Reported February 6, 2002, by Next Generation Security Software, LTD.
Oracle 9 and Oracle 8 for Windows 2000 and Windows NT 4.0
A vulnerability exists in Oracle’s Database server versions 8 and 9 for Windows 2000 and Windows NT 4.0. Because no authentication is used when the Procedural Language/Structured Query Language (PL/SQL) runs an external procedure it may be possible for an attacker to connect to the listener/extproc over TCP and call any function that the system has access to. A more detailed explanation is available in the discoverer’s advisory.
Oracle was contacted last summer and is working on a patch to correct this issue. A workaround is to block the TNS Listener port (1521) behind a firewall and remove the PLSExtproc functionality if it is not being used. This can be done by removing the entries located in the files tnsnames.ora and listener.ora.
Discovered by David Litchfield.