Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> FYI: Buffer Overflow in Oracle 9iAS

FYI: Buffer Overflow in Oracle 9iAS

From: <Jared.Still_at_radisys.com>
Date: Thu, 20 Dec 2001 16:22:24 -0800
Message-ID: <F001.003E1669.20011220161020@fatcity.com> 








NGSSoftware Insight Security Research Advisory



Name:    Oracle PL/SQL Apache Module


Systems Affected:  Oracle 9iAS


Platforms:  Sun SPARC Solaris 2.6


   MS Windows NT/2000 Server


   HP-UX 11.0/32-bit


Severity:  High Risk


Vendor URL:   http://www.oracle.com/


Author:   David Litchfield (david_at_nextgenss.com)
Date:   20th December 2001


Advisory number: #NISR20122001




Description




The web service with Oracle 9iAS is powered by Apache and provides many
application environmentswith which to offer services from the site. These
include SOAP, PL/SQL, XSQL and JSP. Two security issues exists in the
PL/SQL



Apache module - one a buffer overrun vulnerability and the second a
directory traversal issue. The directory traversal issue affects only
Windows NT/2000.




Details




The PL/SQL module exists to allow remote users to call procedures exported
by a PL/SQL package stored in the database server. As part of the
functionality offered by the PL/SQL module it is possible to remotely
administer the Database Access Descriptors and from here access help pages.



Normally, access to the /admin_/ pages is restricted - a UserID and
password


are required but not for the help pages however. A buffer overrun
vulnerability exists in the module whereby a request for an overly long
help


page will cause the overflow overwriting the saved return address on the
stack. By overwriting this saved return address with an address that
contains a "call esp" or "jmp esp" instruction a potential attack would
land


into the user-supplied buffer and any computer code in the buffer would be
executed.



On Windows 2000/NT the apache process is running is the security context of
the SYSTEM account by default so any code executed would do so without
inhibition and an attacker could gain complete control over this system
remotely.



The second issue relates to a double URL decoding problem that allows
attackers to make a special request for a "help" file and break outside of
the web root.




Fix Information




NGSSoftware alerted Oracle to these problems on the 18th of November who
responded quickly with a patch. This patch has been available from the
Metalink site (http://metalink.oracle.com) for over a week and both Oracle
and NGSSoftware urge Oracle 9iAS customers to download and install this
patch if they have not already done so. Oracle's advisory on this issue can
be found at http://otn.oracle.com/deploy/security/pdf/modplsql.pdf.



Further to applying the patch it is suggested that the default "/admin_"
path be changed to something else. To do this edit the wdbsvr.app file
located in the $ORACLE_HOME$\Apache\modplsql\cfg directory. Edit the
"adminPath" entry.



A check for these issues has been added to Typhon II, of which more
information is available from the NGSSoftware website,
http://www.ngssoftware.com.








-- 



Please see the official ORACLE-L FAQ: http://www.orafaq.com


-- 



Author: 


  INET: Jared.Still_at_radisys.com


Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------


To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Thu Dec 20 2001 - 18:22:24 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US