OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 1st quarter (Jan-Mar) 1999: Re: Fw:"NERP" DoS attack possible in Oracle

Re: Fw:"NERP" DoS attack possible in Oracle

Pablo Luis Bucich (pbucicMECON.AR)
Mon, 4 Jan 1999 15:18:30 -0300

Hello

        I'v tested that in :

        SQL*Netv2 at HPUX 10.20 with Oracle 7.3.3,
        SQL*Netv2 at HPUX 9.04 with Oracle 7.1.4,

with zero & one SQL*Netv2 sessions opened, and there is no problem. tnslsnr
goes to sleep immediately when the telnet connection has closed.
Can be some previous load/resource problem ? Or OS-dependant ?

On Mon, 28 Dec 1998, Adam Maloney wrote:

> This was my original posting to NTBugtraq back in August.
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>                   Adam Maloney
>             Systems  Administrator
>                 Internet  Exposure
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> -----Original Message-----
> From: Adam Maloney <adamiexposure.com>
> To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>
> Date: Thursday, August 27, 1998 12:27 PM
> Subject: "NERP" DoS attack possible in Oracle
>
>
> >NERP DoS attack for Oracle
> >
> >About two weeks ago I noticed that my NT machine was listening on port
> 1526.
> >I did not recognize this port number as a WKS, and it was not listed in
> NT's
> >services file, so I becamse suspicious.  For lack of a better way, I
> >telnetted to the port to try and find out what it was:
> >
> >telnet localhost 1526
> >Connected to kilroy.intexp.com on port 1526
> >NERP
> >
> >Disconnected from kilroy.intexp.com
> >
> >As soon as I disconnected, my CPU usage jumped to 100%.  Upon looking at
> >Taskman, I saw that a process named tnslsnr80.exe was the culprit.  I could
> >not kill the process, and after waiting for about 5 minutes for it to go
> >away, I was forced to reboot my machine.
> >
> SNIP ...
> >
> >I am not 100% sure that this attack can be reproduced on anyone elses
> >systems.  I can reproduce it on my test machine, but all of the people that
> >I had contacted, asking to try the exploit out have not gotten back to me
> at
> >all.
> >
> >BTW, a few people have asked me if NERP is significant...it is not, typing
> >any random garbage is sufficient.  The NERP was just a sporadic random
> >thought.
> >

============================================================================
 Ministerio de Economia y Obras y Servicios Publicos
 Secretaria de Hacienda                    Tel    : +54 1 349-6110
 Pablo Luis Bucich                         Fax    : +54 1 349-6505
 Buenos Aires, Argentina                   e-mail : pbucicmecon.ar
----------------------------------------------------------------------------
Windows 95: n. 32 bit extensions and a graphical shell for a 16 bit patch
            to an 8 bit operating system originally coded for a 4 bit
            microprocessor, written by a 2 bit company that can't stand
                        1 bit of competition.

"Winners don't use Windows" -- Windows: Just Say No