[ISN] Oracle 9i Database, Ap Server bust six ways to Sunday

From: InfoSec News (isnat_private)
Date: Tue Feb 18 2003 - 00:45:01 PST

  • Next message: InfoSec News: "[ISN] REVIEW: "Security+ Study Guide and DVD Training System", Michael Cross et al"

    By John Leyden
    Posted: 17/02/2003 
    Oracle admins are in for a busy time with the publication of no less
    than six vulnerabilities over the last week.
    Four of the vulnerabilities are buffer overflow flaws affecting
    various components of Oracle9i Database Server. Then there's two flaws
    affecting Oracle9i Application Server, which pose denial of service
    risks... or worse.
    Some are potentially very nasty indeed. Oracle describes them as
    critical and that's not the half of it...
    The buffer overflows in Database server involve: the ORACLE.EXE
    binary, the TO_TIMESTAMP_TZ function, the TZ_OFFSET function and
    DIRECTORY parameter of Oracle9i Database Server.
    These are explained in greater depth in the BugTraq advisories linked
    to above and the security section of Oracle's Web site.
    The web site also gives more refers to two Oracle9i Application Server
    vulnerabilities (involving DAV_PUBLIC Directory and the mod_oradav
    All vulnerabilities were posted to BugTraq, and patched published by
    Oracle, last weekend. Over the weekend security researchers have been
    digesting these reports, and coming up with some potentially
    unsettling conclusions.
    David Litchfield, of NGSSoftware, the security firm that has carved
    something of a niche for itself in unearthed Oracle flaws (and did the
    lion's share of the work this time too), tells us the majority of the
    Oracle9i Database Server require an attacker to have a valid user name
    and password.
    So the greatest risk here comes from a buffer overflow glitch within
    the Database Server's authentication process, which a post from
    NGSSoftware to BugTraq today explains in much greater depth. Various
    flavours of Database Server (8i, 8.1.7, 8.0.6) as well as Oracle9i are
    potentially vulnerable to this attack, according to NGSSoftware.
    Combine that with an Oracle9i Application Server Format String
    Vulnerability, and we have a way an attacker might gain control of Ap
    Server and get around what firewall rules might otherwise guard
    against attack against (potentially vulnerable) Database Servers.
    Oracle describes this as only a denial of service risk but the issue,
    albeit it tricky to exploit, seems to go deeper than this would
    Litchfield, in masterly understatement, says these various
    vulnerabilities "need attention".
    Once again: Oracle's patches can be obtained via links on its Web site
    here [1].
    [1] http://otn.oracle.com/deploy/security/alerts.htm
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Feb 18 2003 - 03:25:03 PST