| VID |
25022 |
| Severity |
40 |
| Port |
1521, ... |
| Protocol |
TCP |
| Class |
DB |
| Detailed Description |
The Oracle Database Server, according to its version number, is vulnerable to a buffer overflow attack via an overly long username. Oracle is the leader in the database market with a 54% market share lead under ERP (Enterprise Resource Planning). Oracle 8i and 9i are vulnerable
to a remotely exploitable buffer overflow vulnerability. By supplying an overly long username when attempting to log onto the database server an attacker can overflow a stack based buffer and execute arbitrary code on the system with the same privileges as the user running the service; this account is typically "Oracle" on Linux/Unix based platforms and Local System on Windows based operating systems such as NT/2000/XP. As such this allows for a complete compromise of the data stored in the database and possibly a complete compromise of the operating system.
* Note: This check solely relied on the version number of the remote Oracle Listener to assess this vulnerability, so this might be a false positive.
* Platforms Affected:
Oracle9i Release 2
Oracle9i Release 1
Oracle8i v 8.1.7
Oracle8 v 8.0.6
* References:
http://www.securityfocus.com/archive/1/312035
http://www.securiteam.com/securitynews/5NP0B2095E.html |
| Recommendation |
Apply the appropriate patch for your system, available from the Oracle Web site, http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
