[VulnWatch] Oracle iSQL*Plus buffer overflow vulnerability (#NISR04112002)

From: NGSSoftware Insight Security Research (nisr@nextgenss.com)
Date: 11/04/02


From: "NGSSoftware Insight Security Research" <nisr@nextgenss.com>
To: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>, <vulnwatch@vulnwatch.org>
Date: Mon, 4 Nov 2002 17:48:17 -0000

NGSSoftware Insight Security Research Advisory

Name: Oracle iSQL*Plus buffer overflow
Systems: Oracle Database 9i R1,2 on all operating systems
Severity: High Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/ora-isqlplus.txt
Date: 4th November 2002
Advisory number: #NISR04112002

Description
***********
Oracle iSQL*Plus is a web based application that allows users to query the
database. It is installed with Oracle 9 database server and runs on top of
apache. The iSQL*Plus module is vulnerable to a classic buffer overflow
vulnerability.

Details
*******
The iSQL*Plus web application requires users to log in. After accessing the
default url, "/isqlplus" a user is presented with a log in screen. By
sending the web server an overly long user ID parameter, an internal buffer
is overflow on the stack and the saved return address is overwritten. This
can allow an attacker to run arbitrary code in the security context of the
web server. On most systems this will be the "oracle" user and on Windows
the "SYSTEM" user. Once the web server has been compromised attackers may
then use it as a staging platform to launch attacks against the database
server itself.

Fix Information
***************
NGSSoftware alerted Oracle to this problem on the 18th of October and
Oracle, last week, issued an alert. The Oracle bug number assigned to this
issue is 2581911. Patches can be downloaded from the Oracle Metalink site
http://metalink.oracle.com/.



Relevant Pages

  • ASP.NET Impersonation to access Oracle database...
    ... I am trying to work out how I can use impersonation to connect to an Oracle ... Currently the database and the ... stored in the registry on the Web Server to achieve the same result. ... I have kept the appSettings section but removed the username and password: ...
    (microsoft.public.dotnet.framework.aspnet.webservices)
  • ASP.NET Impersonation to access Oracle database...
    ... I am trying to work out how I can use impersonation to connect to an Oracle ... Currently the database and the ... stored in the registry on the Web Server to achieve the same result. ... I have kept the appSettings section but removed the username and password: ...
    (microsoft.public.dotnet.framework.aspnet)
  • ASP.NET Impersonation to access Oracle database...
    ... I am trying to work out how I can use impersonation to connect to an Oracle ... Currently the database and the ... stored in the registry on the Web Server to achieve the same result. ... I have kept the appSettings section but removed the username and password: ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: What so special about PostgreSQL and other RDBMS?
    ... That's exactly the link the licence agreement for the database points to when it ... comes to what wecan expect for paying support. ... > "Oracle may provide additional releases or versions of its programs ... If the requirements are volatile I'd do a long term contract detailing what ...
    (comp.lang.php)
  • Re: TNS could not resolve the connect identifier
    ... The backend database for my web application is Oracle 10.1.0.2.0. ... machine and the productive web server. ...
    (comp.databases.oracle.server)