[NEWS] ORACLE bfilename Function Buffer Overflow Vulnerability
From: support@securiteam.com
Date: 02/17/03
- Previous message: support@securiteam.com: "[UNIX] CGI SAPI Security Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: 17 Feb 2003 22:38:42 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
ORACLE bfilename Function Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
Oracle's database server contains functions for use within queries. The
bfilename() function returns a BFILE locator to a binary large object
stored in the database. A vulnerability in the functions allows a remote
attacker to overflow an internal buffer causing it to execute arbitrary
code.
DETAILS
Vulnerable systems:
* All platforms; Oracle9i Database Release 2, 9i Release 1, 8i, 8.1.7,
8.0.6
The bfilename() function suffers from a remotely exploitable buffer
overrun when an overly long DIRECTORY parameter is supplied. Before this
issue can be exploited an attacker must be able to log on to the database
server with a valid user ID and password, but as the bfilename() function
can be executed by PUBLIC by default any user of the system can gain
control. Any arbitrary code supplied by an attacker would execute with the
same privileges as the user running the service; this account is typically
"Oracle" on Linux/UNIX based platforms and Local System on Windows based
operating systems such as NT/2000/XP. As such, this allows for a complete
compromise of the data stored in the database and possibly a complete
compromise of the operating system.
Fix Information:
NGSSoftware alerted Oracle to this vulnerability on 30 September 2002.
Oracle has developed a patch that is available from
<http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf>
http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
ADDITIONAL INFORMATION
The information has been provided by <mailto:nisr@nextgenss.com>
NGSSoftware Insight Security Research.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Next message: support@securiteam.com: "[NT] NetCharts XBRL Server Information Leakage Vulnerability"
- Previous message: support@securiteam.com: "[UNIX] CGI SAPI Security Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
