redirect the processes, the listener process has
to have some operating system level permission to do what it plans
to do. The hackers use this capability of the listener to mount
Oracle MetaLink has examples of what types of
attack are possible and what has been done to prevent them. The good
news is that applying the listener patches for that particular
attack can prevent all of these known potential attacks.
For instance, one attack sends a large string
to the listener to execute. Upon receiving the string, the listener
can't handle the size of the data coming in and therefore errors out
with a buffer overflow condition. The hacker exploits this to bring
down the listener, to achieve what is known as a Denial of Service
attack. After this vulnerability was discovered, Oracle immediately
released a patch that prevented the listener from accepting strings
of large size, foiling the attacker's strategy of making the buffer
Oracle makes known to the community the
vulnerabilities and the solutions through an alert system. These
alerts can be found at Oracle Technology Network's Security Alerts
(http://otn.oracle.com/deploy/security/alerts.htm), for which you do
not have to be an Oracle customer under support contract. A sample
shot of the website is given in Figure 7.7.
Security Alerts in Oracle Technology Network Website
However, the patches are downloaded from Oracle
MetaLink, for which you need to have a valid Oracle Support
contract. Since these potential holes have been sealed by these
patches, the problems will cease to exist simply by applying the
For this reason, the
security patches must be applied as soon as they are released. If
you have applied them, then the vulnerabilities are no longer
applicable. Therefore, this book does not discuss the details of a
problem that no longer exists. If you are still interested to know
these vulnerabilities are manifested and
resolved, you can visit the webpage to see the details.
We strongly advise you to apply these security
patches, if not the regular patchsets, without testing.
Visit the Oracle security alerts website and
apply the security-related patches as soon as they are available.
Most of the attacks in the listener are
executed either by passing a malicious command to be executed in the
operating system, or by modifying the listener settings. The former
is handled by applying the security patches as suggested by the
alerts. The latter can be handled by securing the listener itself.
Most of the settings in the listener can be set
via the command line, from the LSNRCTL prompt. Hackers use this to
pass a damaging command. For instance, the hacker may send the
command STOP, to stop the listener process. Of course, this does not
damage the database itself, but all the client connections
subsequent to this operation will fail, same as in a Denial of
Service attack. This is as bad as the database being down itself.
Another tactic hackers employ is using the
SERVICES command that shows all the relevant information about the
listener process, the database services it is listening for, the
status of these services, etc. This information may be useful to
launch future attacks and should not be shown in an unauthorized
Both of these potential
vulnerabilities can be resolved simply by placing a password for the
listener. If a
password is set for the listener, any command
other than START, STATUS and HELP will first require a correct
Setting a password for listener is the least
security you should have for the listener. By default, it doesn't
have any password and many DBAs simply do not create one. Part of
the reason is the perceived complexity in specifying and using a
password. Here is an explanation of setting the password of a
When the listener is first created, there is no
password. The password is set by the command from the lsnrctl prompt
This will prompt for the old and new passwords,
and when entered, they are not displayed on the screen. When the
listener is initially created, the password is not set, or null. So,
just press the return key when prompted for the old password.
Once the passwords are changed, you have to
supply the password before doing any administrative work, such as
changing a parameter or stopping the listener. The password is set
by the command SET PASSWORD <password>. For instance, to stop the
listener, you would use the following commands in LSNRCTL utility,
assuming the password is t0p53r3t.
Password: Enter t0p53cr3t here; it will not be displayed.
The command completed successfully
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=PROLIGENCE1)(PORT=1521)))
The command completed successfully
This will make the work of the hacker
impossible unless the password is known.
Download your Oracle scripts now:
definitive Oracle Script collection for every Oracle professional DBA