Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Oracle :: ciacm037.txt

Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module




Privacy and Legal Notice

[CIAC] INFORMATION BULLETIN

M-037: Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module

[NGSSoftware Insight Security Research Advisory - NISR06022002B]

February 7, 2002 18:00 GMT
  ------------------------------------------------------------------------
 PROBLEM:           There are multiple buffer overflows in the PL/SQL
                    module for Oracle Application Server running on Apache
                    web servers that allow the execution of arbitary code.
 PLATFORM:          Oracle 9iAS running on:
                    Sun SPARC Solaris 2.6
                    MS Windows NT/2000 Server
                    HP-UX 11.0/32-bit
 DAMAGE:            An unauthenticated remote attacker may cause a
                    denial-of-service or execute arbitrary code on the
                    system with the privileges of the Apache process. The
                    Apache service typically runs with SYSTEM privileges
                    on Windows NT and Windows 2000, if exploited the
                    attacker may gain complete control of the system.
 SOLUTION:          Apply the patch as indicated below. The patch can be
                    downloaded at Metalink site
                    (http://metalink.oracle.com).
  ------------------------------------------------------------------------
 VULNERABILITY      The risk is HIGH. Exploiting these vulnerabilities may
 ASSESSMENT:        allow an attacker complete control of the system.
  ------------------------------------------------------------------------

 LINKS:
   CIAC BULLETIN:          http://www.ciac.org/ciac/bulletins/m-037.shtml
   ORIGINAL BULLETIN:      http://www.nextgenss.com/advisories/plsql.txt
   PATCHES:                http://metalink.oracle.com
  ------------------------------------------------------------------------

[***** Start NGSSoftware Insight Security Research Advisory - NISR06022002B *****]

NGSSoftware Insight Security Research Advisory

Name:                   Oracle PL/SQL Apache Module
Systems Affected:       Oracle 9iAS
Platforms:              Sun SPARC Solaris 2.6
                        MS Windows NT/2000 Server
                        HP-UX 11.0/32-bit
Severity:               High Risk
Vendor URL:             http://www.oracle.com/
Author:                 David Litchfield (david@nextgenss.com)
Date:                   6th February 2002
Advisory number:        #NISR06022002B
Advisory URL:           http://www.nextgenss.com/advisories/oraplsbos.txt

Issue
*****
There are multiple buffer overflows in the PL/SQL module for Oracle
Application Server running on Apache web servers that allow the execution
of arbitary code. A non-overflow DoS also exists.

Description
***********
The web service with Oracle 9iAS is powered by Apache and provides many
application environments with which to offer services from the site. These
include SOAP, PL/SQL, XSQL and JSP. There are multiple buffer overrun
vulnerabilities in the PL/SQL Apache module that allow the execution
of arbitrary code.

Details
*******
The PL/SQL module exists to allow remote users to call procedures exported
by a PL/SQL package stored in the database server. This module can be
overflowed by making an overly long request to the plsql module; An overly
long password set in the Authorization HTTP client header; An overly long
cache directory name in the cache form; Setting an overly long password
in the adddad form;

Some of these attacks require that attacker know the name of the adminPath
whereas others do not.

All allow the execution of arbitrary code. On Windows NT/2000 systems
the Oracle Apache web server by default runs in the context of the local
SYSTEM account so any code will run with full privileges.

A further problem also exists whereby a request made to the pls module with
an HTTP client Authorization header set but with no auth type will cause
the server to access violate. The server needs to be restarted after an
attack.

Fix Information
***************
NGSSoftware alerted Oracle to these problems between December 2001 and
early January 2002. Oracle has produced a patch to fix these problems
and can be downloaded from the Metalink site (http://metalink.oracle.com)

[***** End NGSSoftware Insight Security Research Advisory - NISR06022002B *****]

  ------------------------------------------------------------------------
CIAC wishes to acknowledge the contributions of NGSSoftware Company for the
information contained in this bulletin.
  ------------------------------------------------------------------------
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can
be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

  ------------------------------------------------------------------------
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
  ------------------------------------------------------------------------
UCRL-MI-119788
[Privacy and Legal Notice]


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH