copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » ESB-2003.0325 -- NGSSoftware Insight Security Resear...
 

ESB-2003.0325 -- NGSSoftware Insight Security Research Advisory -- Oracle Database Link Buffer Overflow
Date: 30 April 2003

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

      ESB-2003.0325 -- NGSSoftware Insight Security Research Advisory
                   Oracle Database Link Buffer Overflow
                               30 April 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Oracle9i Releases 1 and 2
                        Oracle8i (8.1.x)
                        Oracle8 (8.0.x)
                        Oracle7 (7.3.x)
Publisher:              NGSSoftware
Impact:                 Administrator Compromise
                        Execute Arbitrary Code/Commands
Access Required:        Existing Account
CVE Names:              CAN-2003-0222

- --------------------------BEGIN INCLUDED TEXT--------------------

NGSSoftware Insight Security Research Advisory

Name: Oracle Database Link Buffer Overflow
Systems Affected: All platforms; Oracle9i Database Release 2 and 1, 8i all
releases, 8 all releases, 7.3.x
Severity: High Risk
Vendor URL: http://www.oracle.com
Author: David Litchfield (david@ngssoftware.com)
Date: 29th April 2003
Advisory number: #NISR29042003

Description
***********
Oracle is the leader in the database market with a 54% market share lead
under ERP (Enterprise Resource Planning). The database server is vulnerable
to a remotely exploitable buffer overflow vulnerability. The problem exists
with database links; functionality that allows the querying of one Oracle
database server from another.

Details
*******
A classic stack based buffer overflow vulnerability exists in the Oracle
database server that can be set up for exploitation by providing an overly
long parameter for a connect string with the 'CREATE DATABASE LINK' query:

CREATE DATABASE LINK ngss
CONNECT TO hr
IDENTIFIED BY hr
USING 'longstring'

By default, the 'CREATE DATABASE LINK' privilege is assigned to the CONNECT
role and as most Oracle accounts are assigned membership of this role even
low privileged accounts such as SCOTT and ADAMS can create database links.
By creating a specially crafted database link and then by selecting from the
link:

 select * from table@ngss

the overflow can be triggered, overwriting the saved return address on the
stack. This allows an attacker to gain control of the Oracle process' path
of execution and permits the execution of arbitrary, user supplied code. Any
code supplied would run in the security context of the account running the
Oracle database server. On unix based systems this is typically the 'oracle'
user and on Windows the local SYSTEM user. In the former this allows for a
full compromise of the data and in the latter a full compromise of the data
and the operating system.

This is a high risk vulnerability and as such should be patched as soon as
possible, after a suitable period of testing.

Fix Information
***************
NGSSoftware alerted Oracle to this vulnerability on 30th September 2002.
Oracle has reviewed the code and created a patch which is available from:

http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf

NGSSoftware advise Oracle database customers to review and install the patch
as a matter of urgency.

A check for this issue already exists in NGSSQuirreL for Oracle, a
comprehensive automated vulnerability assessment tool for Oracle Database
Servers of which more information is available from the NGSSite

http://www.ngssoftware.com/software/squirrelfororacle.html

It is further recommend that Oracle DBAs have their network/firewall
administrators ensure that the database server is protected from Internet
sourced traffic.


Further Information
*******************
For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf

About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPq/bfih9+71yA2DNAQF1jwP/elHLm93JxryvrC3FfYbH4B6nkjNi1vBk
AAnHXwLwMpXOMx3amE7grL8TVJ5AYQgiCNnFIANEggSyR9jc29i9UTQUQSyj7dkD
5FPTR5d6T3u5E9tBvMCRvkvTR5tc08HlroZo5QujLS9csX+bEBQAeVtqOC564FHS
VtyYt9aL0co=
=Z9ps
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=1&it=3036