[NEWS] Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service

From: support@securiteam.com
Date: 10/15/02


From: support@securiteam.com
To: list@securiteam.com
Date: 15 Oct 2002 04:05:25 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service
------------------------------------------------------------------------

SUMMARY

The Oracle TNS Listener is susceptible to a denial of service attack when
issued the SERVICE_CURLOAD command.

DETAILS

Vulnerable systems:
 * Oracle 9i Release 2 (9.2.x)
 * Oracle 9i Release 1 (9.0.x)
 * Oracle 8i (8.1.x)

Immune systems:
 * Oracle 8.0.x (but see below)

Detailed analysis:
Connecting to the Oracle TNS listener (usually on port 1521) and issuing
the command "(CONNECT_DATA=(COMMAND=SERVICE_CURLOAD))" causes the Oracle
server to respond with a message indicating successful execution. However,
once the caller closes the connection, the listener service stops
responding. The effects of this DoS vary depending on how long the
attacker keeps the original connection open. If the caller keeps the
listener connection open while new connections are serviced, the listener
service will be disabled and may crash with an access violation. If the
caller closes the listener connection before other requests are serviced,
the listener service will refuse to accept new connections.

Rapid7 were unable to reproduce this issue on Oracle 8.0.6. Version 8.0.6
of Oracle logs a result of 0 (success) in listener.log. However, the
response to the caller contains error code 12629260, which appears to be a
non-standard error code. This may also be the result of an exceptional
condition, but we were unable to crash or disable the listener in our
testing.
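Because the listener reports the command as successful, listener.log is one place a defender can look for it. The following Python sketch is an added example, not part of the Rapid7 advisory or any Oracle tooling: it scans log lines for SERVICE_CURLOAD requests. The " * "-separated field layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption (not from the advisory): listener.log entries are " * "-separated:
#   TIMESTAMP * CONNECT_DATA [* PROTOCOL_INFO] * EVENT [* SID] * RETURN_CODE
COMMAND_RE = re.compile(r"\(COMMAND\s*=\s*([^()\s]+)\s*\)", re.IGNORECASE)
ADDR_HOST_RE = re.compile(r"\(ADDRESS=.*?\(HOST\s*=\s*([^()\s]+)\)", re.IGNORECASE)
TIMESTAMP_RE = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}$")

# Constructed sample lines (hosts, times and values are made up).
SAMPLE_LOG = """\
Started with pid=2148
14-OCT-2002 22:01:07 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=db01)(USER=oracle))(COMMAND=status)(SERVICE=LISTENER)) * status * 0
14-OCT-2002 22:03:41 * (CONNECT_DATA=(COMMAND=SERVICE_CURLOAD)) * service_curload * 0
14-OCT-2002 22:03:55 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=web))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=3312)) * establish * ORCL * 0
"""

def parse_entry(line):
    """Parse one log line; return None for banners and other non-entry lines."""
    fields = [f.strip() for f in line.strip().split(" * ")]
    if len(fields) < 3 or not TIMESTAMP_RE.match(fields[0]):
        return None
    connect_data = next(
        (f for f in fields[1:] if f.upper().startswith("(CONNECT_DATA")), None)
    if connect_data is None:
        return None
    cmd = COMMAND_RE.search(connect_data)   # listener command, if any
    addr = ADDR_HOST_RE.search(line)        # peer address, when logged
    rc = fields[-1]
    return {
        "time": fields[0],
        "command": cmd.group(1).upper() if cmd else None,
        "peer": addr.group(1) if addr else None,
        "return_code": int(rc) if rc.isdigit() else None,
    }

def find_curload(lines):
    """Return every parsed entry whose listener command is SERVICE_CURLOAD."""
    hits = []
    for line in lines:
        entry = parse_entry(line)
        if entry and entry["command"] == "SERVICE_CURLOAD":
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for hit in find_curload(SAMPLE_LOG.splitlines()):
        print("SERVICE_CURLOAD seen:", hit)
```

A hit with return code 0 still warrants attention, since the advisory notes that the listener reports successful execution before it stops responding.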

Vendor status and information:
Oracle was notified of this vulnerability and has made patches available.
This issue is being tracked as bug #2540219 in the Oracle bug database.

Solution:
Download and apply the vendor-supplied patches. Please see Oracle Security
Alert #42 for more information:
http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf

Please note that patches for some versions and platforms are not yet
available.

ADDITIONAL INFORMATION

The original advisory can be downloaded from:
http://www.rapid7.com/advisories/R7-0006.txt

The information has been provided by Rapid 7 Security Advisories
<advisory@rapid7.com>.
