
ora-lsnr.txt

Posted Jun 13, 2002
Authored by David Litchfield | Site ngssoftware.com

The Oracle TNS Listener version 9i contains a buffer overflow vulnerability which can be exploited over tcp port 1521 to gain remote SYSTEM / root access. By supplying an overly long SERVICE_NAME parameter an attacker can execute code before any logging is done.

tags | remote, overflow, root, tcp
SHA-256 | 09848a3033d275f59cf4d5ef91914e928a9a4fc43a64f46b30fa0e2a771e35d4

NGSSoftware Insight Security Research Advisory

Name: Oracle TNS Listener Buffer Overflow
Systems: Windows and VM running all versions of Oracle 9i Database
Severity: High Risk
Category: Remote Buffer Overrun Vulnerability
Vendor URL: http://www.oracle.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/oratns.txt
Date: 12th June 2002
Advisory number: #NISR12062002A
(VNA reference: http://www.nextgenss.com/vna/ora-lsnr.txt)

Description
***********
The Oracle Net Listener contains a remotely exploitable buffer overrun
vulnerability that can allow an attacker to gain complete control of a
machine running the Oracle 9i Database.

Details
*******
The Listener 'listens' on TCP port 1521 for client requests to use the
database. On receiving a request, the client is passed off to an instance of
the database. The request, packaged in a valid TNS packet, is of the form

(DESCRIPTION=(ADDRESS=
(PROTOCOL=TCP)(HOST=x.x.x.x)
(PORT=1521))(CONNECT_DATA=
(SERVICE_NAME=myorcl.ngssoftware.com)
(CID=
(PROGRAM=X:\\ORACLE\\iSuites\\BIN\\SQLPLUSW.EXE)
(HOST=foo)(USER=bar))))

By supplying an overly long SERVICE_NAME parameter, a saved return address on
the stack is overwritten while the Listener forms the error message to be
written to the log file, thus gaining control over the process's execution.
Any code supplied by the attacker will run, by default, in the context of the
Local SYSTEM account on Windows platforms, and as such this is a high risk
vulnerability. Because the overflow occurs before the error message is
actually written to the log file, it may be difficult to detect whether an
attack has occurred. Customers are advised to patch this as soon as possible.
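Because the overflow happens before anything reaches the listener log, the connect descriptor itself is the artifact a defender can inspect. As an added example that is not part of the advisory, the following Python parses the nested (KEY=VALUE) form shown above and flags a SERVICE_NAME longer than an assumed limit, which is the condition the advisory describes; the sample descriptors and the 64-byte threshold are constructed for this example.

```python
# Added example, not the advisory's own code: parse the connect descriptor from
# a TNS CONNECT packet and flag an over-long SERVICE_NAME before the listener
# would format it into a log message. MAX_SERVICE_NAME is an assumed limit.
import re
MAX_SERVICE_NAME = 64

def parse_descriptor(text):
    """Parse nested (KEY=VALUE) pairs into a (key, value) tuple tree."""
    text = re.sub(r"\s*([()=])\s*", r"\1", text)  # drop layout whitespace
    pos = 0
    def parse_node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        eq = text.index("=", pos)
        key = text[pos + 1:eq]
        pos = eq + 1
        if text[pos] == "(":          # container: list of nested pairs
            value = []
            while text[pos] == "(":
                value.append(parse_node())
        else:                         # leaf: string up to the closing ')'
            end = text.index(")", pos)
            value = text[pos:end]
            pos = end
        pos += 1                      # consume ')'
        return key, value
    return parse_node()

def find_values(node, wanted):
    """Yield every leaf string stored under key `wanted`, at any depth."""
    key, value = node
    if isinstance(value, str):
        if key == wanted:
            yield value
    else:
        for child in value:
            yield from find_values(child, wanted)

def check_connect_data(text, limit=MAX_SERVICE_NAME):
    """Return (suspicious, longest SERVICE_NAME length) for one descriptor."""
    names = find_values(parse_descriptor(text), "SERVICE_NAME")
    longest = max((len(v) for v in names), default=0)
    return longest > limit, longest

# Constructed samples: the benign shape from the advisory, and an over-long one.
BENIGN = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.0.1)(PORT=1521))"
          "(CONNECT_DATA=(SERVICE_NAME=myorcl.ngssoftware.com)"
          "(CID=(PROGRAM=sqlplus)(HOST=foo)(USER=bar))))")
OVERLONG = BENIGN.replace("myorcl.ngssoftware.com", "A" * 300)
```

Run over captured CONNECT payloads, the check reports the benign descriptor as clean and the over-long one as suspicious, which is a signal the listener log itself cannot provide for this bug.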


Fix Information
***************
NGSSoftware alerted Oracle to this problem on the 13th of May and Oracle
have now released patches which are available from the Metalink site. The
patch number is 2367681.

A check for this vulnerability has been added to Typhon II, NGSSoftware's
vulnerability assessment scanner; more information on it is available from
the NGSSite, http://www.ngssoftware.com/