
Oracle remote buffer overflow



6th Feb 2002 [SBWID-5073]
COMMAND

	Oracle remote buffer overflow

SYSTEMS AFFECTED

	Oracle 9iAS
	Tested on: Sun SPARC Solaris 2.6, MS Windows NT/2000 Server, HP-UX 11.0/32-bit

	

PROBLEM

	In David Litchfield's [http://www.nextgenss.com] advisory
	[#NISR06022002B]:
	

	There are multiple buffer overflows in the PL/SQL module for Oracle
	Application Server running on Apache web servers that allow the
	execution of arbitrary code. A non-overflow DoS also exists.
	

	 Description

	 ***********

	

	The web service with Oracle 9iAS is powered by Apache and provides many
	application environments with which to offer services from the site.
	These include SOAP, PL/SQL, XSQL and JSP. There are multiple buffer
	overrun vulnerabilities in the PL/SQL Apache module that allow the
	execution of arbitrary code.
	

	 Details

	 *******

	

	The PL/SQL module exists to allow remote users to call procedures
	exported by a PL/SQL package stored in the database server. This module
	can be overflowed by:

	 - making an overly long request to the plsql module;
	 - an overly long password set in the Authorization HTTP client header;
	 - an overly long cache directory name in the cache form;
	 - setting an overly long password in the adddad form.
	

	Some of these attacks require that the attacker know the name of the
	adminPath whereas others do not.
	

	All allow the execution of arbitrary code. On Windows NT/2000 systems
	the Oracle Apache web server by default runs in the context of the
	local SYSTEM account so any code will run with full privileges.
	

	

	A further problem also exists whereby a request made to the pls module
	with an HTTP client Authorization header set but with no auth type will
	cause the server to access violate. The server needs to be restarted
	after an attack.
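
	For defenders, a screening check for the request conditions described above (overly long request, overly long Authorization password, Authorization header with no auth type). This is an added example, not code from the advisory or from Oracle; the /pls/ path prefix, the length limits, the finding names and the sample path are assumptions to be tuned per deployment.

```python
import base64

# Assumptions, not from the advisory: the module is served under /pls/ and
# these length limits fit the site. Tune both to the deployment.
PLSQL_PREFIX = "/pls/"
MAX_URI_LEN = 1024
MAX_PASSWORD_LEN = 128

def inspect_request(raw: bytes) -> list:
    """Return findings for one raw HTTP request aimed at the PL/SQL module."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2 or not parts[1].lower().startswith(PLSQL_PREFIX):
        return []
    findings = []
    if len(parts[1]) > MAX_URI_LEN:
        findings.append("long-request")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, creds = value.strip().partition(" ")
        creds = creds.strip()
        if not creds:
            # Header lacks the "<type> <credentials>" pair (covers "no auth type").
            findings.append("auth-incomplete")
        elif scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(creds, validate=True)
            except ValueError:
                findings.append("auth-malformed")
                continue
            if len(decoded.partition(b":")[2]) > MAX_PASSWORD_LEN:
                findings.append("long-auth-password")
    return findings

def sample_request(path, auth=None):
    """Build a constructed sample request (not captured traffic)."""
    head = f"GET {path} HTTP/1.0\r\nHost: example.test\r\n"
    if auth is not None:
        head += f"Authorization: {auth}\r\n"
    return (head + "\r\n").encode("latin-1")

if __name__ == "__main__":
    ok = "Basic " + base64.b64encode(b"user:secret").decode()
    big = "Basic " + base64.b64encode(b"user:" + b"A" * 500).decode()
    for auth in (ok, big, "dXNlcjpzZWNyZXQ=", ""):
        print(repr(auth[:20]), inspect_request(sample_request("/pls/dad/pkg.proc", auth)))
```

	The same function can be called from a reverse proxy hook or run over captured request heads; it is a stopgap for triage and does not replace the vendor patch.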

SOLUTION

	NGSSoftware alerted Oracle to these problems between December 2001 and
	early January 2002. Oracle has produced a patch to fix these problems;
	it can be downloaded from the Metalink site:
	

	http://metalink.oracle.com

	

