Fw: "NERP" DoS attack possible in Oracle

From: Adam Maloney (adamat_private)
Date: Mon Dec 28 1998 - 17:28:08 PST


    This was my original posting to NTBugtraq back in August.
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                      Adam Maloney
                Systems  Administrator
                    Internet  Exposure
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    -----Original Message-----
    From: Adam Maloney <adamat_private>
    To: NTBUGTRAQat_private <NTBUGTRAQat_private>
    Date: Thursday, August 27, 1998 12:27 PM
    Subject: "NERP" DoS attack possible in Oracle
    
    
    >NERP DoS attack for Oracle
    >
    >About two weeks ago I noticed that my NT machine was listening on port 1526.
    >I did not recognize this port number as a WKS, and it was not listed in NT's
    >services file, so I became suspicious.  For lack of a better way, I
    >telnetted to the port to try and find out what it was:
    >
    >telnet localhost 1526
    >Connected to kilroy.intexp.com on port 1526
    >NERP
    >
    >Disconnected from kilroy.intexp.com
    >
    >As soon as I disconnected, my CPU usage jumped to 100%.  Upon looking at
    >Taskman, I saw that a process named tnslsnr80.exe was the culprit.  I could
    >not kill the process, and after waiting for about 5 minutes for it to go
    >away, I was forced to reboot my machine.
    >
    >When my machine came back up, I did a search for tnslsnr80.exe, and found it
    >in the Oracle directory.  Apparently this program listens for connections on
    >port 1526 (port 1521 may be vulnerable as well), and is not expecting a mere
    >user to telnet to it and feed it garbage.
    >
    >I contacted Oracle two weeks ago, first via their web comments page, and
    >then again via e-mail, and they never acknowledged or responded.  It is my
    >belief that you can bring an NT machine down to its knees if it is running
    >Oracle.
    >
    >System Tested:
    >NT4.0 SP3 + post SP3 patches
    >Oracle 8
    >P-Pro 200, 128MB RAM
    >
    >I am not 100% sure that this attack can be reproduced on anyone else's
    >systems.  I can reproduce it on my test machine, but all of the people that
    >I had contacted, asking to try the exploit out have not gotten back to me at
    >all.
    >
    >A possible workaround would be to change the port that Oracle listens on to
    >something random (so that the script kiddies have to hunt for it at least).
    >I forget where, but I thought I saw a config file that allows you to specify
    >which port.
    >
    >BTW, a few people have asked me if NERP is significant...it is not, typing
    >any random garbage is sufficient.  The NERP was just a sporadic random
    >thought.
    >
    >-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    >                  Adam Maloney
    >            Systems  Administrator
    >                Internet  Exposure
    >-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    >
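
The check that led to this report (a listening port that is not in the services file) can be run as a routine audit. The sketch below is an added example, not part of the original post: the `netstat -an` output and the services-file excerpt are constructed samples, and all function names are hypothetical.

```python
import re

# Constructed sample of Windows `netstat -an` output (not from the original post).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1526           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1031          10.0.0.9:139           ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

# Constructed excerpt in the format of the NT services file.
SERVICES_SAMPLE = """\
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
epmap             135/tcp    loc-srv        # DCE endpoint resolution
epmap             135/udp    loc-srv
netbios-ssn       139/tcp    nbsession      # NetBIOS session service
"""

def parse_services(text):
    """Return {(port, proto): name} from services-file text."""
    known = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = re.match(r"(\S+)\s+(\d+)/(tcp|udp)\b", line, re.I)
        if m:
            known[(int(m.group(2)), m.group(3).lower())] = m.group(1)
    return known

def listening_tcp_ports(netstat_text):
    """Return the sorted list of TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))   # rsplit copes with [::]:port
    return sorted(ports)

def unlisted_listeners(netstat_text, services_text):
    """TCP listeners with no entry in the services file: candidates for review."""
    known = parse_services(services_text)
    return [p for p in listening_tcp_ports(netstat_text) if (p, "tcp") not in known]

if __name__ == "__main__":
    for port in unlisted_listeners(NETSTAT_SAMPLE, SERVICES_SAMPLE):
        print(f"TCP {port} is listening but not in the services file")
```

On a real host, feed the functions the live `netstat -an` output and the system's own services file, then trace each flagged port back to its owning process.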
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:33 PDT