[NEWS] Oracle Reports Server Buffer Overflow

From: support@securiteam.com
Date: 06/13/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 13 Jun 2002 07:38:17 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Oracle Reports Server Buffer Overflow
------------------------------------------------------------------------

SUMMARY

Oracle's Report Server contains a remotely exploitable buffer overrun
vulnerability in one of its CGI based programs.

DETAILS

Vulnerable systems:
 * Oracle 9iAS

By supplying an overly long database name parameter to the rwcgi60 with
the setauth method, a remote attacker can overwrite a saved return address
on the stack, gaining control over the processes execution.

Any exploit code supplied by the attacker will run in the security context
of account the web server is running as. Normally on platforms running a
UNIX variant the account has limited privileges; However, on Windows based
system the web server, by default, runs in the context of the local SYSTEM
account.

Fix Information:
NGSSoftware alerted Oracle to this problem on December the 17th 2001 and
Oracle have now released patches which are available from the Metalink
site. The patch number is 2356680.

ADDITIONAL INFORMATION

The information has been provided by <mailto:nisr@ngssoftware.com>
NGSSoftware Insight Security Research.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [NEWS] Oracle TNS Listener Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The Oracle Net Listener contains a remotely exploitable buffer overrun ... The Listener 'listens' on TCP port 1521 for client request to use the ...
    (Securiteam)
  • [NEWS] JSP Translation File Access under Oracle 9iAS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... include SOAP, PL/SQL, XSQL, and JSP. ... Oracle was informed of these issues on 17 December. ...
    (Securiteam)
  • [NEWS] SpiDynamics WebInspect Keeps Track of Its Users (Trial License)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WebInspect, S.P.I. Dynamic's premier product, is a network-based web ... We make no effort to hide that this remote authentication is done. ...
    (Securiteam)
  • [NT] DoS and Directory Traversal Vulnerabilities in WebServer 4 Everyone
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... requests and to allow attackers to download files that reside the outside ...
    (Securiteam)
  • [UNIX] Multiple Security Issues in Geeklog (XSS, SQL Inject)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... the vulnerabilities would allow a remote attacker to ... SQL Injection: ...
    (Securiteam)