On Fri, 20 Apr 2001, Stephen Oberther wrote: > > Oracle 8 servers running Windows NT 4.0 (SP6) and does not require any > > authentication credentials to succeed. I have not tried it on any other versions > > or platforms. > > This works on Oracle 8 running on Solaris 8 as well. No credentials > needed to do the name lookup either it just eats up a processor. Good > thing it isn't threaded. There were some remote DoS and general security bugs in the Oracle tnslsnr in (at least) 8.1.6. This was reported to Oracle back in October 2000; 8.1.7 fixes the DoS and most of the security problems (TNS 'query leaking' is still possible in 8.1.7 -- by sending tnslsnr a packet with a bogus length, it's possible to see the contents of previous TNS packets. While this won't reveal past SQL sessions, it does show usernames and other oddities.) http://otn.oracle.com/deploy/security/alerts.htm http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0818 http://xforce.iss.net/alerts/advise66.php http://www.jammed.com/~jwa/hacks/security/tnscmd/ - my kludgy 'tnsping' James
This archive was generated by hypermail 2b30 : Sun Apr 22 2001 - 13:38:26 PDT