Rookie question: How is it possible for a buffer overflow to allow access?
Does the overflow automatically provide a shell? Or does it put the
process in some debugging mode with remote privileges?

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 7/3/01, 4:15:50 PM, BayBrianA at aol.com wrote regarding CERT Advisory CA-2001-16:

> CERT Advisory CA-2001-16 Oracle 8i contains buffer overflow in TNS listener
>
> Original release date: July 03, 2001
> Last revised: --
> Source: CERT/CC
>
> A complete revision history is at the end of this file.
>
> Systems Affected
>
> * Systems running Oracle 8i
>
> Overview
>
> A vulnerability in Oracle 8i allows remote intruders to assume control
> of database servers running on victim machines. If the Oracle server
> is running on a Windows system, an intruder may also be able to gain
> control of the underlying operating system.
>
> I. Description
>
> The COVERT labs at PGP Security have discovered a buffer overflow
> vulnerability in Oracle 8i that allows intruders to execute arbitrary
> code with the privileges of the TNS listener process. The
> vulnerability occurs in a section of code that is executed prior to
> authentication, so an intruder does not require a username or
> password.
>
> For more information, see the COVERT Labs Security Advisory, available
> at
>
> http://www.pgp.com/research/covert/advisories/050.asp
>
> II. Impact
>
> An intruder who exploits the vulnerability can remotely execute
> arbitrary code. On UNIX systems, this code runs as the 'oracle' user.
> If running on Windows systems, the intruder's code will run in the
> Local System security context.
>
> In either case, the attacker can gain control of the database server
> on the victim machine. On Windows systems, the intruder can also gain
> administrative control of the operating system.
>
> III. Solutions
>
> Install a patch from Oracle. More information is available in
> Appendix A.
>
> Appendix A
>
> Oracle
>
> Oracle has issued an alert for this vulnerability at
>
> http://otn.oracle.com/deploy/security/pdf/nai_net8_bof.pdf
>
> Oracle has fixed this potential security vulnerability in the Oracle9i
> database server. Oracle is in the process of backporting the fix to
> supported Oracle8i database server Releases 8.1.7 and 8.1.6 and
> Oracle8 Release 8.0.6 on all platforms. The Oracle bug number for the
> patch is 1489683.
>
> Download the patch for your platform from Oracle's Worldwide Support
> web site, Metalink:
>
> http://metalink.oracle.com
>
> Please check Metalink periodically for patch availability if the patch
> for your platform is not yet available.
> _________________________________________________________________
>
> Our thanks to COVERT Labs at PGP Security for the information
> contained in their advisory.
> _________________________________________________________________
>
> This document was written by Shawn V. Hernan. If you have feedback
> concerning this document, please send email to:
>
> mailto:cert at cert.org?Subject=[VU#620495]%20Feedback%20CA-2001-16
>
> Copyright 2001 Carnegie Mellon University.
>
> Revision History
>
> July 03, 2001: Initial Release