From: Rapid 7 Security Advisories (advisory_at_rapid7.com)
Date: Wed Oct 09 2002 - 14:01:55 CDT



                         Rapid 7, Inc. Security Advisory

            Visit http://www.rapid7.com/ to download NeXpose(tm), our
             advanced vulnerability scanner. Linux and Windows 2000
                           versions are available now!

    Rapid 7 Advisory R7-0006
    Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service

       Published: October 9, 2002
       Revision: 1.0

       Oracle: Oracle Security Alert #42

       CVE: CAN-2002-1118

       Bugtraq: 5678

    1. Affected system(s):

        o Oracle 9i Release 2 (9.2.x)
        o Oracle 9i Release 1 (9.0.x)
        o Oracle 8i (8.1.x)

       Apparently NOT VULNERABLE:
        o Oracle 8.0.x (but see below)

    2. Summary

       The Oracle TNS Listener is susceptible to a denial of service attack
       when issued the SERVICE_CURLOAD command.

    3. Vendor status and information

       Oracle, Inc.

          Oracle was notified of this vulnerability and has made patches
          available. This issue is being tracked as bug #2540219 in
          the Oracle bug database.

    4. Solution

       Download and apply the vendor-supplied patches. Please see Oracle
       Security Alert #42 for more information:


       Please note that patches for some versions and platforms are not
       yet available.

    5. Detailed analysis

       Connecting to the Oracle TNS listener (usually on port 1521) and
       issuing the command "(CONNECT_DATA=(COMMAND=SERVICE_CURLOAD))"
       causes the Oracle server to respond with a message indicating
       successful execution. However, once the caller closes the
       connection, the listener service stops responding. The effects
       of this DoS vary depending on how long the attacker keeps the
       original connection open. If the caller keeps the listener
       connection open while new connections are serviced, the listener
       service will be disabled and may crash with an access violation.
       If the caller closes the listener connection before other requests
       are serviced, the listener service will refuse to accept new

       We were unable to reproduce this issue on Oracle 8.0.6. Version
       8.0.6 of Oracle logs a result of 0 (success) in listener.log.
       However, the response to the caller contains error code 12629260,
       which appears to be a non-standard error code. This may also be
       the result of an exceptional condition, but we were unable to crash
       or disable the listener in our testing.
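
       A log check for the command described above, as an added example
       (not part of the Rapid 7 advisory). It assumes listener.log entries
       are " * "-separated fields that start with a timestamp and end with
       a numeric result code; the sample log lines are constructed.

```python
import re

# TNS connect descriptors are case-insensitive and tolerate whitespace
# around '=' and parentheses, so match loosely.
CURLOAD = re.compile(r"\(\s*COMMAND\s*=\s*SERVICE_CURLOAD\s*\)", re.IGNORECASE)

def find_curload(lines):
    """Return one record per log entry that carries COMMAND=SERVICE_CURLOAD."""
    entries = [ln.strip() for ln in lines if ln.strip()]
    hits = []
    for idx, entry in enumerate(entries):
        if not CURLOAD.search(entry):
            continue
        # Assumed layout: timestamp * connect data * ... * result code
        fields = [f.strip() for f in entry.split(" * ")]
        code = fields[-1] if fields[-1].lstrip("-").isdigit() else None
        hits.append({
            "timestamp": fields[0],
            "return_code": code,
            # Nothing logged afterwards is consistent with a listener that
            # stopped responding once the caller disconnected.
            "entries_after": len(entries) - idx - 1,
            "raw": entry,
        })
    return hits

# Constructed sample log (hosts, users and addresses are made up).
SAMPLE_LOG = """\
09-OCT-2002 13:58:02 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=db1)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)) * status * 0
09-OCT-2002 13:59:40 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=app)(HOST=web1)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=40112)) * establish * ORCL * 0
09-OCT-2002 14:01:55 * (CONNECT_DATA=(COMMAND=SERVICE_CURLOAD)) * service_curload * 0
"""

if __name__ == "__main__":
    for hit in find_curload(SAMPLE_LOG.splitlines()):
        print(hit["timestamp"], "rc=%s" % hit["return_code"],
              "entries_after=%d" % hit["entries_after"])
```

       A result code of 0 on such an entry does not mean the listener is
       healthy, since the advisory notes that the command reports success.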

    6. Contact Information

       Rapid 7 Security Advisories
       Email: advisory@rapid7.com
       Web: http://www.rapid7.com/
       Phone: +1 (212) 558-8700

    7. Disclaimer and Copyright

       Rapid 7, Inc. is not responsible for the misuse of the information
       provided in our security advisories. These advisories are a service
       to the professional security community. There are NO WARRANTIES
       with regard to this information. Any application or distribution of
       this information constitutes acceptance AS IS, at the user's own
       risk. This information is subject to change without notice.

       This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is
       hereby granted to redistribute this advisory, providing that no
       changes are made and that the copyright notices and disclaimers
       remain intact.
