From nisr@ngssoftware.com Wed Jun 12 16:04:22 2002
From: NGSSoftware Insight Security Research
To: bugtraq@securityfocus.com
Date: Wed, 12 Jun 2002 15:09:22 +0100
Subject: Oracle Reports Server Buffer Overflow (#NISR12062002B)

NGSSoftware Insight Security Research Advisory

Name: Oracle 9iAS Reports Server
Systems: All
Severity: High Risk
Category: Remote Buffer Overrun Vulnerability
Vendor URL: http://www.oracle.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/orarep.txt
Date: 12th June 2002
Advisory number: #NISR12062002B
(VNA Reference: http://www.nextgenss.com/vna/ora-reports.txt )

Description
***********

Oracle's Reports Server contains a remotely exploitable buffer overrun vulnerability in one of its CGI-based programs.

Details
*******

By supplying an overly long database name parameter to rwcgi60 with the setauth method, a remote attacker can overwrite a saved return address on the stack and gain control of the process's execution. Any code supplied by the attacker runs in the security context of the account the web server runs as. On Unix variants that account normally has limited privileges; on Windows-based systems, however, the web server by default runs as the local SYSTEM account.

Fix Information
***************

NGSSoftware alerted Oracle to this problem on the 17th of December 2001, and Oracle have now released patches, which are available from the Metalink site. The patch number is 2356680.
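For sites that cannot apply patch 2356680 immediately, the web server access log is the natural place to look for abuse of the rwcgi60 setauth method described above. The script below is an added example written for this post, not code from the advisory or from Oracle: it parses Apache-style combined log lines and flags any request to rwcgi60 that mentions setauth and carries a query-string value longer than a chosen limit. The advisory does not name the vulnerable parameter, so the check is applied to every parameter rather than to one name; the URL layout (/cgi-bin/rwcgi60/setauth?...), the parameter names in the sample lines, the 256-byte limit and the log lines themselves are all constructed assumptions for illustration.

```python
"""Flag over-long parameter values in Oracle Reports rwcgi60 setauth requests.

Added example for the advisory above; not Oracle's or NGSSoftware's code.
Assumptions: Apache combined log format, and that rwcgi60 is reached through
a path containing 'rwcgi60' with 'setauth' in the path or query string.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed threshold: legitimate database / connect-string values are far
# shorter than this, so anything longer is worth an analyst's attention.
MAX_PARAM_LEN = 256

# Apache combined log: client, ident, user, [timestamp], "METHOD URL PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). The second line carries a
# 2000-byte value in the request to rwcgi60/setauth.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2002:15:09:22 +0100] "GET /cgi-bin/rwcgi60/setauth?server=rep_srv&userid=scott/tiger@orcl HTTP/1.0" 200 512
10.0.0.7 - - [12/Jun/2002:15:10:03 +0100] "GET /cgi-bin/rwcgi60/setauth?userid=scott/tiger@{0} HTTP/1.0" 500 0
10.0.0.9 - - [12/Jun/2002:15:11:41 +0100] "GET /index.html HTTP/1.0" 200 1024
""".format("A" * 2000)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_rwcgi60_setauth(url):
    """True when the request targets rwcgi60 and uses the setauth method."""
    low = url.lower()
    return "rwcgi60" in low and "setauth" in low


def oversized_params(url, limit=MAX_PARAM_LEN):
    """List (name, decoded_length) for every query value longer than limit.

    parse_qsl URL-decodes values, so percent-encoded padding is measured at
    its real length rather than its encoded length.
    """
    query = urlsplit(url).query
    return [
        (name, len(value))
        for name, value in parse_qsl(query, keep_blank_values=True)
        if len(value) > limit
    ]


def scan_log(text, limit=MAX_PARAM_LEN):
    """Return one hit per rwcgi60 setauth request carrying an over-long value."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or not is_rwcgi60_setauth(rec["url"]):
            continue
        big = oversized_params(rec["url"], limit)
        if big:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "params": big,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        names = ", ".join(f"{n}={l} bytes" for n, l in hit["params"])
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} over-long: {names}")
```

Run it against a real access log with `scan_log(open(path).read())`. A 500 status alongside an over-long value, as in the second sample line, is the pattern to prioritise: it suggests the CGI process terminated abnormally rather than rejecting the input cleanly. The length check deliberately ignores parameter names, because a filter keyed to one name would miss the same overrun reached through a differently named or re-ordered query string.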