R7-0006: Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service

From: Rapid 7 Security Advisories (advisoryat_private)
Date: Wed Oct 09 2002 - 12:07:50 PDT

    _______________________________________________________________________
                         Rapid 7, Inc. Security Advisory
    
            Visit http://www.rapid7.com/ to download NeXpose(tm), our
             advanced vulnerability scanner. Linux and Windows 2000
                           versions are available now!
    _______________________________________________________________________
    
    Rapid 7 Advisory R7-0006
    Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service
    
       Published:  October 9, 2002
       Revision:   1.0
       http://www.rapid7.com/advisories/R7-0006.txt
    
       Oracle:     Oracle Security Alert #42
       http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf
    
       CVE:        CAN-2002-1118
       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1118
    
       Bugtraq:    5678
       http://online.securityfocus.com/bid/5678
    
    1. Affected system(s):
    
       KNOWN VULNERABLE:
        o Oracle 9i Release 2 (9.2.x)
        o Oracle 9i Release 1 (9.0.x)
        o Oracle 8i (8.1.x)
    
       Apparently NOT VULNERABLE:
        o Oracle 8.0.x (but see below)
    
    2. Summary
    
       The Oracle TNS Listener is susceptible to a denial of service attack
       when issued the SERVICE_CURLOAD command.
    
    3. Vendor status and information
    
       Oracle, Inc.
       http://www.oracle.com
    
          Oracle was notified of this vulnerability and has made patches
          available.  This issue is being tracked as bug #2540219 in
          the Oracle bug database.
    
    4. Solution
    
       Download and apply the vendor-supplied patches.  Please see Oracle
       Security Alert #42 for more information:
    
             http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf
    
       Please note that patches for some versions and platforms are not
       yet available.
    
    5. Detailed analysis
    
       Connecting to the Oracle TNS listener (usually on port 1521) and
       issuing the command "(CONNECT_DATA=(COMMAND=SERVICE_CURLOAD))"
       causes the Oracle server to respond with a message indicating
       successful execution.  However, once the caller closes the
       connection, the listener service stops responding.  The effects
       of this DoS vary depending on how long the attacker keeps the
       original connection open.  If the caller keeps the listener
       connection open while new connections are serviced, the listener
       service will be disabled and may crash with an access violation.
       If the caller closes the listener connection before other requests
       are serviced, the listener service will refuse to accept new
       connections.
    
       We were unable to reproduce this issue on Oracle 8.0.6.  Version
       8.0.6 of Oracle logs a result of 0 (success) in listener.log.
       However, the response to the caller contains error code 12629260,
       which appears to be a non-standard error code.  This may also be
       the result of an exceptional condition, but we were unable to crash
       or disable the listener in our testing.
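
   Because affected listeners log the command before they stop responding,
   a defender can watch listener.log for the SERVICE_CURLOAD command string
   quoted above.  The following Python is an added example, not part of the
   Rapid 7 advisory or of any Oracle tooling; the log lines are constructed
   and the "*"-separated field layout is assumed, so adapt the field parsing
   to the listener.log format of the release actually deployed.

```python
from typing import Dict, List, Union

Node = Union[str, Dict[str, "Node"]]
WATCHED_COMMANDS = {"SERVICE_CURLOAD"}   # listener command from the advisory

def parse_tns(text: str) -> Dict[str, Node]:
    """Parse a TNS descriptor, e.g. (CONNECT_DATA=(COMMAND=SERVICE_CURLOAD)),
    into nested dicts; leaf values are strings, keys are upper-cased."""
    pos = 0
    def parse_list() -> Dict[str, Node]:
        nonlocal pos
        result: Dict[str, Node] = {}
        while pos < len(text) and text[pos] == "(":
            pos += 1                                  # consume '('
            end = text.index("=", pos)
            key = text[pos:end].strip().upper()
            pos = end + 1
            if text[pos] == "(":                      # nested descriptor
                result[key] = parse_list()
            else:                                     # leaf value up to ')'
                end = text.index(")", pos)
                result[key] = text[pos:end].strip()
                pos = end
            pos += 1                                  # consume ')'
        return result
    return parse_list()

def scan_listener_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose CONNECT_DATA carries a watched
    command.  Assumed layout: 'TIMESTAMP * CONNECT_DATA * [ADDRESS *] ... * RC'."""
    hits = []
    for line in lines:
        fields = [f.strip() for f in line.split(" * ")]
        if len(fields) < 2:
            continue
        command, host = None, "unknown"
        for field in fields[1:]:
            if not field.startswith("("):
                continue
            desc = parse_tns(field)
            cd = desc.get("CONNECT_DATA")
            if isinstance(cd, dict) and isinstance(cd.get("COMMAND"), str):
                command = cd["COMMAND"].upper()
            addr = desc.get("ADDRESS")
            if isinstance(addr, dict) and isinstance(addr.get("HOST"), str):
                host = addr["HOST"]                   # caller's address, if logged
        if command in WATCHED_COMMANDS:
            hits.append({"time": fields[0], "host": host,
                         "command": command, "rc": fields[-1]})
    return hits

SAMPLE_LOG = [   # constructed lines, not a real listener.log
    "09-OCT-2002 11:58:01 * (CONNECT_DATA=(SID=orcl)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40122)) * establish * orcl * 0",
    "09-OCT-2002 12:07:50 * (CONNECT_DATA=(COMMAND=SERVICE_CURLOAD)) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=51123)) * service_curload * 0",
    "09-OCT-2002 12:08:03 * (CONNECT_DATA=(COMMAND=status)(SERVICE=LISTENER)) * status * 0",
]
```

   A result code of 0 on such a line does not mean the listener survived the
   request; on the vulnerable releases the failure occurs after the caller
   disconnects, so a hit should trigger a listener health check.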
    
    6. Contact Information
    
       Rapid 7 Security Advisories
       Email:   advisoryat_private
       Web:     http://www.rapid7.com/
       Phone:   +1 (212) 558-8700
    
    7. Disclaimer and Copyright
    
       Rapid 7, Inc. is not responsible for the misuse of the information
       provided in our security advisories. These advisories are a service
       to the professional security community.  There are NO WARRANTIES
       with regard to this information. Any application or distribution of
       this information constitutes acceptance AS IS, at the user's own
       risk.  This information is subject to change without notice.
    
       This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is
       hereby granted to redistribute this advisory, providing that no
       changes are made and that the copyright notices and disclaimers
       remain intact.
    
    This archive was generated by hypermail 2b30 : Sat Oct 12 2002 - 18:01:59 PDT