[NEWS] Buffer Overflow Vulnerability in Oracle's "Unbreakable" 9iAS

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 24 Dec 2001 22:12:19 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Buffer Overflow Vulnerability in Oracle's "Unbreakable" 9iAS
------------------------------------------------------------------------

SUMMARY

Oracle 9iAS's web tier is Apache, extended with modules that expose several
application environments: SOAP, PL/SQL, XSQL and JSP. Two security issues
exist in the PL/SQL module (mod_plsql): a buffer overrun and a directory
traversal. The directory traversal affects only Windows NT/2000.

DETAILS

Vulnerable systems:
Oracle version 9iAS

The PL/SQL module exists to allow remote users to call procedures exported
by a PL/SQL package stored in the database server. As part of the
functionality offered by the PL/SQL module it is possible to remotely
administer the Database Access Descriptors and from here access help
pages.

Normally, access to the /admin_/ pages is restricted: a user ID and password
are required. The help pages under /admin_/ are exempt from that check, and a
buffer-overrun vulnerability exists in the module: a request for an overly
long help-page name overflows a stack buffer and overwrites the saved return
address. An attacker who overwrites that saved return address with the
address of a "call ESP" or "jmp ESP" instruction redirects execution into the
user-supplied buffer, so any machine code placed there runs. Because the help
pages require no credentials, the overflow is reachable without
authenticating.
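The bug class described above, as an added example that is not Oracle's mod_plsql code (which is not public) and not from the advisory's authors: a handler that copies the help-page name from the request path into a fixed stack buffer with strcpy(), beside a hardened form that measures and rejects before copying. The buffer size HELP_NAME_MAX, the path prefix, the function names and the frame-offset arithmetic are assumptions made for the illustration.

```c
/* Added example modelling the bug class described above; it is not Oracle's
 * mod_plsql source (which is not public). Buffer size, path layout and the
 * frame offsets are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HELP_NAME_MAX 64           /* assumed size of the stack buffer */
#define HELP_PREFIX   "/admin_/help/"

/* Return a pointer to the help-page name that follows HELP_PREFIX in a
 * request path such as "/pls/dad/admin_/help/index.htm", or NULL. */
static const char *help_name_from_path(const char *path)
{
    const char *p = strstr(path, HELP_PREFIX);
    return p ? p + strlen(HELP_PREFIX) : NULL;
}

/* VULNERABLE form: strcpy() into a fixed stack buffer with no bound.
 * A name of HELP_NAME_MAX bytes or more runs past 'name' and, on a classic
 * 32-bit x86 frame, over the saved EBP and the saved return address.
 * Only ever call it with short input; it is here to show the pattern. */
int vulnerable_help_handler(const char *path)
{
    char name[HELP_NAME_MAX];
    const char *n = help_name_from_path(path);
    if (n == NULL)
        return -1;                 /* not a help request */
    strcpy(name, n);               /* the overflow */
    return (int)strlen(name);
}

/* HARDENED form: measure first, reject anything that would not fit, and
 * only then copy. Rejecting (rather than silently truncating with strncpy)
 * also keeps the over-long request visible to logging and detection. */
int hardened_help_handler(const char *path)
{
    char name[HELP_NAME_MAX];
    const char *n = help_name_from_path(path);
    if (n == NULL)
        return -1;
    size_t len = strlen(n);
    if (len >= sizeof name)
        return -2;                 /* would overflow: refuse the request */
    memcpy(name, n, len + 1);      /* fits, including the terminator */
    return (int)len;
}

/* Idealised offset at which the overflowing bytes reach the saved return
 * address on a 32-bit x86 frame with no other locals, no padding and no
 * stack cookie: the buffer, then the 4-byte saved EBP. Real frames differ;
 * a tester finds the true offset with a pattern string under a debugger. */
size_t assumed_return_address_offset(void)
{
    return HELP_NAME_MAX + 4;
}

/* Build a probe request whose help-page name is 'len' bytes of 'A', the
 * way a tester would check the bound. Caller frees the result. */
char *make_probe_request(size_t len)
{
    const char *head = "/pls/dad" HELP_PREFIX;
    char *req = malloc(strlen(head) + len + 1);
    if (req == NULL)
        return NULL;
    strcpy(req, head);
    memset(req + strlen(head), 'A', len);
    req[strlen(head) + len] = '\0';
    return req;
}

int main(void)
{
    char *ok  = make_probe_request(10);
    char *big = make_probe_request(512);
    printf("10-byte name: vulnerable=%d hardened=%d\n",
           vulnerable_help_handler(ok), hardened_help_handler(ok));
    /* Never pass 'big' to vulnerable_help_handler(): undefined behaviour. */
    printf("512-byte name: hardened=%d (rejected)\n",
           hardened_help_handler(big));
    free(ok);
    free(big);
    return 0;
}
```

Compile with a C99 compiler. The stand-alone main() feeds both handlers a short name and only the hardened handler a 512-byte name, since passing the long name to the vulnerable handler is undefined behaviour rather than a demonstration. The rejection value (-2) is what the server should surface in its error log: over-long requests against /admin_/help/ are the signature of this attack and worth alerting on even after the patch is applied.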

On Windows NT/2000 the Apache process runs in the security context of the
SYSTEM account by default, so injected code executes without restriction and
an attacker could gain complete control of the system remotely. Running the
service under a dedicated low-privilege account limits what a successful
overflow can do, but does not remove the vulnerability.

The second issue is a double URL-decoding problem: a specially crafted
request for a "help" file whose traversal sequence is encoded twice (for
example %252e%252e for "..") passes the module's path check after the first
decode and only becomes ".." on the second, allowing an attacker to read
files outside the web root. This issue affects only Windows NT/2000.
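A model of the double-decoding ordering, as an added example that is not part of the original advisory or Oracle's code: the same decoder run twice around a traversal check, beside a version that decodes once, checks the decoded path and refuses anything still encoded. The decoder, the check, the function names and the sample request aimed at winnt\win.ini are constructed for the illustration.

```c
/* Added example of the double URL-decoding bug class; a model, not Oracle's
 * mod_plsql code. The decode/check ordering and the sample requests are
 * assumptions made for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes exactly once from src into dst. Returns 0 on success,
 * -1 on a malformed escape or if dst is too small. */
int url_decode_once(char *dst, size_t dstsz, const char *src)
{
    size_t o = 0;
    for (const char *s = src; *s; s++) {
        int c = (unsigned char)*s;
        if (c == '%') {
            int h = hexval((unsigned char)s[1]);
            int l = h < 0 ? -1 : hexval((unsigned char)s[2]);
            if (h < 0 || l < 0) return -1;
            c = h * 16 + l;
            s += 2;
        }
        if (o + 1 >= dstsz) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Traversal check: any ".." path segment, with '/' or '\' as the separator
 * (the issue is Windows-only, where both are separators). */
int has_dotdot_segment(const char *path)
{
    const char *seg = path;
    for (;;) {
        const char *end = seg + strcspn(seg, "/\\");
        size_t n = (size_t)(end - seg);
        if (n == 2 && seg[0] == '.' && seg[1] == '.') return 1;
        if (*end == '\0') return 0;
        seg = end + 1;
    }
}

/* VULNERABLE ordering: decode, check, then decode AGAIN before use, so
 * "%252e%252e" passes the check as "%2e%2e" and is used as "..".
 * Returns 1 if served (final path in out), 0 if rejected, -1 on bad input. */
int vulnerable_resolve(const char *req, char *out, size_t outsz)
{
    char once[256];
    if (url_decode_once(once, sizeof once, req) < 0) return -1;
    if (has_dotdot_segment(once)) return 0;             /* the only check */
    if (url_decode_once(out, outsz, once) < 0) return -1; /* second decode */
    return 1;
}

/* HARDENED ordering: decode exactly once, check the fully decoded path, and
 * refuse anything that still contains '%' so a later layer cannot decode
 * it a second time. */
int hardened_resolve(const char *req, char *out, size_t outsz)
{
    if (url_decode_once(out, outsz, req) < 0) return -1;
    if (has_dotdot_segment(out)) return 0;
    if (strchr(out, '%') != NULL) return 0;             /* still encoded */
    return 1;
}

int main(void)
{
    /* Constructed sample: a double-encoded traversal toward winnt\win.ini */
    const char *req = "%252e%252e/%252e%252e/winnt/win.ini";
    char out[256];
    int v = vulnerable_resolve(req, out, sizeof out);
    printf("vulnerable: served=%d path=%s\n", v, v == 1 ? out : "-");
    int h = hardened_resolve(req, out, sizeof out);
    printf("hardened:   served=%d\n", h);
    return 0;
}
```

The single-encoded form (%2e%2e) is caught by both versions; only the double-encoded request separates them, which is also the probe to use when checking whether a patched server still decodes twice.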

Fix information:
NGSSoftware alerted Oracle to these problems on 18 November 2001; Oracle
responded quickly with a patch. The patch has been available from the
Metalink site (http://metalink.oracle.com) for over a week, and both Oracle
and NGSSoftware urge Oracle 9iAS customers to download and install it if
they have not already done so. Oracle's advisory on this issue can be found
at http://otn.oracle.com/deploy/security/pdf/modplsql.pdf.

In addition to applying the patch, it is suggested that the default "/admin_"
path be changed to something else. To do so, edit the wdbsvr.app file in
$ORACLE_HOME/Apache/modplsql/cfg (%ORACLE_HOME%\Apache\modplsql\cfg on
Windows) and change the "adminPath" entry. Note that this only moves the
administration pages; the overflow and the traversal are in the module
itself, so it is not a substitute for the patch.

ADDITIONAL INFORMATION

The information has been provided by David Litchfield
<david@nextgenss.com>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


