Oracle TNS Listener Buffer Overflow

June 12th, 2002

NGSSoftware Insight Security Research Advisory

Name: Oracle TNS Listener Buffer Overflow
Systems: Windows and VM running all versions of Oracle 9i Database
Severity: High Risk
Category: Remote Buffer Overrun Vulnerability
Vendor URL: http://www.oracle.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/oratns.txt
Date: 12th June 2002
Advisory number: #NISR12062002A

(VNA reference: http://www.nextgenss.com/vna/ora-lsnr.txt)

Description
***********

The Oracle Net Listener contains a remotely exploitable buffer overrun
vulnerability that can allow an attacker to gain complete control of a
machine running the Oracle 9i Database.

Details
*******

The Listener 'listens' on TCP port 1521 for client requests to use the
database. On receiving a request, the client is passed off to an instance of
the database. The request, packaged in a valid TNS packet, is of the form

(DESCRIPTION=(ADDRESS=
(PROTOCOL=TCP)(HOST=x.x.x.x)
(PORT=1521))(CONNECT_DATA=
(SERVICE_NAME=myorcl.ngssoftware.com)
(CID=
(PROGRAM=X:\\ORACLE\\iSuites\\BIN\\SQLPLUSW.EXE)
(HOST=foo)(USER=bar))))

If an overly long SERVICE_NAME parameter is supplied, a saved return address
on the stack is overwritten while the Listener forms an error message to be
written to the log file, which gives the attacker control over the process's
execution. Any code supplied by the attacker will run, by default, in the
context of the Local SYSTEM account on Windows platforms, and as such this is
a high risk vulnerability. Because the overflow occurs before the error
message is actually written to the log file, it may be difficult to detect
whether an attack has occurred. Customers are advised to patch this as soon
as possible.
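
Because the Listener's own log may never record the request, the check has to happen before the Listener sees it, for example in a proxy or IDS. The following is an added example, not code from the advisory or from Oracle: it parses a connect descriptor of the form shown above and flags overlong values. It assumes the descriptor text has already been extracted from the TNS packet; MAX_VALUE_LEN and the function names are hypothetical.

```python
import re

# Assumption (not from the advisory): legitimate values are short, so this
# limit is a tunable alerting threshold, not the size of the vulnerable buffer.
MAX_VALUE_LEN = 128
KEY = re.compile(r"\(\s*(\w+)\s*=")   # "(NAME="
VALUE = re.compile(r"[^()]*")         # text up to the next parenthesis

def parse_descriptor(text):
    """Return ([(dotted.path, value), ...], balanced) for a connect descriptor."""
    leaves, path, i = [], [], 0
    while i < len(text):
        if text[i] == "(":
            m = KEY.match(text, i)
            if not m:
                raise ValueError(f"'(' without NAME= at offset {i}")
            path.append(m.group(1).upper())
            v = VALUE.match(text, m.end())
            i = v.end()
            # A leaf ends at ')' or at end of input (truncated descriptor).
            if i == len(text) or text[i] == ")":
                leaves.append((".".join(path), v.group(0).strip()))
        elif text[i] == ")":
            if not path:
                raise ValueError(f"unbalanced ')' at offset {i}")
            path.pop()
            i += 1
        else:
            i += 1  # whitespace or stray bytes between groups
    return leaves, not path

def audit_descriptor(text, limit=MAX_VALUE_LEN):
    """Return a list of findings; an empty list means nothing suspicious."""
    try:
        leaves, balanced = parse_descriptor(text)
    except ValueError as exc:
        return [f"malformed descriptor: {exc}"]
    findings = [f"{name}: {len(val)} characters (limit {limit})"
                for name, val in leaves if len(val) > limit]
    if not balanced:
        findings.append("unclosed '(' (descriptor truncated?)")
    return findings

# Constructed samples: the advisory's descriptor, and one with a long SERVICE_NAME.
NORMAL = (r"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=x.x.x.x)(PORT=1521))"
          r"(CONNECT_DATA=(SERVICE_NAME=myorcl.ngssoftware.com)(CID="
          r"(PROGRAM=X:\\ORACLE\\iSuites\\BIN\\SQLPLUSW.EXE)(HOST=foo)(USER=bar))))")
OVERLONG = NORMAL.replace("myorcl.ngssoftware.com", "A" * (4 * MAX_VALUE_LEN))
```

audit_descriptor(NORMAL) returns an empty list, while audit_descriptor(OVERLONG) returns one finding naming DESCRIPTION.CONNECT_DATA.SERVICE_NAME; a descriptor cut off mid-value is reported both as overlong and as unclosed.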

Fix Information
***************

NGSSoftware alerted Oracle to this problem on the 13th of May and Oracle
have now released patches which are available from the Metalink site. The
patch number is 2367681.

A check for this vulnerability has been added to Typhon II, NGSSoftware’s
vulnerability assessment scanner; more information is available from the
NGSSite, http://www.ngssoftware.com/
