Oracle extproc buffer overflow (#NISR23122004A)

From: NGSSoftware Insight Security Research (nisr_at_NEXTGENSS.COM)
Date: 12/23/04

  • Next message: NGSSoftware Insight Security Research: "Oracle extproc directory traversal (#NISR23122004B)"
    Date:         Thu, 23 Dec 2004 16:32:09 -0000

    NGSSoftware Insight Security Research Advisory

    Name: Oracle 10g extproc buffer overflow
    Systems Affected: Oracle 10g on all operating systems
    Severity: High Risk
    Vendor URL:
    Author: David Litchfield [ davidl at ]
    Relates to:
    Date of Public Advisory: 23rd December 2004
    Advisory number: #NISR23122004A
    Advisory URL:

    The Oracle database server supports PL/SQL, a programming language. PL/SQL
    can execute external procedures via extproc. Over the past few years there
    has been a number of vulnerabilities in this area:

    Extproc has been found to suffer from another buffer overflow vulnerability.

    Oracle 10g imposes a length limit on the library name to be loaded by
    extproc. However, this length limit can be evaded by passing environment
    variables as part of the library name. Later on the environment variable is
    expanded allowing the buffer overflow to be exploited. For example '$PATH'
    is 5 characters long; this passes the length check. However, when expanded
    '$PATH' becomes many more characters.
    Exploitation depends upon the system setup but by trial and error a balance
    can be found allowing arbitrary code to be executed. No user ID or password
    is required to exploit this vulnerability.

    Fix Information
    A patch (#68) was released for this problem by Oracle. See for more details. NGSSQuirreL for Oracle
    (, can be used to assess whether
    your Oracle servers are vulnerable to this.

    About NGSSoftware
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting, offers best of breed security consulting
    services, specialising in application, host and network security

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    Editor's Note: The 43rd Most Powerful Person in Networking says...
    Register today to take the TruSecure ICSA exam by 12/31/04  at
    <> ,  use promo code "CT1204" and you will pay just
    $221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
    for international delivery.
    Visit <>  for complete details regarding the
    TICSA credential and to take the free sample exam.

  • Next message: NGSSoftware Insight Security Research: "Oracle extproc directory traversal (#NISR23122004B)"