERABILITY
The TNS Listener service indicates to clients on which
computer/port they have to connect to access to a database.
Clients then establish a connection to the indicated port, and
send SQL queries.
The TNS Listener Registration feature allows databases to register
themselves to a Listener. So, if several databases with the same
name register to a Listener, clients are alternatively redirected
to a database or to another database.
However, this feature does not require an authentication. An
attacker can then:
– register to the Listener as an instance of MyBase
– wait for a client of the Listener to request an access to MyBase
The Listener then has one chance over two (depending on the load)
to redirect the client to the attacker. The attacker can then
connect to the legitimate database, and use a Man-in-the-Middle
attack.
An attacker can therefore register a malicious database instance
from the TNS Listener, in order to capture exchanges between
clients and the legitimate database.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Oracle-Database-data-capture-via-TNS-Listener-Registration-11569