[VulnWatch] Oracle extproc buffer overflow (#NISR23122004A)

From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: 12/23/04

  • Next message: NGSSoftware Insight Security Research: "[VulnWatch] Oracle extproc directory traversal (#NISR23122004B)"
    To: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>, <vulnwatch@vulnwatch.org>
    Date: Thu, 23 Dec 2004 16:32:09 -0000
    
    

    NGSSoftware Insight Security Research Advisory

    Name: Oracle 10g extproc buffer overflow
    Systems Affected: Oracle 10g on all operating systems
    Severity: High Risk
    Vendor URL: http://www.oracle.com/
    Author: David Litchfield [ davidl at ngssoftware.com ]
    Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
    Date of Public Advisory: 23rd December 2004
    Advisory number: #NISR23122004A
    Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004.txt

    Description
    ***********
    The Oracle database server supports PL/SQL, a programming language. PL/SQL
    can execute external procedures via extproc. Over the past few years there
    has been a number of vulnerabilities in this area:

    http://www.nextgenss.com/advisories/oraplsextproc.txt
    http://www.nextgenss.com/advisories/ora-extproc.txt

    Extproc has been found to suffer from another buffer overflow vulnerability.

    Details
    *******
    Oracle 10g imposes a length limit on the library name to be loaded by
    extproc. However, this length limit can be evaded by passing environment
    variables as part of the library name. Later on the environment variable is
    expanded allowing the buffer overflow to be exploited. For example '$PATH'
    is 5 characters long; this passes the length check. However, when expanded
    '$PATH' becomes many more characters.
    Exploitation depends upon the system setup but by trial and error a balance
    can be found allowing arbitrary code to be executed. No user ID or password
    is required to exploit this vulnerability.

    Fix Information
    ***************
    A patch (#68) was released for this problem by Oracle. See
    http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
    (http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
    your Oracle servers are vulnerable to this.

    About NGSSoftware
    *****************
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting, offers best of breed security consulting
    services, specialising in application, host and network security
    assessments.

    http://www.ngssoftware.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com


  • Next message: NGSSoftware Insight Security Research: "[VulnWatch] Oracle extproc directory traversal (#NISR23122004B)"