OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: Mon Nov 04 2002 - 11:48:17 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    NGSSoftware Insight Security Research Advisory

    Name: Oracle iSQL*Plus buffer overflow
    Systems: Oracle Database 9i R1,2 on all operating systems
    Severity: High Risk
    Vendor URL: http://www.oracle.com/
    Author: David Litchfield (davidngssoftware.com)
    Advisory URL: http://www.ngssoftware.com/advisories/ora-isqlplus.txt
    Date: 4th November 2002
    Advisory number: #NISR04112002

    Description
    ***********
    Oracle iSQL*Plus is a web based application that allows users to query the
    database. It is installed with Oracle 9 database server and runs on top of
    apache. The iSQL*Plus module is vulnerable to a classic buffer overflow
    vulnerability.

    Details
    *******
    The iSQL*Plus web application requires users to log in. After accessing the
    default url, "/isqlplus" a user is presented with a log in screen. By
    sending the web server an overly long user ID parameter, an internal buffer
    is overflow on the stack and the saved return address is overwritten. This
    can allow an attacker to run arbitrary code in the security context of the
    web server. On most systems this will be the "oracle" user and on Windows
    the "SYSTEM" user. Once the web server has been compromised attackers may
    then use it as a staging platform to launch attacks against the database
    server itself.

    Fix Information
    ***************
    NGSSoftware alerted Oracle to this problem on the 18th of October and
    Oracle, last week, issued an alert. The Oracle bug number assigned to this
    issue is 2581911. Patches can be downloaded from the Oracle Metalink site
    http://metalink.oracle.com/.