|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
"NERP" DoS attack possible in Oracle
- To: NTBUGTRAQ
LISTSERV.NTBUGTRAQ.COM - Subject: "NERP" DoS attack possible in Oracle
- From: Adam Maloney <adamiexposure.com>
- Date: Thu, 27 Aug 1998 09:40:45 -0500
- Reply-To: Adam Maloney <adamiexposure.com>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>
NERP DoS attack for Oracle
About two weeks ago I noticed that my NT machine was listening on port 1526.
I did not recognize this port number as a WKS, and it was not listed in NT's
services file, so I becamse suspicious. For lack of a better way, I
telnetted to the port to try and find out what it was:
telnet localhost 1526
Connected to kilroy.intexp.com on port 1526
NERP
Disconnected from kilroy.intexp.com
As soon as I disconnected, my CPU usage jumped to 100%. Upon looking at
Taskman, I saw that a process named tnslsnr80.exe was the culprit. I could
not kill the process, and after waiting for about 5 minutes for it to go
away, I was forced to reboot my machine.
When my machine came back up, I did a search for tnslsnr80.exe, and found it
in the Oracle directory. Apparently this program listens for connections on
port 1526 (port 1521 may be vulnerable as well), and is not expecting a mere
user to telnet to it and feed it garbage.
I contacted Oracle two weeks ago, first via their web comments page, and
then again via e-mail, and they never acknowledged or responded. It is my
belief that you can bring an NT machine down to it's knees if it is running
Oracle.
System Tested:
NT4.0 SP3 + post SP3 patches
Oracle 8
P-Pro 200, 128MB RAM
I am not 100% sure that this attack can be reproduced on anyone elses
systems. I can reproduce it on my test machine, but all of the people that
I had contacted, asking to try the exploit out have not gotten back to me at
all.
A possible workaround would be to change the port that Oracle listens on to
something random (so that the script kiddies have to hunt for it at least).
I forget where, but I thought I saw a config file that allows you to specify
which port.
BTW, a few people have asked me if NERP is significant...it is not, typing
any random garbage is sufficient. The NERP was just a sporadic random
thought.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Adam Maloney
Systems Administrator
Internet Exposure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Prev by Date: Msproxy LAT
- Next by Date: Re: Directory names with dots
- Prev by thread: Re: Msproxy LAT
- Next by thread: Re: "NERP" DoS attack possible in Oracle
- Index(es):