-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid 7, Inc. Security Advisory

        Visit http://www.rapid7.com/ to download NeXpose(tm), our
         advanced vulnerability scanner. Linux and Windows 2000
                       versions are available now!
_______________________________________________________________________

Rapid 7 Advisory R7-0006
Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service

   Published:  October 9, 2002
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0006.txt

   Oracle:     Oracle Security Alert #42
   http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf

   CVE:        CAN-2002-1118
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1118

   Bugtraq:    5678
   http://online.securityfocus.com/bid/5678

1. Affected system(s):

   KNOWN VULNERABLE:
    o Oracle 9i Release 2 (9.2.x)
    o Oracle 9i Release 1 (9.0.x)
    o Oracle 8i (8.1.x)

   Apparently NOT VULNERABLE:
    o Oracle 8.0.x (but see below)

2. Summary

   The Oracle TNS Listener is susceptible to a denial of service attack
   when issued the SERVICE_CURLOAD command.

3. Vendor status and information

   Oracle, Inc.
   http://www.oracle.com

      Oracle was notified of this vulnerability and has made patches
      available.  This issue is being tracked as bug #2540219 in
      the Oracle bug database.

4. Solution

   Download and apply the vendor-supplied patches.  Please see Oracle
   Security Alert #42 for more information:

         http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf

   Please note that patches for some versions and platforms are not
   yet available.

5. Detailed analysis

   Connecting to the Oracle TNS listener (usually on port 1521) and
   issuing the command "(CONNECT_DATA=(COMMAND=SERVICE_CURLOAD))"
   causes the Oracle server to respond with a message indicating
   successful execution.  However, once the caller closes the
   connection, the listener service stops responding.  The effects
   of this DoS vary depending on how long the attacker keeps the
   original connection open.  If the caller keeps the listener
   connection open while new connections are serviced, the listener
   service will be disabled and may crash with an access violation.
   If the caller closes the listener connection before other requests
   are serviced, the listener service will refuse to accept new
   connections.

   We were unable to reproduce this issue on Oracle 8.0.6.  Version
   8.0.6 of Oracle logs a result of 0 (success) in listener.log.
   However, the response to the caller contains error code 12629260,
   which appears to be a non-standard error code.  This may also be
   the result of an exceptional condition, but we were unable to crash
   or disable the listener in our testing.

6. Contact Information

   Rapid 7 Security Advisories
   Email:   advisory@rapid7.com
   Web:     http://www.rapid7.com/
   Phone:   +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid 7, Inc. is not responsible for the misuse of the information
   provided in our security advisories. These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information. Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9pHLTcL76DCfug6wRAn7CAJ4u7Stu8xhHJJ0KdIxzyWomq8s+OwCgpvEJ
xkPC6WztYXEmd1hekDYgLPA=
=n2ee
-----END PGP SIGNATURE-----