[ISN] Oracle in buffer overflow brown alert

From: InfoSec News (isnat_private)
Date: Tue Nov 12 2002 - 22:31:38 PST

    By John Leyden
    Posted: 12/11/2002 at 13:28 GMT

    Security researchers are warning of a potentially nasty buffer
    overrun flaw in Oracle Database 9i databases.

    In common with such flaws, a buffer overflow in the iSQL*Plus module
    of Oracle 9i might allow an attacker to run arbitrary code in the
    security context of the Web server. iSQL*Plus is a Web-based
    application that allows users to query the database.

    David Litchfield of NGS Software warns that the problem affects Oracle
    Database 9i R1 and R2 on all operating systems - not just Web servers.
    He describes the problem as "high risk".

    In an advisory posted on BugTraq last week he warns: "On most systems
    this will be the 'Oracle' user and on Windows the 'SYSTEM' user. Once
    the web server has been compromised attackers may then use it as a
    staging platform to launch attacks against the database server."

    NGS Software alerted Oracle to this problem on the 18th of October and
    Oracle, last week, issued an alert. The Oracle bug number assigned to
    this issue is 2581911. Patches can be downloaded from the Oracle

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Nov 13 2002 - 01:03:19 PST