"NERP" DoS attack possible in Oracle

  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: "NERP" DoS attack possible in Oracle
  • From: Adam Maloney <adamiexposure.com>
  • Date: Thu, 27 Aug 1998 09:40:45 -0500
  • Reply-To: Adam Maloney <adamiexposure.com>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

NERP DoS attack for Oracle

About two weeks ago I noticed that my NT machine was listening on port 1526.
I did not recognize this port number as a WKS, and it was not listed in NT's
services file, so I became suspicious.  For lack of a better way, I
telnetted to the port to try and find out what it was:

telnet localhost 1526
Connected to kilroy.intexp.com on port 1526
NERP

Disconnected from kilroy.intexp.com

As soon as I disconnected, my CPU usage jumped to 100%.  Upon looking at
Taskman, I saw that a process named tnslsnr80.exe was the culprit.  I could
not kill the process, and after waiting for about 5 minutes for it to go
away, I was forced to reboot my machine.

When my machine came back up, I did a search for tnslsnr80.exe, and found it
in the Oracle directory.  Apparently this program listens for connections on
port 1526 (port 1521 may be vulnerable as well), and is not expecting a mere
user to telnet to it and feed it garbage.

I contacted Oracle two weeks ago, first via their web comments page, and
then again via e-mail, and they never acknowledged or responded.  It is my
belief that you can bring an NT machine down to its knees if it is running
Oracle.

System Tested:
NT4.0 SP3 + post SP3 patches
Oracle 8
P-Pro 200, 128MB RAM

I am not 100% sure that this attack can be reproduced on anyone else's
systems.  I can reproduce it on my test machine, but all of the people that
I had contacted, asking to try the exploit out have not gotten back to me at
all.

A possible workaround would be to change the port that Oracle listens on to
something random (so that the script kiddies have to hunt for it at least).
I forget where, but I thought I saw a config file that allows you to specify
which port.

BTW, a few people have asked me if NERP is significant...it is not, typing
any random garbage is sufficient.  The NERP was just a sporadic random
thought.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                  Adam Maloney
            Systems  Administrator
                Internet  Exposure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
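
Added example, not part of the original post: a small audit for the workaround mentioned above, listing the TCP endpoints a listener configuration declares and reporting those still on the two ports the post names (1521, 1526). It assumes the config file is Oracle's listener.ora with its usual parenthesised ADDRESS syntax, which the post does not state; the sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample in listener.ora syntax (assumption: not taken from the post).
SAMPLE_LISTENER_ORA = """\
# constructed example
LISTENER =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = IPC)(KEY = oracle.world))
    (ADDRESS = (PROTOCOL = TCP)(HOST = kilroy.intexp.com)(PORT = 1521))
    (ADDRESS = (PROTOCOL = TCP)(HOST = kilroy.intexp.com)(PORT = 1526))
    (ADDRESS = (PROTOCOL = TCP)(HOST = 127.0.0.1)(PORT = 41526))
  )
"""

PORTS_FROM_POST = {1521, 1526}  # the two ports the post mentions


def address_blocks(text):
    """Yield the body of every balanced (ADDRESS = ...) group."""
    text = re.sub(r"#.*", "", text)  # drop comments to end of line
    for m in re.finditer(r"\(\s*ADDRESS\s*=", text, re.I):
        depth = 0
        for i in range(m.start(), len(text)):
            depth += (text[i] == "(") - (text[i] == ")")
            if depth == 0:  # matching close paren found
                yield text[m.end():i]
                break
        # an unbalanced group falls through and is skipped


def tcp_endpoints(text):
    """Return [(host, port)] for every TCP address the file declares."""
    endpoints = []
    for block in address_blocks(text):
        pairs = re.findall(r"\(\s*(\w+)\s*=\s*([^()]+?)\s*\)", block)
        kv = {k.upper(): v for k, v in pairs}
        if kv.get("PROTOCOL", "").upper() == "TCP" and kv.get("PORT", "").isdigit():
            endpoints.append((kv.get("HOST", ""), int(kv["PORT"])))
    return endpoints


def audit(text):
    """Return the TCP endpoints still bound to a port named in the post."""
    return [(h, p) for h, p in tcp_endpoints(text) if p in PORTS_FROM_POST]


if __name__ == "__main__":
    for host, port in audit(SAMPLE_LISTENER_ORA):
        print(f"{host}:{port} is on a port named in the post")
```

As the post itself says, moving the port only makes the listener harder to find; an endpoint that drops off this report is still reachable by anyone who locates the new port.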