| VID | 25024 |
| Severity | 40 |
| Port | 1521 |
| Protocol | TCP |
| Class | DB |
| Detailed Description |
The Oracle Database server, according to its version number, has a buffer overflow in its database link handling (Oracle Security Alert 54, CVE-2003-0222). An attacker with a database account may use this flaw to gain control of the whole database, or even to obtain a shell on the affected host. The overflow is triggered by supplying an overly long connect string in the USING clause of a CREATE DATABASE LINK statement:
CREATE DATABASE LINK ngss CONNECT TO hr IDENTIFIED BY hr USING 'longstring'
By default, the CREATE DATABASE LINK privilege is granted to the CONNECT role, and since most Oracle accounts are members of that role, even low-privileged accounts such as SCOTT and ADAMS can create database links. By creating a specially crafted database link and then selecting from it:
select * from table@ngss
the overflow is triggered, overwriting the saved return address on the stack. This lets an attacker take control of the Oracle server process and execute arbitrary, attacker-supplied code. That code runs in the security context of the account running the database server: typically the 'oracle' user on Unix systems and the local SYSTEM account on Windows. In the former case this means a full compromise of the data; in the latter, a full compromise of both the data and the operating system.
* Note: This check relies solely on the version number reported by the remote Oracle Database server, so it may be a false positive: the fix is a one-off patch, and a server that has had it applied may still be reported as vulnerable.
* References: http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf http://www.nextgenss.com/advisories/ora-dblink.txt http://www.securityfocus.com/archive/1/319914
* Platforms Affected: Oracle9i Release 2; Oracle9i Release 1; Oracle8i (8.1.x, all releases); Oracle8 (8.0.x, all releases); Oracle7 Release 7.3.x |
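The description above hinges on two facts a DBA can verify directly: who holds CREATE DATABASE LINK (directly or via CONNECT), and whether any stored link already carries an overlong connect string. The following SQL is an added example, not taken from the Oracle alert, the NGSSoftware advisory or the scanner check. It uses only the standard data dictionary views DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_DB_LINKS; the 200-byte threshold and the account name some_link_owner are assumptions chosen for illustration. Old-style comma joins are used so the queries also run on 8i and 7.3, which predate ANSI join syntax.

```sql
-- Added example: audit and compensating control for the CREATE DATABASE LINK
-- buffer overflow described above. Run as a DBA (e.g. SYSTEM). View and
-- column names are the standard Oracle data dictionary; the 200-byte
-- threshold and the account SOME_LINK_OWNER are illustrative assumptions.

-- 1. Accounts and roles holding CREATE DATABASE LINK directly.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK'
 ORDER BY grantee;

-- 2. Accounts that inherit the privilege through a role (CONNECT by default
--    on the affected releases). Shows one level of role nesting only; roles
--    granted to roles need a further join on dba_role_privs.
SELECT rp.grantee, rp.granted_role
  FROM dba_role_privs rp, dba_sys_privs sp
 WHERE sp.grantee   = rp.granted_role
   AND sp.privilege = 'CREATE DATABASE LINK'
 ORDER BY rp.grantee;

-- 3. Existing links whose connect string (the HOST column holds the text of
--    the USING clause) is implausibly long. A legitimate TNS alias or
--    descriptor is normally well under 200 bytes, so anything longer is
--    worth reviewing as a possible exploitation attempt, since a crafted
--    link is stored in the dictionary before it is selected from.
SELECT owner, db_link, username, created, LENGTH(host) AS host_len
  FROM dba_db_links
 WHERE LENGTH(host) > 200
 ORDER BY host_len DESC;

-- 4. Compensating control until the one-off patch is applied: stop handing
--    the privilege out with CONNECT and grant it explicitly to the few
--    accounts that need it. This changes what CONNECT members can do, so
--    review the output of query 2 before running it.
REVOKE CREATE DATABASE LINK FROM CONNECT;
GRANT CREATE DATABASE LINK TO some_link_owner;   -- hypothetical account
```

Query 3 is a detection aid, not proof of exploitation: a link can be created with a long but harmless string, and an attacker who dropped the link after triggering the overflow leaves nothing in DBA_DB_LINKS. The revoke in step 4 does not remove the vulnerable code path; it only reduces which accounts can reach it, so the vendor patch still has to be applied.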
| Recommendation |
Apply the appropriate patch for your system. The patches are listed in the Patch Availability Matrix at http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf The patch READMEs contain the patch application instructions and configuration guide.
An interim (one-off) patch for this issue is available for these affected database versions:
o Oracle 9i Release 2, version 9.2.0.2 (excluding Windows)
o Oracle 9i Release 1, version 9.0.1.4
o Oracle 8i Release 3, version 8.1.7.4
o Oracle8 Database, version 8.0.6.3 (desupported release; however, the patch is available for Extended Maintenance Support customers)
Currently there are no plans to release a patch for 8.0.5.x, 8.1.5.x, 8.1.6.x, 7.3.x, or other patchsets of the supported releases. To download these one-off patches:
1. Go to the Oracle Support Services web site, Metalink ( http://metalink.oracle.com ).
2. Click on the Patches button.
3. Click on the "New Metalink Patch Search". If you are not on the "Simple Search" screen, click on the "Simple" button to get to the "Simple Search" screen.
4. Refer to the Patch Availability Matrix above to determine the patch number required.
5. In the "Search By" option select "Patch Number(s)" from the drop-down menu, and enter the required patch number in the box.
6. Click on the "Go" button.
7. Select the required platform and language.
8. Click on the "Download" button.
9. Recommended: also click on the "View README" button for additional information and instructions.
Please review Metalink, or check with Oracle Support Services periodically for patch availability if the patch for your platform is unavailable.
For details, see also http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf |
| Related URL | CVE-2003-0222 (CVE) |
| Related URL | 7453 (SecurityFocus) |
| Related URL | (ISS) |