From: Adam Maloney (adam@iexposure.com)
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Thu, 27 Aug 1998 09:40:45 -0500
Subject: "NERP" DoS attack possible in Oracle

NERP DoS attack for Oracle

About two weeks ago I noticed that my NT machine was listening on port 1526.
I did not recognize this port number as a WKS, and it was not listed in NT's
services file, so I became suspicious.  For lack of a better way, I
telnetted to the port to try and find out what it was:

telnet localhost 1526
Connected to kilroy.intexp.com on port 1526
NERP

Disconnected from kilroy.intexp.com

As soon as I disconnected, my CPU usage jumped to 100%.  Upon looking at
Taskman, I saw that a process named tnslsnr80.exe was the culprit.  I could
not kill the process, and after waiting for about 5 minutes for it to go
away, I was forced to reboot my machine.

When my machine came back up, I did a search for tnslsnr80.exe, and found it
in the Oracle directory.  Apparently this program listens for connections on
port 1526 (port 1521 may be vulnerable as well), and is not expecting a mere
user to telnet to it and feed it garbage.

I contacted Oracle two weeks ago, first via their web comments page, and
then again via e-mail, and they never acknowledged or responded.  It is my
belief that you can bring an NT machine down to its knees if it is running
Oracle.

System Tested:
NT4.0 SP3 + post SP3 patches
Oracle 8
P-Pro 200, 128MB RAM

I am not 100% sure that this attack can be reproduced on anyone else's
systems.  I can reproduce it on my test machine, but all of the people that
I had contacted, asking to try the exploit out have not gotten back to me at
all.

A possible workaround would be to change the port that Oracle listens on to
something random (so that the script kiddies have to hunt for it at least).
I forget where, but I thought I saw a config file that allows you to specify
which port.

BTW, a few people have asked me if NERP is significant...it is not, typing
any random garbage is sufficient.  The NERP was just a sporadic random
thought.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                  Adam Maloney
            Systems  Administrator
                Internet  Exposure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From: Adam Maloney (adam@iexposure.com)
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Thu, 27 Aug 1998 14:43:07 -0500
Subject: Re: NERP DoS attack for Oracle

Forgive me, the NT machine in question was an Oracle 8 SERVER, not the
client.


From: Jon & Sheri Christiansen (jonsheri@ROCHESTER.RR.COM)
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Thu, 27 Aug 1998 21:56:39 -0400
Subject: Re: "NERP" DoS attack possible in Oracle

Thanks for the alert.... that's one definitely worth testing out... if I
find it I will log a call with Oracle support... I don't want such a simple
exploit just sitting there waiting for someone with too much time on their
hands.

Further info that may help you:

Ports 1521/1526 are the default port numbers Oracle will listen on for
SQL*Net (Oracle 7) or Net8 (Oracle 8) out of the box.  There is a file in
directory %ORACLE_HOME%\network\admin (Oracle 7) or %ORACLE_HOME%\net8\admin
(Oracle 8) called listener.ora that specifies the ports to listen on.  (if
you change it you need to change the tnsnames.ora file on all clients that
connect to it - including itself, that file usually resides in the same
location- if you don't they will not know which port to try to connect to)

On customized setups, the file may not be located in the original location,
in these cases, look under the registry entry:
HKEY_LOCAL_MACHINE\Software\Oracle for an entry called TNS_ADMIN which if
defined tells Oracle where to look for the network related *.ORA files.

I will have to test this out on my own against this specific "attack", but
there are other methods of protection, i.e. PROTOCOL.ORA will allow you to
specify which IP addresses (include/exclude rules) you will accept
connections from.  There is usually a text file buried underneath the
%ORACLE_HOME%\net8 directory that gives you almost all the different entries
for the various Oracle network *.ORA files in case you need to find
syntax/examples.

        Hope this helps
                -Jon


From: Joe Miller (joemiler@CLARK.NET)
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Fri, 28 Aug 1998 09:03:20 -0400
Subject: Re: "NERP" DoS attack possible in Oracle

On Thu, 27 Aug 1998, Adam Maloney wrote:

> A possible workaround would  be to change the port that Oracle listens on to
> something random (so that the script kiddies have to hunt for it at least).
> I forget where, but I thought I saw a config file that allows you to specify
> which port.

The initialization file for the Oracle Listener is called "Listener.ora",
and can be found in your "\ORANT\NET80\ADMIN".  This file determines the
protocols/ports which Oracle uses to listen for database connections.  If
you are running a database and a web server on the same machine, there is
no need to listen for TCP connections.  I would either use the Oracle
Bequeath method or IPC for local connections.  There should be a few lines
in the initialization file something like this:

        (ADDRESS=
          (PROTOCOL= TCP)
          (Host= kilroy)
          (Port= 1526)
        )

You could either change the port listed here or remove the entry
entirely and restart the Oracle Listener if you are not connecting to the
database via TCP to port 1526.  I would remove all protocols/ports not in
use in this file.


Joe Miller
joemiler@clark.net


From: "Reed, Dennis" (DJR3@PGE.COM)
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Fri, 28 Aug 1998 08:08:57 -0700
Subject: Re: NERP DoS attack possible in Oracle

NOTE!  The following is based on my personal experience and
recollection and is not to be construed as official advice from PG&E or
Oracle Corp.  Use at your own risk.  Better yet, if you have an Oracle
installation (which you must have if there's an \oracle or \orawin subdir),
contact your DBA and get your Oracle CSI (customer support info)
number from them, then call Oracle at 800-223-1711 for official help!
--------------------------------------------------------------------------------------------
TNSLSNR is the Oracle executable loaded on server machines
hosting Oracle databases which allows clients to connect to
the database using Oracle's proprietary SQL*Net protocol.  The
Listener (like IIS) sits there on the port waiting for connect requests
from client machines.  Ports commonly used on my servers/clients
range from 1521 (the default) to 1528 (on a server with multiple
databases/listeners).

There should be a file called LISTENER.ORA in the Oracle
subdirectory tree (usually under network\admin or something similar)
which contains settings related to how the Listener functions.
One of the settings in this file can be used to shut down the
connection if invalid (non-database) connections are made.

CONNECT_TIMEOUT_listenername
sets the # of seconds listener will listen for a valid database query
after session is started.  Default=10 seconds, 0=forever.

There should also be a file called SQLNET.ORA which contains a
setting called SQLNET.EXPIRE_TIME.  This setting (in minutes)
determines how often the Listener sends a probe to determine if
the connection to the client is still alive.  I believe that it will only
return a "connection still alive" result if connected to a SQL*Net
client (not, for instance, a Telnet session).  Default=0 (no probe),
recommended value=10 (minutes).  If no live session is found,
the connection will be broken and the Listener returned to its
normal "listening" state.  At that point, CPU usage should go back
down well below 100%.

Dennis Reed
DBA, Maintenance Department
Pacific Gas & Electric Co.
Standard Disclaimers Apply.
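Pulling together the listener.ora / tnsnames.ora / TNS_ADMIN advice in Jon's message, the ADDRESS block Joe shows, and the CONNECT_TIMEOUT_listenername setting Dennis describes: the script below is an added example, not code from this thread or from Oracle. It parses the parenthesised KEY = value syntax of the Net8 *.ora files and audits a constructed listener.ora / protocol.ora pair, reporting which TCP endpoints the listener exposes, whether they sit on the default 1521/1526 ports, whether CONNECT_TIMEOUT_<listener> is 0, and whether TCP.VALIDNODE_CHECKING is turned on. The hostname kilroy comes from the thread; the port 1619, the oracle.world IPC key, the invited-node addresses and the parameter defaults quoted from Dennis's message are assumptions for the sample.

```python
"""Audit a Net8 listener.ora / protocol.ora for the settings discussed above.
Added example, not code from the thread or from Oracle.  It parses the
parenthesised KEY = value *.ora syntax; the sample files below are constructed."""
import re
DEFAULT_PORTS = {"1521", "1526"}   # out-of-the-box listener ports named in the thread
DEFAULT_CONNECT_TIMEOUT = 10       # seconds, the default Dennis Reed quotes
_TOKEN = re.compile(r"\(|\)|=|#[^\n]*|[^\s()=#,]+")   # '#' comments are dropped below


def _group(toks, i):
    """Parse one '(' ... ')' group; toks[i] is the first token after '('."""
    if i + 1 < len(toks) and toks[i + 1] == "=":        # (KEY = value)
        key = toks[i]
        val, i = _value(toks, i + 2)
        return (key.upper(), val), i + 1                 # i + 1 skips the ')'
    atoms = []                                           # (a, b, c): bare list
    while toks[i] != ")":
        atoms.append(toks[i])
        i += 1
    return atoms, i + 1


def _value(toks, i):
    """A value is one atom, or one or more adjacent (...) groups."""
    if toks[i] != "(":
        return toks[i], i + 1
    nodes = []
    while i < len(toks) and toks[i] == "(":
        node, i = _group(toks, i + 1)
        nodes.append(node)
    if len(nodes) == 1 and isinstance(nodes[0], list):   # single bare list
        return nodes[0], i
    return nodes, i


def parse_ora(text):
    """Return the file as [(KEY, value), ...]; nested groups become nested lists."""
    toks = [t for t in _TOKEN.findall(text) if not t.startswith("#")]
    entries, i = [], 0
    while i < len(toks):
        key = toks[i]                                    # every top-level entry is KEY = value
        val, i = _value(toks, i + 2)
        entries.append((key.upper(), val))
    return entries


def find_all(node, key):
    """Depth-first generator over every value stored under KEY."""
    if isinstance(node, tuple):
        if node[0] == key:
            yield node[1]
        yield from find_all(node[1], key)
    elif isinstance(node, list):
        for child in node:
            yield from find_all(child, key)


def audit(listener_ora, protocol_ora=""):
    """Return ({listener: [(proto, endpoint)]}, [finding, ...])."""
    entries = parse_ora(listener_ora)
    scalars = {k: v for k, v in entries if isinstance(v, str)}
    endpoints, findings = {}, []
    for name, val in entries:
        addrs = list(find_all(val, "ADDRESS"))
        if not addrs:                                    # SID_LIST_*, scalars, ...
            continue
        endpoints[name] = []
        for addr in addrs:
            a = dict(addr)                               # (PROTOCOL = ..)(HOST = ..)(PORT = ..)
            proto = a.get("PROTOCOL", "?").upper()
            if proto == "TCP":
                endpoints[name].append(("TCP", "%s:%s" % (a.get("HOST"), a.get("PORT"))))
                if a.get("PORT") in DEFAULT_PORTS:
                    findings.append("%s listens on default TCP port %s" % (name, a["PORT"]))
            else:
                endpoints[name].append((proto, a.get("KEY", "")))
        if int(scalars.get("CONNECT_TIMEOUT_" + name, DEFAULT_CONNECT_TIMEOUT)) == 0:
            findings.append("CONNECT_TIMEOUT_%s = 0: a session that never sends a "
                            "valid connect is held forever" % name)
    if any(p == "TCP" for eps in endpoints.values() for p, _ in eps):
        if str(dict(parse_ora(protocol_ora)).get("TCP.VALIDNODE_CHECKING", "")).lower() != "yes":
            findings.append("TCP.VALIDNODE_CHECKING is off: any host may connect")
    return endpoints, findings


WEAK_LISTENER_ORA = """# constructed sample: 8.0-era listener.ora before the thread's advice
LISTENER =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(Host = kilroy)(Port = 1526))
    (ADDRESS = (PROTOCOL = IPC)(KEY = oracle.world)))
CONNECT_TIMEOUT_LISTENER = 0   # wait forever for a valid connect
"""
HARDENED_LISTENER_ORA = """# constructed sample: the same file after the thread's advice
LISTENER =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(Host = kilroy)(Port = 1619))   # non-default port, assumed
    (ADDRESS = (PROTOCOL = IPC)(KEY = oracle.world)))
CONNECT_TIMEOUT_LISTENER = 10
"""
HARDENED_PROTOCOL_ORA = """# constructed sample protocol.ora
tcp.validnode_checking = yes
tcp.invited_nodes = (10.0.0.5, 10.0.0.6)   # assumed client addresses
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_LISTENER_ORA))
    print("hardened:", audit(HARDENED_LISTENER_ORA, HARDENED_PROTOCOL_ORA))
```

The parser is deliberately loose (keys are upper-cased, values are kept as written) so the same code reads listener.ora, tnsnames.ora and protocol.ora. If you point it at a real installation, remember Jon's note: look for TNS_ADMIN in the registry first, because the files may not be under %ORACLE_HOME%\net8\admin, and any port change has to be mirrored in every client's tnsnames.ora.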


From: Jason Ackley (jason@ACKLEY.NET)
To: BUGTRAQ@netspace.org
Date: Thu, 7 Jan 1999 17:31:13 -0800
Subject: Re: Fw:"NERP" DoS attack possible in Oracle

On Wed, 6 Jan 1999, Paul Schenk wrote:

> In fact, on HP-UX 10.20, Oracle 7.3.3, in listener.log you get:
>
> 06-JAN-99 16:15:45 * 12569
> TNS-12569: TNS:packet checksum failure
>
> And tnslsnr continues happily along at ~0 CPU usage, it even accepts and
>  processes new connections fine.
>
> So its either an Oracle 8/NT thing or a misconfiguration

I sent this to Aleph1, but I guess he was busy, in regards to OS
combinations:

---

From: bruce_redmon@sra.com

I tested this on Sequent Dynix and sure enough it runs the process out of
control.  If it happens on this platform I suspect this can happen on any
platform.

---

From: bcf@jwfc.acom.mil

confirmed on Oracle 8.0.3 on Solaris 2.6 port 1521
confirmed on Oracle 8.0.5 on Solaris 2.6 port 1526

---

From: giblin 

Hello,
        I gave it a try on a Solaris 2.6 ( heavily patched ) and Oracle 8.0.4
        Database CPU utilization climbed and hovered at a high 49.9x% and didn't
        fall below 49.7x%. This is on a UE450 with 2 processors and 1.5GB RAM.
        Oracle required a restart to get it back into previous working
        condition. Hmmm... Nice :)
---


From: Adam vonNieda 

   I've tried the bug on my Linux box, (8.0.5), and it pegged instantly.
I then tried it on one of my IBM SP (8 way) nodes  running AIX 4.3 and
Oracle 8.0.4.2.1, and essentially lost the processor that the listener
is attached to instantly. So, it won't totally dog an SMP machine, but I
wouldn't expect much response from the listener!  Thanks for the info.

---

From: gabriel magee 

I just tried it on NT SP3 (+hotfixes) Oracle 8.0.5.0.0 Production on a
PII/350 with the same results. 100% CPU until you kill the listener.
Could maybe choose a different protocol adapter in the meantime, too...

---


Many thanks to everyone that sent in reports! We still seem to be missing
information for SGI/IRIX, any takers?

cheers,

--
Jason Ackley    jason@ackley.net
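Adam's original post feeds the listener the six bytes a telnet session sends for NERP plus Enter, and Paul Schenk's HP-UX log quoted above shows a 7.3.3 listener rejecting that input as TNS-12569 (packet checksum failure). The script below is an added example, not code from this thread or from Oracle: it decodes the 8-byte TNS packet header every Net8/SQL*Net listener reads first, so you can see what those bytes look like on the wire, and it builds a well-formed CONNECT packet for comparison, which is the way to identify an unknown port as a TNS listener without handing it garbage. The header layout follows the documented TNS format; the numeric fields in the CONNECT body are illustrative; kilroy and 1526 come from the thread and the SID ORCL is assumed. The optional probe_listener function talks to the network and is not used by the offline demo.

```python
"""Decode the 8-byte TNS header a Net8/SQL*Net listener reads first.

Added example, not code from the original thread or from Oracle.  The header
layout (big-endian length, packet checksum, type, reserved byte, header
checksum) is the documented TNS wire format; CONNECT-body values are
illustrative and kilroy/1526/ORCL are taken from or assumed for the thread.
"""
import socket
import struct
import sys

TNS_HEADER_LEN = 8
TNS_TYPES = {1: "CONNECT", 2: "ACCEPT", 3: "ACK", 4: "REFUSE", 5: "REDIRECT",
             6: "DATA", 7: "NULL", 9: "ABORT", 11: "RESEND", 12: "MARKER",
             13: "ATTENTION", 14: "CONTROL"}


def parse_tns_header(data):
    """Interpret the start of `data` as a TNS header, tolerating short reads."""
    info = {"received": len(data), "complete": len(data) >= TNS_HEADER_LEN,
            "length": None, "checksum": None, "type": None, "type_name": None,
            "header_checksum": None}
    if len(data) >= 2:
        info["length"] = struct.unpack(">H", data[0:2])[0]     # total packet length
    if len(data) >= 4:
        info["checksum"] = struct.unpack(">H", data[2:4])[0]   # packet checksum
    if len(data) >= 5:
        info["type"] = data[4]                                  # packet type
        info["type_name"] = TNS_TYPES.get(data[4], "UNKNOWN")
    if len(data) >= 8:
        info["header_checksum"] = struct.unpack(">H", data[6:8])[0]
    return info


def describe(data):
    """One-line summary of what the listener would make of `data`."""
    h = parse_tns_header(data)
    if h["length"] is None:
        return "%d byte(s) received: not even a packet length" % h["received"]
    return ("%d byte(s) received; header %s; claims a %d-byte packet of type %s (%s)"
            % (h["received"], "complete" if h["complete"] else "incomplete",
               h["length"], h["type"], h["type_name"]))


def build_tns_connect(connect_data, version=0x0136, sdu=2048):
    """Build the CONNECT packet a real client sends: 8-byte header, 50-byte
    connect header, then the connect descriptor text."""
    body = connect_data.encode("ascii")
    cd_offset = TNS_HEADER_LEN + 50
    chdr = struct.pack(">HHHHHHHHHHIBB",
                       version,      # protocol version offered (illustrative)
                       0x012C,       # lowest version accepted
                       0x0000,       # service options
                       sdu,          # session data unit size
                       0xFFFF,       # transport data unit size
                       0x7F08,       # NT protocol characteristics (illustrative)
                       0x0000,       # line turnaround value
                       0x0100,       # the value 1, used to detect byte order
                       len(body),    # connect data length
                       cd_offset,    # connect data offset from packet start
                       sdu,          # max receivable connect data
                       0x41, 0x41)   # connect flags 0 and 1
    chdr += b"\x00" * (50 - len(chdr))            # trace ids / padding, unused here
    total = TNS_HEADER_LEN + len(chdr) + len(body)
    hdr = struct.pack(">HHBBH", total, 0, 1, 0, 0)  # len, csum, CONNECT, rsvd, hdr csum
    return hdr + chdr + body


def probe_listener(host, port, timeout=5.0):
    """Send a well-formed CONNECT to host:port and return the parsed reply header.
    Talks to the network; the offline demo below does not call it."""
    desc = ("(DESCRIPTION=(CONNECT_DATA=(SID=ORCL))"
            "(ADDRESS=(PROTOCOL=TCP)(HOST=%s)(PORT=%d)))" % (host, port))
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_tns_connect(desc))
        return parse_tns_header(s.recv(TNS_HEADER_LEN))


if __name__ == "__main__":
    garbage = b"NERP\r\n"     # constructed: what typing NERP + Enter into telnet sends
    print("garbage:", describe(garbage))
    good = build_tns_connect("(DESCRIPTION=(CONNECT_DATA=(SID=ORCL))"
                             "(ADDRESS=(PROTOCOL=TCP)(HOST=kilroy)(PORT=1526)))")
    print("connect:", describe(good))
    if len(sys.argv) == 3:     # optional live check: host port
        print("reply  :", probe_listener(sys.argv[1], int(sys.argv[2])))
```

Run with no arguments for the offline decode: the NERP bytes parse as an incomplete header announcing a 20037-byte packet of an unexpected type, which is why no listener can treat them as a connect request, whatever it then does with them. Given a host and port, the script sends the CONNECT and prints the reply header; a TNS listener answers a CONNECT with ACCEPT, REFUSE or REDIRECT, and anything else on the port is not a Net8 listener.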