NGSSoftware Insight Security Research Advisory

Name: Oracle 9iAS Reports Server
Systems: All
Severity: High Risk
Category: Remote Buffer Overrun Vulnerability
Vendor URL: http://www.oracle.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/orarep.txt
Date: 12th June 2002
Advisory number: #NISR12062002B
(VNA Reference: http://www.nextgenss.com/vna/ora-reports.txt)

Description
***********
Oracle's Report Server contains a remotely exploitable buffer overrun vulnerability in one of its CGI-based programs.

Details
*******
By supplying an overly long database name parameter to rwcgi60 with the setauth method, a remote attacker can overwrite a saved return address on the stack, gaining control over the process's execution. Any exploit code supplied by the attacker will run in the security context of the account the web server is running as. Normally, on platforms running a Unix variant, the account has limited privileges; however, on Windows-based systems the web server, by default, runs in the context of the local SYSTEM account.

Fix Information
***************
NGSSoftware alerted Oracle to this problem on December the 17th 2001 and Oracle have now released patches which are available from the Metalink site. The patch number is 2356680.
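For hosts still awaiting the patch, web server access logs can be searched for rwcgi60 setauth requests that carry an unusually long component. The sketch below is an added example, not part of the NGSSoftware advisory or Oracle's code. The length threshold, the Common Log Format input, the URL layout and the parameter name `db` in the sample lines are all constructed assumptions, not Oracle's documented request format.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: no legitimate path segment or parameter is this long; tune per site.
MAX_COMPONENT_LEN = 256

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def longest_component(target):
    """Length of the longest URL-decoded path segment, parameter name or value."""
    parts = urlsplit(target)
    # Split on raw delimiters first, then decode, so %2F or %26 cannot hide a long run.
    tokens = re.split(r"[/&+=;]", parts.path + "&" + parts.query)
    return max(len(unquote(t)) for t in tokens)

def scan(lines, limit=MAX_COMPONENT_LEN):
    """Yield (line_number, client, length) for oversized rwcgi60 setauth requests."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        decoded = unquote(target).lower()
        if "rwcgi60" not in decoded or "setauth" not in decoded:
            continue
        length = longest_component(target)
        if length > limit:
            yield n, line.split(" ", 1)[0], length

# Constructed sample log lines (documentation addresses, placeholder URL layout).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2002:10:01:02 +0000] '
    '"GET /cgi-bin/rwcgi60/setauth?db=orcl HTTP/1.0" 200 512',
    '192.0.2.77 - - [12/Jun/2002:10:03:44 +0000] '
    '"GET /cgi-bin/rwcgi60/setauth?db=' + "A" * 2000 + ' HTTP/1.0" 500 0',
    '192.0.2.10 - - [12/Jun/2002:10:05:09 +0000] '
    '"GET /index.html?q=' + "B" * 2000 + ' HTTP/1.0" 200 90',
    '192.0.2.78 - - [12/Jun/2002:10:07:31 +0000] '
    '"GET /cgi-bin/RWCGI60/SetAuth?db=' + "%41" * 900 + ' HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: client %s sent a %d-byte component" % hit)
```

Access logs record only the request line, so parameters sent in a POST body are not visible to this check.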