[NEWS] Oracle Database Link Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 04/30/03

    To: list@securiteam.com
    Date: 30 Apr 2003 11:11:15 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Oracle Database Link Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Oracle is the leader in the database market, with a 54% market share in
    the ERP (Enterprise Resource Planning) segment. The database server is
    vulnerable to a remotely exploitable buffer overflow. The problem lies in
    database links, the functionality that allows one Oracle database server
    to be queried from another.

    DETAILS

    Vulnerable systems:
     * All platforms: Oracle9i Database Release 2 and Release 1, Oracle8i
       (all releases), Oracle8 (all releases), and Oracle 7.3.x

    A classic stack based buffer overflow vulnerability exists in the Oracle
    database server that can be set up for exploitation by providing an overly
    long parameter for a connect string with the 'CREATE DATABASE LINK' query:

    CREATE DATABASE LINK ngss
    CONNECT TO hr
    IDENTIFIED BY hr
    USING 'longstring'

    By default, the 'CREATE DATABASE LINK' privilege is assigned to the
    CONNECT role, and since most Oracle accounts are members of this role,
    even low-privileged accounts such as SCOTT and ADAMS can create database
    links. By creating a specially crafted database link and then selecting
    from it:

     select * from table@ngss

    the overflow is triggered, overwriting the saved return address on the
    stack. This allows an attacker to gain control of the Oracle process'
    path of execution and permits the execution of arbitrary, user-supplied
    code.
    Any code supplied would run in the security context of the account running
    the Oracle database server. On UNIX based systems this is typically the
    'oracle' user and on Windows the local SYSTEM user. In the former, this
    allows for a full compromise of the data and in the latter a full
    compromise of the data and the operating system.

    This is a high-risk vulnerability and as such should be patched as soon as
    possible, after a suitable period of testing.
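    The following SQL is an added defensive example, not part of the NGSSoftware
    advisory or of Oracle's patch: it audits who can create database links,
    lists existing links with unusually long connect strings, and shows the
    compensating control of removing the privilege from CONNECT while the patch
    is tested. The 200-character threshold and the SCHEMA_OWNER account are
    assumptions; adjust both to your environment.

    ```sql
    -- 1. Roles that carry CREATE DATABASE LINK. On the vulnerable releases
    --    the advisory expects CONNECT to appear here.
    SELECT role
      FROM role_sys_privs
     WHERE privilege = 'CREATE DATABASE LINK';

    -- 2. Accounts that hold the privilege directly.
    SELECT grantee, admin_option
      FROM dba_sys_privs
     WHERE privilege = 'CREATE DATABASE LINK';

    -- 3. Accounts that hold it through a role (one level of role nesting).
    SELECT rp.grantee, rp.granted_role
      FROM dba_role_privs rp
      JOIN role_sys_privs rs ON rs.role = rp.granted_role
     WHERE rs.privilege = 'CREATE DATABASE LINK'
     ORDER BY rp.grantee;

    -- 4. Existing links whose USING string is far longer than a normal TNS
    --    alias or descriptor. The 200-character cutoff is an assumption, not
    --    a figure from the advisory; review anything above it by hand.
    SELECT owner, db_link, username, LENGTH(host) AS host_len, created
      FROM dba_db_links
     WHERE LENGTH(host) > 200
     ORDER BY host_len DESC;

    -- 5. Compensating control until the patch is deployed: stop ordinary
    --    CONNECT members from creating links, then re-grant the privilege
    --    only to the accounts that genuinely need it (placeholder name).
    REVOKE CREATE DATABASE LINK FROM CONNECT;
    GRANT CREATE DATABASE LINK TO schema_owner;

    -- 6. Record every CREATE/DROP DATABASE LINK so new links show up in the
    --    audit trail (DBA_AUDIT_TRAIL) for review.
    AUDIT DATABASE LINK BY ACCESS;
    ```

    Run the queries as a DBA account; the REVOKE is reversible, but check
    query 3 first so that applications which legitimately create links through
    CONNECT are re-granted the privilege explicitly.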

    Fix Information:
    NGSSoftware alerted Oracle to this vulnerability on 30th September 2002.
    Oracle has reviewed the code and created a patch that is available from:

     http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf

    NGSSoftware advise Oracle database customers to review and install the
    patch as a matter of urgency.

    ADDITIONAL INFORMATION

    The information has been provided by NGSSoftware Insight Security
    Research (nisr@nextgenss.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

