[NEWS] Oracle Unauthenticated Remote System Compromise

From: support@securiteam.com
Date: 02/17/03

  • Next message: support@securiteam.com: "[NT] Mulitple Vulnerabilities Found in BisonFTP (DoS, Directory Traversal @)" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 17 Feb 2003 22:09:52 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Oracle Unauthenticated Remote System Compromise
    ------------------------------------------------------------------------

    SUMMARY

    Oracle is the leader in the database market with a 54% market share lead
    under ERP (Enterprise Resource Planning). The database server is
    vulnerable to a remotely exploitable buffer overflow vulnerability. What
    exacerbates this problem is that no valid User ID or password is required
    by an attacker.

    DETAILS

    Vulnerable systems:
     * All platforms; Oracle9i Database Release 2, 9i Release 1, 8i, 8.1.7,
    8.0.6

    There is a remotely exploitable buffer overflow vulnerability in the
    authentication process with the Oracle Database Server. By supplying an
    overly long username when attempting to log onto the database server an
    attacker can overflow a stack based buffer overwriting the saved return
    address. Any arbitrary code supplied by an attacker would execute with the
    same privileges as the user running the service; this account is typically
    "Oracle" on Linux/UNIX based platforms and Local System on Windows based
    operating systems such as NT/2000/XP. As such this allows for a complete
    compromise of the data stored in the database and possibly a complete
    compromise of the operating system. As most client applications for Oracle
    will truncate the length of the username that can be supplied to the
    database an attacker would need to write their own Oracle "Authenticator"
    to exploit this issue. That said, NGSSoftware has found one client
    application that will allow longer usernames so to test if you are
    vulnerable to this issue, use the LOADPSP utility usually found in "bin"
    directory found under the OracleHomeInstallDirectory. On Windows, for
    example, run:

    C:\ora9ias\BIN>loadpsp -name -user LONGUSERNAME/tiger@iasdb myfile

    Fix Information:
    NGSSoftware alerted Oracle to this vulnerability on 30 September 2002.
    Oracle has reviewed the code and created a patch that is available from:
     <http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf>
    http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf

    NGSSoftware advise Oracle database customers to review and install the
    patch as a matter of urgency.

    It is further recommend that Oracle DBAs have their network/firewall
    administrators ensure that the database server is protected from Internet
    sourced traffic.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:nisr@nextgenss.com>
    NGSSoftware Insight Security Research.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

    Relevant Pages