From: NGSSoftware Insight Security Research (nisr@ngssoftware.com)
Date: Wed Jun 12 2002 - 09:10:12 CDT

    NGSSoftware Insight Security Research Advisory

    Name: Oracle 9iAS Reports Server
    Systems: All
    Severity: High Risk
    Category: Remote Buffer Overrun Vulnerability
    Vendor URL: http://www.oracle.com/
    Author: David Litchfield (david@ngssoftware.com)
    Advisory URL: http://www.ngssoftware.com/advisories/orarep.txt
    Date: 12th June 2002
    Advisory number: #NISR12062002B
    (VNA Reference: http://www.nextgenss.com/vna/ora-reports.txt )

    Oracle's Report Server contains a remotely exploitable buffer overrun
    vulnerability in one of its CGI based programs.

    By supplying an overly long database name parameter to rwcgi60 with the
    setauth method, a remote attacker can overwrite a saved return address on
    the stack, gaining control over the process's execution.

    Any exploit code supplied by the attacker will run in the security context
    of the account the web server is running as. Normally, on platforms running
    a Unix variant, the account has limited privileges; however, on Windows-based
    systems the web server, by default, runs in the context of the local SYSTEM

    Fix Information
    NGSSoftware alerted Oracle to this problem on December the 17th 2001 and
    Oracle have now released patches which are available from the Metalink site.
    The patch number is 2356680.
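
For administrators reviewing web server logs while the patch is rolled out, the following is an added example (not part of the NGSSoftware advisory and not Oracle code) that flags rwcgi60 setauth requests carrying an unusually long parameter. The URL prefix, the parameter name `db`, the 256-byte threshold and the log lines are constructed assumptions; only the strings `rwcgi60` and `setauth` come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: set this to the longest legitimate value seen in your own logs.
MAX_VALUE_LEN = 256

# Request field of a Common/Combined Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def oversized_setauth_params(line, limit=MAX_VALUE_LEN):
    """Return [(name, length)] for over-long query parameters in a rwcgi60
    setauth request, or [] if the line is not such a request."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = m.group("target")
    parts = urlsplit(target)
    if "rwcgi60" not in parts.path.lower() or "setauth" not in target.lower():
        return []
    hits = []
    # latin-1 maps each percent-decoded byte to one character, so len() is
    # the byte count the CGI program receives after URL decoding.
    for name, value in parse_qsl(parts.query, keep_blank_values=True,
                                 encoding="latin-1"):
        longest = max(len(name), len(value))  # a bare token has no "="
        if longest > limit:
            hits.append((name[:32], longest))
    return hits


def scan(lines, limit=MAX_VALUE_LEN):
    """Return [(line_number, hits)] for every suspicious line (1-based)."""
    found = []
    for number, line in enumerate(lines, start=1):
        hits = oversized_setauth_params(line, limit)
        if hits:
            found.append((number, hits))
    return found


# Constructed sample log lines; the path prefix and "db" are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2002:09:10:12 -0500] "GET /cgi-bin/rwcgi60/setauth?db=orcl HTTP/1.0" 200 512',
    '192.0.2.77 - - [12/Jun/2002:09:11:40 -0500] "GET /cgi-bin/rwcgi60/setauth?db=' + "x" * 1200 + ' HTTP/1.0" 500 0',
    '192.0.2.10 - - [12/Jun/2002:09:12:03 -0500] "GET /index.html?q=' + "y" * 1200 + ' HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: over-long parameter(s) {hits}")
```

Access logs record only the request line, so parameters sent in a POST body are not visible to this check.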