From nisr@ngssoftware.com Wed Jun 12 16:04:30 2002
From: NGSSoftware Insight Security Research
To: bugtraq@securityfocus.com
Date: Wed, 12 Jun 2002 15:05:44 +0100
Subject: Oracle TNS Listener Buffer Overflow (#NISR12062002A)

NGSSoftware Insight Security Research Advisory

Name: Oracle TNS Listener Buffer Overflow
Systems: Windows and VM running all versions of Oracle 9i Database
Severity: High Risk
Category: Remote Buffer Overrun Vulnerability
Vendor URL: http://www.oracle.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/oratns.txt
Date: 12th June 2002
Advisory number: #NISR12062002A
(VNA reference: http://www.nextgenss.com/vna/ora-lsnr.txt)

Description
***********

The Oracle Net Listener contains a remotely exploitable buffer overrun vulnerability that can allow an attacker to gain complete control of a machine running the Oracle 9i Database.

Details
*******

The Listener 'listens' on TCP port 1521 for client requests to use the database. On receiving a request, the client is passed off to an instance of the database. The request, packaged in a valid TNS packet, is of the form

(DESCRIPTION=(ADDRESS=
(PROTOCOL=TCP)(HOST=x.x.x.x)
(PORT=1521))(CONNECT_DATA=
(SERVICE_NAME=myorcl.ngssoftware.com)
(CID=
(PROGRAM=X:\\ORACLE\\iSuites\\BIN\\SQLPLUSW.EXE)
(HOST=foo)(USER=bar))))

By supplying an overly long SERVICE_NAME parameter, when the Listener forms an error message to be written to the log file, a saved return address on the stack is overwritten, thus gaining control over the process's execution. Any code supplied by the attacker will run, by default, in the context of the Local SYSTEM account on Windows platforms, and as such this is a high risk vulnerability.

Because the overflow occurs before the error message is actually written to the log file, it may be difficult to detect whether an attack has occurred. Customers are advised to patch this as soon as possible.

Fix Information
***************

NGSSoftware alerted Oracle to this problem on the 13th of May and Oracle have now released patches which are available from the Metalink site. The patch number is 2367681.

A check for this vulnerability has been added to Typhon II, NGSSoftware's vulnerability assessment scanner; more information is available from the NGS site, http://www.ngssoftware.com/
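Since the advisory notes that the listener's own log will not record the attempt, a network-side check on the connect descriptor is one practical way to spot it. The following is an added example, not NGSSoftware's or Oracle's code: it parses the parenthesised descriptor carried in a TNS connect packet (assuming the caller has already stripped the binary TNS header) and flags SERVICE_NAME values longer than an assumed threshold.

```python
# Assumed detection threshold, not an Oracle-documented limit: genuine service
# names are short DNS-style names, so anything far beyond this is suspect.
MAX_SERVICE_NAME = 64

def parse_descriptor(text):
    """Parse a TNS descriptor like (A=(B=1)(C=2)) into nested dicts.
    A key repeated at one level (e.g. several ADDRESS entries) becomes a list."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        eq = text.index("=", pos)
        key = text[pos + 1:eq].strip()
        pos = eq + 1
        skip_ws()
        if text[pos] == "(":                 # nested list of (KEY=...) groups
            value = {}
            while text[pos] == "(":
                k, v = node()
                if k in value:
                    value[k] = (value[k] if isinstance(value[k], list) else [value[k]]) + [v]
                else:
                    value[k] = v
                skip_ws()
        else:                                # leaf value runs up to ')'
            close = text.index(")", pos)
            value = text[pos:close]
            pos = close
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return key, value

    key, value = node()
    return {key: value}

def long_service_names(descriptor, limit=MAX_SERVICE_NAME):
    """Return the length of every SERVICE_NAME value longer than `limit`."""
    hits = []
    def walk(n):
        if isinstance(n, dict):
            for k, v in n.items():
                if k == "SERVICE_NAME" and isinstance(v, str) and len(v) > limit:
                    hits.append(len(v))
                walk(v)
        elif isinstance(n, list):
            for v in n:
                walk(v)
    walk(descriptor)
    return hits

# Constructed samples: the benign request from the advisory, and the same
# request with SERVICE_NAME inflated well past the threshold.
BENIGN = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=x.x.x.x)(PORT=1521))"
          "(CONNECT_DATA=(SERVICE_NAME=myorcl.ngssoftware.com)"
          "(CID=(PROGRAM=X:\\ORACLE\\iSuites\\BIN\\SQLPLUSW.EXE)(HOST=foo)(USER=bar))))")
OVERSIZED = BENIGN.replace("myorcl.ngssoftware.com", "A" * 300)
```

A sensor using this would alert on `long_service_names(parse_descriptor(OVERSIZED))` returning a non-empty list while the benign request returns none.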