Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Oracle :: orac5741.htm

Oracle TNS listener DoS



11th Oct 2002 [SBWID-5741]
COMMAND

	Oracle TNS listener DoS

SYSTEMS AFFECTED

	 o Oracle 9i Release 2 (9.2.x)

	 o Oracle 9i Release 1 (9.0.x)

	 o Oracle 8i (8.1.x)

PROBLEM

	 _______________________________________________________________________

	                     Rapid 7, Inc. Security Advisory

	

	        Visit http://www.rapid7.com/ to download NeXpose(tm), our

	         advanced vulnerability scanner. Linux and Windows 2000

	                       versions are available now!

	 _______________________________________________________________________

	

	 Rapid 7 Advisory R7-0006

	 Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service

	

	   Published:  October 9, 2002

	   Revision:   1.0

	   http://www.rapid7.com/advisories/R7-0006.txt

	

	   Oracle:     Oracle Security Alert #42

	   http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf

	

	   CVE:        CAN-2002-1118

	   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1118

	

	   Bugtraq:    5678

	   http://online.securityfocus.com/bid/5678

	

	1. Affected system(s):
	

	   KNOWN VULNERABLE:

	    o Oracle 9i Release 2 (9.2.x)

	    o Oracle 9i Release 1 (9.0.x)

	    o Oracle 8i (8.1.x)

	

	   Apparently NOT VULNERABLE:

	    o Oracle 8.0.x (but see below)

	

	2. Summary
	

	   The Oracle TNS Listener is susceptible to a denial of service attack

	   when issued the SERVICE_CURLOAD command.

	

	3. Vendor status and information
	

	   Oracle, Inc.

	   http://www.oracle.com

	

	      Oracle was notified of this vulnerability and has made patches

	      available.  This issue is being tracked as bug #2540219 in

	      the Oracle bug database.

	

	4. Solution
	

	   Download and apply the vendor-supplied patches.  Please see Oracle

	   Security Alert #42 for more information:

	

	         http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf

	

	   Please note that patches for some versions and platforms are not

	   yet available.

	

	5. Detailed analysis
	 

	   Connecting to the Oracle TNS listener (usually on port 1521) and

	   issuing the command "(CONNECT_DATA=(COMMAND=SERVICE_CURLOAD))"

	   causes the Oracle server to respond with a message indicating

	   successful execution.  However, once the caller closes the

	   connection, the listener service stops responding.  The effects

	   of this DoS vary depending on how long the attacker keeps the

	   original connection open.  If the caller keeps the listener

	   connection open while new connections are serviced, the listener

	   service will be disabled and may crash with an access violation.

	   If the caller closes the listener connection before other requests

	   are serviced, the listener service will refuse to accept new

	   connections.

	

	   We were unable to reproduce this issue on Oracle 8.0.6.  Version

	   8.0.6 of Oracle logs a result of 0 (success) in listener.log.

	   However, the response to the caller contains error code 12629260,

	   which appears to be a non-standard error code.  This may also be

	   the result of an exceptional condition, but we were unable to crash

	   or disable the listener in our testing.

	

	6. Contact Information
	

	   Rapid 7 Security Advisories

	   Email:   advisory@rapid7.com

	   Web:     http://www.rapid7.com/

	   Phone:   +1 (212) 558-8700

	

	7. Disclaimer and Copyright
	

	   Rapid 7, Inc. is not responsible for the misuse of the information

	   provided in our security advisories. These advisories are a service

	   to the professional security community.  There are NO WARRANTIES

	   with regard to this information. Any application or distribution of

	   this information constitutes acceptance AS IS, at the user's own

	   risk.  This information is subject to change without notice.

	

	   This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is

	   hereby granted to redistribute this advisory, providing that no

	   changes are made and that the copyright notices and disclaimers

	   remain intact.

	

	-----BEGIN PGP SIGNATURE-----

	Version: GnuPG v1.0.7 (OpenBSD)

	

	iD8DBQE9pHLTcL76DCfug6wRAn7CAJ4u7Stu8xhHJJ0KdIxzyWomq8s+OwCgpvEJ

	xkPC6WztYXEmd1hekDYgLPA=

	=n2ee

	-----END PGP SIGNATURE-----

	

SOLUTION

	See above


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH