[ISN] Buffer Overflow in Oracle 9iAS (#NISR20122001)

From: InfoSec News (isnat_private)
Date: Mon Dec 24 2001 - 00:13:07 PST


    Forwarded from: Jay D. Dyson <jdysonat_private>
    Courtesy of Bugtraq.
    Well, this sure smacks down Ellison's claim that his software is
    unhackable.  Bleeding moron.  I wonder if he thinks his idea for a
    National ID card is "secure," too?
    I'll point and laugh later.  With any luck, this is just the tip of the
    ---------- Forwarded message ----------
    Date: Fri, 21 Dec 2001 03:05:57 -0000
    From: David Litchfield <davidat_private>
    To: bugtraqat_private
    Subject: Buffer Overflow in Oracle 9iAS (#NISR20122001)
    NGSSoftware Insight Security Research Advisory

    Name:             Oracle PL/SQL Apache Module
    Systems Affected: Oracle 9iAS
    Platforms:        Sun SPARC Solaris 2.6
                      MS Windows NT/2000 Server
                      HP-UX 11.0/32-bit
    Severity:         High Risk
    Vendor URL:       http://www.oracle.com/
    Author:           David Litchfield (davidat_private)
    Date:             20th December 2001
    Advisory number:  #NISR20122001
    The web service with Oracle 9iAS is powered by Apache and provides many
    application environments with which to offer services from the site. These
    include SOAP, PL/SQL, XSQL and JSP. Two security issues exist in the PL/SQL
    Apache module: one is a buffer overrun vulnerability and the second a
    directory traversal issue. The directory traversal issue affects only
    Windows NT/2000.
    The PL/SQL module exists to allow remote users to call procedures exported
    by a PL/SQL package stored in the database server. As part of the
    functionality offered by the PL/SQL module it is possible to remotely
    administer the Database Access Descriptors and from there access help pages.
    Normally, access to the /admin_/ pages is restricted: a UserID and password
    are required. The help pages, however, require no such authentication. A
    buffer overrun vulnerability exists in the module whereby a request for an
    overly long help page will cause the overflow, overwriting the saved return
    address on the stack. By overwriting this saved return address with an
    address that contains a "call esp" or "jmp esp" instruction a potential
    attack would land into the user-supplied buffer and any computer code in the
    buffer would be
    On Windows 2000/NT the Apache process runs in the security context of the
    SYSTEM account by default, so any code executed would do so without
    inhibition and an attacker could gain complete control over this system.
    The second issue relates to a double URL decoding problem that allows
    attackers to make a special request for a "help" file and break outside of
    the web root.
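    As an added illustration of the two issues above (this is example detection
    code, not part of the advisory or of Oracle's or NGSSoftware's software): a
    small log scanner that flags requests under the default "/admin_/" path that
    are either overly long or that only resolve to a "../" component after a
    second round of URL decoding. The log lines, the DAD name "simpledad", the
    client addresses and the length threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines; none come from the advisory.
SAMPLE_LOG = (
    '10.0.0.5 - - [21/Dec/2001:03:05:57 +0000] '
    '"GET /pls/simpledad/admin_/help/index.htm HTTP/1.0" 200 1234\n'
    '10.0.0.6 - - [21/Dec/2001:03:06:01 +0000] '
    '"GET /pls/simpledad/admin_/help/%252e%252e%252f%252e%252e%252fexample.txt HTTP/1.0" 404 210\n'
    '10.0.0.7 - - [21/Dec/2001:03:06:05 +0000] '
    '"GET /pls/simpledad/admin_/help/' + "A" * 2000 + ' HTTP/1.0" 500 0\n'
)

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
ADMIN_PATH = "/admin_/"   # default adminPath from wdbsvr.app (assumed unchanged)
MAX_HELP_LEN = 256        # assumed threshold for a "normal" help-page request


def classify_request(path):
    """Return a finding label for one request path, or None if it looks benign."""
    if ADMIN_PATH not in path:
        return None
    help_part = path.split(ADMIN_PATH, 1)[1]
    # Issue 1: an overly long help-page request is the overflow trigger.
    if len(help_part) > MAX_HELP_LEN:
        return "overlong-help-request"
    # Issue 2: decode twice, as the vulnerable module effectively did, and look
    # for a ".." path component that only appears after the second decode.
    once = unquote(help_part)
    twice = unquote(once)
    if ".." in re.split(r"[\\/]", twice):
        return "double-decoded-traversal" if once != twice else "traversal"
    return None


def scan_log(text):
    """Scan access-log text and return (client ip, finding) pairs."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        label = classify_request(m.group("path"))
        if label:
            findings.append((m.group("ip"), label))
    return findings
```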
    Fix Information
    NGSSoftware alerted Oracle to these problems on the 18th of November, and
    Oracle responded quickly with a patch. This patch has been available from the
    Metalink site (http://metalink.oracle.com) for over a week and both Oracle
    and NGSSoftware urge Oracle 9iAS customers to download and install this
    patch if they have not already done so. Oracle's advisory on this issue can
    be found at http://otn.oracle.com/deploy/security/pdf/modplsql.pdf.
    In addition to applying the patch, it is suggested that the default "/admin_"
    path be changed to something else. To do this, edit the wdbsvr.app file
    located in the $ORACLE_HOME$\Apache\modplsql\cfg directory and change the
    "adminPath" entry.
    A check for these issues has been added to Typhon II, of which more
    information is available from the NGSSoftware website,
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Mon Dec 24 2001 - 06:07:35 PST