[NEWS] Oracle TZ_OFFSET Remote System Buffer Overrun
From: support@securiteam.com
Date: 02/17/03
- Previous message: support@securiteam.com: "[NEWS] Lotus Domino Web Server iNotes Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: 17 Feb 2003 22:18:05 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Oracle TZ_OFFSET Remote System Buffer Overrun
------------------------------------------------------------------------
SUMMARY
Oracle's database server contains functions for use within queries. The
TZ_OFFSET function returns the time zone offset corresponding to the value
entered based on the date the statement was executed. For example:
SELECT TZ_OFFSET('US/Eastern') FROM DUAL;
Would return the time zone offset value of -04:00. The TZ_OFFSET()
function contains a remotely exploitable buffer overflow vulnerability.
DETAILS
Vulnerable systems:
* All platforms; Oracle9i Database Release 2, 9i Release 1, 8i, 8.1.7,
8.0.6
There exists a remotely exploitable buffer overflow vulnerability in the
TZ_OFFSET function. By supplying a long string of characters for the time
zone name, an attacker can overwrite a saved return address on the stack
of Oracle process. Before this issue can be exploited an attacker must be
able to log on to the database server with a valid user ID and password,
but as the TO_TIMESTAMP_TZ() function can be executed by PUBLIC by default
any user of the system can gain control. Any arbitrary code supplied by an
attacker would execute with the same privileges as the user running the
service; this account is typically "Oracle" on Linux/UNIX based platforms
and Local System on Windows based operating systems such as NT/2000/XP. As
such, this allows for a complete compromise of the data stored in the
database and possibly a complete compromise of the operating system.
Fix Information:
NGSSoftware alerted Oracle to this vulnerability on 30 September 2002.
Oracle has developed a patch that is available from
<http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf>
http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
ADDITIONAL INFORMATION
The information has been provided by <mailto:nisr@nextgenss.com>
NGSSoftware Insight Security Research.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Next message: support@securiteam.com: "[NEWS] Oracle9i Application Server Format String Vulnerability"
- Previous message: support@securiteam.com: "[NEWS] Lotus Domino Web Server iNotes Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
