Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
RE: Do not connect Oracle DB to the Internet. Oracle Alert #59
On Windows servers you don't need Oracle to exploit buffer overflows and
execute code on the operating system.
Why try and find an unlocked window (no pun here) when the front door is
wide open?
At 07:44 AM 10/23/2003, you wrote:
>I find it more interesting that the problem doesn't apply to Windows
>servers... ;)
>
>-----Original Message-----
>From: ml-errors_at_fatcity.com [mailto:ml-errors_at_fatcity.com]On Behalf Of
>tjambu_fatcity_at_yahoo.com.au
>Sent: 23 October 2003 14:25
>To: Multiple recipients of list ORACLE-L
>Subject: Do not connect Oracle DB to the Internet. Oracle Alert #59
>
>Important: Please read the following Oracle Alert.
>
>We strongly recommend that you do not connect the Oracle Database
>directly to the Internet.
>
>Got your attention? That is what is in the Alert. These alerts are beginning
>to come all too often. Sounds just like Microsoft's software, yeah?
>
>Buffer Overflow in Oracle Database Server Binaries
>This is with the Oracle kernel/binary itself ie 'oracle' or 'oracleO' file
>in $ORACLE_HOME/bin.
>
>
>Description
>A potential buffer overflow has been discovered in the “oracle” and
>“oracleO” (the letter O) binaries
>of the Oracle Database. A knowledgeable and malicious local user can
>exploit this buffer overflow
>to execute code on the operating system hosting the Oracle Database server.
>Products Affected
>· Oracle 9i Database Release 2, Version 9.2.x
>· Oracle 9i Database Release 1, Version 9.0.x
>Platforms Affected
>All supported UNIX and Linux operating system variants.
>
>
>Patch only available for Linux right now.
>
>So who found out this vulnerability? David Litchfield? Aaron Newman?
>I know it is a bit silly to ask but does anyone know how
>to exploit this vulnerability? Send it to me directly if you don't want to
>reply publicly
>
>ta
>tony
Wolfgang Breitling
Oracle7, 8, 8i, 9i OCP DBA
Centrex Consulting Corporation
http://www.centrexcc.com
--
Author: Wolfgang Breitling
INET: breitliw_at_centrexcc.com
Received on Thu Oct 23 2003 - 09:29:26 CDT