Possible Oracle Listener Problems


SARA Note: The test to confirm this vulnerability was not run since the Oracle Listener was using a non-standard logfile. Attempts to confirm the vulnerability could move the logfile from its custom place.

Summary

The Oracle listener is installed with provisions for the user to change the locations of its log and trace files. A crafted command sent through the listener process could use this to compromise the system.

Impact

The SET LOG_FILE and SET TRC_FILE commands change, respectively, the log file and the trace file that the listener program writes to, and they take effect dynamically while the listener is running. The listener process can therefore be configured to append and/or overwrite logging and tracing information to any operating system file that can be written by the Oracle owner, potentially introducing malicious code into the operating system.
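
One way to audit for this on the defensive side is to scan the listener log for SET LOG_FILE and SET TRC_FILE requests and flag any new location outside the directory where the files are expected. The following is an added example, not part of the original SARA text or of Oracle's tooling. The log line layout, the sample lines, and the allowed directory /u01/app/oracle/network are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample lines. The layout assumes the common listener.log form
# "timestamp * (CONNECT_DATA=...) * command * return code".
SAMPLE_LOG = """\
14-MAR-2003 10:02:11 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=dbhost)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=135294976)) * status * 0
14-MAR-2003 10:05:42 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=log_file)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=135294976)(VALUE=/tmp/relocated.log)) * log_file * 0
14-MAR-2003 10:07:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=dbhost)(USER=oracle))(COMMAND=trc_file)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=135294976)(VALUE=/u01/app/oracle/network/trace/listener.trc)) * trc_file * 0
"""

# The two commands named in the Impact text.
WATCHED = {"log_file", "trc_file"}
# Pull the leaf key=value pairs we care about out of the nested CONNECT_DATA.
FIELD = re.compile(r"\((COMMAND|VALUE|HOST|USER)=([^()]*)\)")


def find_relocations(log_text, allowed_dir):
    """Return one finding per SET LOG_FILE / SET TRC_FILE request in the log.

    A request without a VALUE field is treated as a query, not a change.
    """
    allowed = PurePosixPath(allowed_dir)
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = dict(FIELD.findall(line))
        command = fields.get("COMMAND", "").lower()
        if command not in WATCHED or "VALUE" not in fields:
            continue
        target = PurePosixPath(fields["VALUE"])
        # Inside only if the allowed directory is an ancestor and the path
        # carries no ".." component that could climb back out of it.
        inside = allowed in target.parents and ".." not in target.parts
        findings.append({
            "line": lineno,
            "timestamp": line.split(" * ")[0],
            "command": command,
            "target": str(target),
            "host": fields.get("HOST", ""),
            "user": fields.get("USER", ""),
            "inside_allowed": inside,
        })
    return findings


if __name__ == "__main__":
    for f in find_relocations(SAMPLE_LOG, "/u01/app/oracle/network"):
        status = "ok" if f["inside_allowed"] else "ALERT"
        print(f"{status:5} line {f['line']} {f['timestamp']} "
              f"{f['command']} -> {f['target']} (host={f['host'] or '-'})")
```

Because a successful relocation redirects the log itself, the last entry written to the original file is the one that records the change, so the original log should be kept and reviewed.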

Fix