OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NGSSoftware Insight Security Research (nisrngssoftware.com)
Date: Wed Jun 12 2002 - 09:07:14 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    NGSSoftware Insight Security Research Advisory

    Name: Oracle TNS Listener Buffer Overflow
    Systems: Windows and VM running all versions of Oracle 9i Database
    Severity: High Risk
    Category: Remote Buffer Overrun Vulnerability
    Vendor URL: http://www.oracle.com/
    Author: David Litchfield (davidngssoftware.com)
    Advisory URL: http://www.ngssoftware.com/advisories/oratns.txt
    Date: 12th June 2002
    Advisory number: #NISR12062002A
    (VNA reference : http://www.nextgenss.com/vna/ora-lsnr.txt )

    Description
    ***********
    The Oracle Net Listener contains a remotely exploitable buffer overrun
    vulnerability that can allow an attacker to gain complete control of a
    machine running the Oracle 9i Database.

    Details
    *******
    The Listener 'listens' on TCP port 1521 for client request to use the
    database. On receiving a request the client is passed off to an instance of
    the database. The request, packaged in a valid TNS packet is of the form

    (DESCRIPTION=(ADDRESS=
    (PROTOCOL=TCP)(HOST=x.x.x.x)
    (PORT=1521))(CONNECT_DATA=
    (SERVICE_NAME=myorcl.ngssoftware.com)
    (CID=
    (PROGRAM=X:\\ORACLE\\iSuites\\BIN\\SQLPLUSW.EXE)
    (HOST=foo)(USER=bar))))

    By supplying an overly long SERVICE_NAME parameter, when forming an error
    message to be written to the log file, a saved return address on the stack
    is overwritten thus gaining control over the processes execution. Any code
    supplied by the attacker will run, by default, in the context of the Local
    SYSTEM account on Windows platforms and as such is a high risk
    vulnerability. Because the overflow occurs before the error message is
    actually written to the log file it may be difficult to detect if an attack
    has occured. Customers are advised to patch this as soon as is possible.

    Fix Information
    ***************
    NGSSoftware alerted Oracle to this problem on the 13th of May and Oracle
    have now released patches which are available from the Metalink site. The
    patch number is 2367681.

    A check for this vulnerability has been added to Typhon II, NGSSoftware's
    vulnerability assessment scanner, of which, more information is available
    from the NGSSite, http://www.ngssoftware.com/