
Oracle TNS listener DoS
11th Oct 2002 [SBWID-5741]


	                     Rapid 7, Inc. Security Advisory





	 Rapid 7 Advisory R7-0006
	 Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service

	   Published:  October 9, 2002
	   Revision:   1.0
	   Oracle:     Oracle Security Alert #42
	   CVE:        CAN-2002-1118
	   Bugtraq:    5678


	1. Affected system(s):

	    o Oracle 9i Release 2 (9.2.x)
	    o Oracle 9i Release 1 (9.0.x)
	    o Oracle 8i (8.1.x)

	   Apparently NOT VULNERABLE:
	    o Oracle 8.0.x (but see below)


	2. Summary
	   The Oracle TNS Listener is susceptible to a denial of service attack
	   when issued the SERVICE_CURLOAD command.


	3. Vendor status and information
	   Oracle, Inc.

	      Oracle was notified of this vulnerability and has made patches
	      available.  This issue is being tracked as bug #2540219 in
	      the Oracle bug database.


	4. Solution
	   Download and apply the vendor-supplied patches.  Please see Oracle
	   Security Alert #42 for more information:

	   Please note that patches for some versions and platforms are not
	   yet available.


	5. Detailed analysis
	   Connecting to the Oracle TNS listener (usually on port 1521) and
	   issuing the command "(CONNECT_DATA=(COMMAND=SERVICE_CURLOAD))"
	   causes the Oracle server to respond with a message indicating
	   successful execution.  However, once the caller closes the
	   connection, the listener service stops responding.  The effects
	   of this DoS vary depending on how long the attacker keeps the
	   original connection open.  If the caller keeps the listener
	   connection open while new connections are serviced, the listener
	   service will be disabled and may crash with an access violation.
	   If the caller closes the listener connection before other requests
	   are serviced, the listener service will refuse to accept new

	   We were unable to reproduce this issue on Oracle 8.0.6.  Version
	   8.0.6 of Oracle logs a result of 0 (success) in listener.log.
	   However, the response to the caller contains error code 12629260,
	   which appears to be a non-standard error code.  This may also be
	   the result of an exceptional condition, but we were unable to crash
	   or disable the listener in our testing.
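
An added detection example, not part of the Rapid 7 advisory: it scans listener.log text for entries whose connect data carries COMMAND=SERVICE_CURLOAD, the command named in the analysis above. The log layout, the sample lines and the names parse_tns, dig and find_curload are assumptions made for this example.

```python
# Constructed sample lines (not from a real system). Assumed layout:
#   timestamp * connect data [* protocol info] * event [* sid] * return code
SAMPLE_LOG = """\
09-OCT-2002 10:01:12 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=scott))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=32771)) * establish * ORCL * 0
09-OCT-2002 10:02:40 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=db01)(USER=oracle))(COMMAND=status)(SERVICE=LISTENER)) * status * 0
09-OCT-2002 10:03:05 * (CONNECT_DATA=(COMMAND=SERVICE_CURLOAD)) * service_curload * 0
09-OCT-2002 10:03:09 * (connect_data=(command = service_curload)) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.77)(PORT=4410)) * service_curload * 0
"""

def parse_tns(text):
    """Parse a parenthesised TNS descriptor into nested dicts (keys upper-cased)."""
    pos = 0
    def node():
        nonlocal pos
        out = {}
        while pos < len(text) and text[pos] == "(":
            eq = text.index("=", pos)            # ValueError if malformed
            key = text[pos + 1:eq].strip().upper()
            pos = eq + 1
            while pos < len(text) and text[pos].isspace():
                pos += 1
            if text[pos:pos + 1] == "(":         # nested list of pairs
                out[key] = node()
            else:                                # leaf value, may be empty
                end = text.index(")", pos)
                out[key] = text[pos:end].strip()
                pos = end
            pos += 1                             # step over the closing ")"
        return out
    return node()

def dig(tree, *keys):
    """Walk nested dicts, returning None when a level is missing or a leaf."""
    for k in keys:
        tree = tree.get(k) if isinstance(tree, dict) else None
    return tree

def find_curload(log_text):
    """Return one record per log entry whose COMMAND is SERVICE_CURLOAD."""
    hits = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(" * ")]
        try:
            cmd = dig(parse_tns(parts[1]), "CONNECT_DATA", "COMMAND")
            src = dig(parse_tns(parts[2]), "ADDRESS", "HOST")
        except (ValueError, IndexError):
            continue                             # malformed or short entry, skip
        if isinstance(cmd, str) and cmd.upper() == "SERVICE_CURLOAD":
            hits.append({"time": parts[0], "source": src, "result": parts[-1]})
    return hits
```

find_curload(SAMPLE_LOG) returns the two SERVICE_CURLOAD entries; the source field is None when the entry has no protocol-info field.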


	6. Contact Information
	   Rapid 7 Security Advisories

	   Phone:   +1 (212) 558-8700


	7. Disclaimer and Copyright
	   Rapid 7, Inc. is not responsible for the misuse of the information
	   provided in our security advisories. These advisories are a service
	   to the professional security community.  There are NO WARRANTIES
	   with regard to this information. Any application or distribution of
	   this information constitutes acceptance AS IS, at the user's own
	   risk.  This information is subject to change without notice.

	   This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is
	   hereby granted to redistribute this advisory, providing that no
	   changes are made and that the copyright notices and disclaimers
	   remain intact.


